在 iOS 上,我想知道,如果我这样读取用户提供的密码值:
NSString* strPwd = UITextField.text;
//Check 'strPwd'
...
//How to clear out 'strPwd' from RAM?
我只是不喜欢让敏感数据“悬空”在 RAM 中。知道如何将其归零吗?
问问题
1649 次
2 回答
9
Basically you really can't. There are bugs filed with Apple over this exact issue. Additionally there are problems with UITextField and NSString at a minimum.
To reiterate the comment in a now deleted answer by @Leo Natan:
Releasing the enclosing NSString object does not guarantee the string bytes are zeroes in memory. Also, if a device is jailbroken, all the sandboxing Apple promises will be of no use. However, in this case, there is little one can do, as it is possible to swap the entire runtime in the middle of the application running, this getting the password from the memory.
Please file another bug with apple requesting this, the more the better.
于 2013-01-12T18:14:13.620 回答
-1
虽然NSString没有此功能(出于其他地方提到的封装原因),但让您的应用程序使用常规的旧 C 字符串应该不会太难,它们只是指向内存的指针。一旦你有了那个指针,当你完成后就很容易清除东西。
这对用户输入的文本字段(使用NSString-s 并且我们无法更改它们)没有帮助,但您当然可以将应用程序的所有敏感数据保存在基于指针的内存中。
我没有尝试过它(我没有当前的越狱设备),但尝试一下也可能很有趣NSMutableString——比如:
// Code typed in browser; may need adjusting
// keep "password" in an NSMutableString
NSInteger passLength = password.length;
NSString *dummy = @"-";
while (dummy.length < passLength)
{
dummy = [dummy stringByAppendingString: @"-"];
}
NSRange fullPass = NSMakeRange(0, passLength);
[password replaceOccurancesOfString: password
withString: dummy
options: 0
range: fullPass];
注意:我不知道这是否符合您的要求;这只是我在输入之前的答案时想到的。即使它现在确实有效,我想这取决于实现,它是脆弱的(意思是:将来可能会破坏),所以不应该使用。
不过,这可能是一个有趣的练习!:)
于 2015-12-01T00:48:48.803 回答