Missing Encryption of Sensitive Data
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-311: Missing Encryption of Sensitive Data |
| OWASP | A03:2017 - Sensitive Data Exposure |
| Confidence Level | Medium |
| Impact Level | High |
| Likelihood Level | Low |
Description
Sensitive data such as passwords, API keys, or secret tokens are being stored in UserDefaults, which does not provide adequate security for confidential information. Such data should be stored securely using the Keychain, not UserDefaults.
Impact
If exploited, attackers with access to the device or backup files could easily extract sensitive information from UserDefaults, potentially leading to account compromise, unauthorized API access, or exposure of confidential data. This puts both user security and organizational assets at significant risk.