OWASP / owasp-mastg

The Mobile Application Security Testing Guide (MASTG) is a comprehensive manual for mobile app security testing and reverse engineering. It describes the technical processes for verifying the controls listed in the OWASP Mobile Application Security Verification Standard (MASVS).
https://mas.owasp.org/
Creative Commons Attribution Share Alike 4.0 International

[MSTG-PLATFORM-10] Additional option to prevent caching #2106

Open irbishop opened 2 years ago

irbishop commented 2 years ago

MSTG Chapter

0x06d-testing-data-storage

File Line Number

448

Context

I came across this article: https://blog.silentsignal.eu/2016/05/06/ios-http-cache-analysis-for-abusing-apis-and-forensics/ which talked about setting the Cache-Control header to prevent caching on iOS devices among other things. I tested it out on iOS 13.4.1 with modified responses containing Cache-Control: no-cache, no-store. The WebKit folders and application specific folder containing Cache.db were not created.

irbishop commented 2 years ago

I tested it on 2 apps, one written using Xamarin the other in Swift.
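As an added example (not code from the issue or from the MASTG project), a small Python checker that parses Cache-Control directives per RFC 7234 syntax and reports whether a response carries the no-store directive the comment above found to suppress the Cache.db and WebKit cache folders; the header values are constructed test input.

```python
"""Check HTTP response headers for directives that prevent on-device caching."""
from typing import Dict, List, Optional, Tuple


def parse_cache_control(value: str) -> Dict[str, Optional[str]]:
    """Split a Cache-Control value into {directive: argument}.

    Directive names are case-insensitive; commas inside quoted arguments
    (e.g. no-cache="Set-Cookie, X-Token") do not split the directive."""
    parts, buf, quoted = [], [], False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    directives: Dict[str, Optional[str]] = {}
    for part in (p.strip() for p in parts if p.strip()):
        name, _, arg = part.partition("=")
        arg = arg.strip()
        if len(arg) >= 2 and arg[0] == arg[-1] == '"':
            arg = arg[1:-1]  # unquote the argument
        directives[name.strip().lower()] = arg or None
    return directives


def assess_response(headers: Dict[str, str]) -> Tuple[bool, List[str]]:
    """Return (safe, findings); safe is True only when no-store is present."""
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings: List[str] = []
    cc_raw = lowered.get("cache-control")
    if cc_raw is None:
        return False, ["no Cache-Control header: heuristic caching permitted"]
    cc = parse_cache_control(cc_raw)
    if "no-store" in cc:
        return True, findings
    if "no-cache" in cc:
        findings.append("no-cache without no-store: response may still be written to disk and revalidated")
    else:
        findings.append("missing no-store directive")
    max_age = cc.get("max-age")
    if max_age is not None and max_age.isdigit() and int(max_age) > 0:
        findings.append(f"max-age={max_age}: response explicitly cacheable")
    if "public" in cc:
        findings.append("public: shared caches may store the response")
    return False, findings


if __name__ == "__main__":
    # Constructed sample: the header combination reported in the issue, and a weaker one
    for sample in ({"Cache-Control": "no-cache, no-store"}, {"Cache-Control": "no-cache"}):
        print(sample, "->", assess_response(sample))
```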