Closed maxvonhippel closed 2 years ago
Hi @maxvonhippel, this change seems like a great suggestion, and we greatly appreciate the suggestion; however, coinbase-ios-sdk is being deprecated, and so we will be closing this ticket.

Thank you for your contribution.
The demo app currently stores the `accessToken` in `NSUserDefaults`. If the user backs their device up to their laptop or iCloud without turning on encryption, the token can be reverse engineered from the `.plist` files encoded in that backup. I think this could present a possible attack vector (if the user backs their device up without encryption within 2 hours of app use). I reported this on HackerOne, and was encouraged instead to open an issue here on the repository.

My suggestion is to cut a PR in which a third-party Keychain wrapper such as Lockbox is used to replace the `NSUserDefaults` writing and reading with Keychain writing and reading for the `accessToken`. I'm happy to write this myself, but figured I should ask first if:
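The storage change proposed in the issue, as an added example (not code from coinbase-ios-sdk, Lockbox, or the issue author): the weak `UserDefaults` write beside a direct Keychain write that uses `kSecAttrAccessibleWhenUnlockedThisDeviceOnly`, so the item is bound to the device's own keys instead of sitting in a plaintext `.plist` that a backup carries. The service and account names are placeholders chosen for this example.

```swift
import Foundation
import Security

// Placeholder identifiers for this example; not the SDK's own values.
let tokenService = "com.example.demo.oauth"
let tokenAccount = "accessToken"

// Weak form: UserDefaults persists to a plaintext .plist inside the app
// container, and that file is included in device backups.
func storeTokenInsecurely(_ token: String) {
    UserDefaults.standard.set(token, forKey: tokenAccount)
}

// Hardened form: a generic-password Keychain item. The ThisDeviceOnly
// accessibility class ties the item to this device's keys, so it cannot be
// restored onto another device from a backup.
@discardableResult
func storeTokenInKeychain(_ token: String) -> OSStatus {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: tokenService,
        kSecAttrAccount as String: tokenAccount,
    ]
    // Drop any previous item so SecItemAdd does not fail with errSecDuplicateItem.
    SecItemDelete(query as CFDictionary)

    var attributes = query
    attributes[kSecValueData as String] = Data(token.utf8)
    attributes[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly
    return SecItemAdd(attributes as CFDictionary, nil)
}

// Read the token back; returns nil when no item is stored or the
// device is locked and the item is not yet accessible.
func readTokenFromKeychain() -> String? {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: tokenService,
        kSecAttrAccount as String: tokenAccount,
        kSecReturnData as String: true,
        kSecMatchLimit as String: kSecMatchLimitOne,
    ]
    var result: AnyObject?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    guard status == errSecSuccess, let data = result as? Data else { return nil }
    return String(data: data, encoding: .utf8)
}
```

Deleting the item with the same `query` on logout keeps the token out of any backup taken after the session ends.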