0

Does non-persistent data ever need to be encrypted? If I had a project with confidential data stored in non-persistent class variables should I be doing anything to protect this data?

I am developing for an iOS application.

Declan McKenna
  • It does not matter whether the data are persistent or not, but whether somebody can access the data while they are there. And whether this is possible depends on various factors, so no general answer is possible. – Steffen Ullrich Apr 08 '16 at 14:38
  • @SteffenUllrich I think the "Does non-persistent data ever need to be encrypted?" question can be answered – Neil Smithline Apr 08 '16 at 15:06
  • @NeilSmithline: yes, given some specific attack model there will be cases where encryption should be done and where it is not needed. But I actually don't know how to be more specific in that, i.e. without a known attack model and use case. – Steffen Ullrich Apr 08 '16 at 15:22
  • What is your threat model? Are there any regulatory requirements that apply? Is this on a server or a client? The answer varies depending on these parameters and more. – Lie Ryan Apr 08 '16 at 17:02
  • I am not sure about regulatory requirements other than that the variables I'm using can potentially carry SPI, so if there's any possibility of them being accessed by anyone other than the user I should encrypt them. This is a client mobile device, my app doesn't have a backend. – Declan McKenna Apr 10 '16 at 11:00

1 Answer

3

PCI DSS v3 section 6.5 calls out the need to protect sensitive data even if it is in memory, to help thwart memory scraping attacks. So if you expect to need PCI compliance, yes, you should protect sensitive data even if it's in memory.

I don't know what technology you are using, but even non-persistent data can stick around for a while. For example, strings in .NET don't get automatically destroyed when all of their references are gone. Strings are stored on the heap and will remain there until the garbage collector removes them.

Encrypting data in RAM can be tricky since you now need to protect the encryption key. A native feature like .NET's SecureString, or a hardware security module, can be useful in such situations.

I have seen this finding on penetration tests.

md_1976
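
The answer's point that in-memory data outlives its last reference applies to native heaps too. This added C example (not from the answer or any vendor API) keeps a secret in a buffer the program owns and wipes it before release; `secret_buf`, `secure_wipe` and the other helper names are hypothetical, and the sample secret is constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper type (not an iOS or .NET API): a heap buffer that
   holds a secret only for as long as it is needed. */
typedef struct { unsigned char *data; size_t len; } secret_buf;

/* Zero through a volatile pointer so the compiler cannot discard the
   stores as dead writes just because the buffer is freed next. */
static void secure_wipe(void *p, size_t n) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) *vp++ = 0;
}

/* Copy the secret into memory we own. Returns 0 on success, -1 on failure. */
static int secret_init(secret_buf *s, const void *src, size_t len) {
    s->len = 0;
    s->data = malloc(len ? len : 1);
    if (s->data == NULL) return -1;
    memcpy(s->data, src, len);
    s->len = len;
    return 0;
}

/* Number of non-zero bytes still present; 0 means nothing is left to scrape. */
static size_t secret_residue(const secret_buf *s) {
    size_t i, n = 0;
    for (i = 0; i < s->len; i++) n += (s->data[i] != 0);
    return n;
}

/* Wipe first, then hand the memory back to the allocator. */
static void secret_release(secret_buf *s) {
    if (s->data != NULL) { secure_wipe(s->data, s->len); free(s->data); }
    s->data = NULL;
    s->len = 0;
}

int main(void) {
    unsigned char input[] = "sample-secret-0001"; /* constructed sample value */
    secret_buf s;
    if (secret_init(&s, input, sizeof input - 1) != 0) return 1;
    secure_wipe(input, sizeof input);  /* the caller's own copy must go too */
    printf("in use: %zu non-zero bytes\n", secret_residue(&s));
    secure_wipe(s.data, s.len);
    printf("wiped:  %zu non-zero bytes\n", secret_residue(&s));
    secret_release(&s);
    return 0;
}
```

Wiping only shortens the window in which the plaintext is readable; every intermediate copy (input fields, formatted strings, logs) needs the same treatment.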