This analysis pattern identifies the insecure storage of sensitive data in Swift applications for iOS and macOS. The weakness occurs when UserDefaults.standard.set() is used to save information that appears to be a credential, secret, or cryptographic key. A static analysis check can detect this by inspecting calls to this function and examining the key name or the variable being stored for common sensitive-data keywords, such as “password,” “api_key,” “secret_token,” or “private_key.”
Storing such information in UserDefaults constitutes a significant security vulnerability (CWE-311) because it saves the data in an unencrypted property list (plist) file on the device’s filesystem. This file can be easily accessed by an attacker with local access to the device or through other system compromises, leading to sensitive data exposure. To mitigate this risk, applications should leverage the system Keychain, which is an encrypted and secure database provided by the operating system specifically for storing secrets.
