I am facing an issue in an iOS application that uses a UIWebView to render HTML5 code that is part of the application bundle.
This HTML5 code makes ajax requests to our backend which may potentially have sensitive data in them. This is all done over HTTPS and our application never stores the sensitive data. However, when doing security testing for the application, we found that http post requests where being stored in a local SQL Lite database (cache.db) as of iOS 5.
It was easy to manage that, by setting the NSURLCache global object to have zero disk storage, and deleting the file when appropriate.
Now however, it looks like in iOS 6.1 Apple has changed the implementation again, and the data is being stored in cache.db-wal. I have limited knowledge of SQL Lite, but I think this is a file created when SQL Lite is initialized with certain options.
Any suggestions as to a fix?
After further research, it seems that the suggestion by Hot Licks above was correct, by adding the "no-cache, no-store" value to the HTTP response, the HTTP request values where not logged in the SQLite database.
For example, in ASP.Net MVC:
public ActionResult PostSensitiveData(string data)
{
Response.Cache.SetCacheability(HttpCacheability.NoCache);
Response.Cache.SetNoStore();
return Json(data);
}