Question

I am using an iPhone app to ping a "https" URL that looks like the following:

https://domain.com/server/unique-id/SecretInformationString

I'm assuming server logs would be vulnerable, as well as iPhone history perhaps... but would someone outside of the local network have any idea of what "SecretInformationString" is?

Solution

Information added to the end of the URL will not be secure as the URL itself is sent in plain text before your request is encrypted.

If you were to make a POST request with the secret values instead, the URL will still be visible to the outside world in plaintext; however, your POST data would be encrypted.

Edit: If you are making multiple requests with the same secret data (i.e. you are using it as an authentication token), you may want to consider using a secure cookie.
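
The question's concern about server logs, shown as an added example that is not part of the original question or answer: the same call is built with the secret in the path and with the secret in a POST body, and each is passed through a constructed access-log formatter to see which one leaves the secret on disk. The log format, the `secret` form field, the `session` cookie name and the client address are assumptions made for illustration.

```python
import re
from urllib.parse import urlencode, urlsplit

# Path shape from the question: /server/<unique-id>/<secret>
SECRET_PATH = re.compile(r'(/server/[^/\s?]+/)[^/\s?"]+')

def access_log_line(method, url, client="203.0.113.7"):
    """Constructed Common Log Format-style entry. Typical access logs record
    the request line (method, path, query), not the request body."""
    parts = urlsplit(url)
    target = parts.path + (f"?{parts.query}" if parts.query else "")
    return (f'{client} - - [01/Jan/2024:00:00:00 +0000] '
            f'"{method} {target} HTTP/1.1" 200 512')

def secret_in_path(base, unique_id, secret):
    """The request as the question builds it: secret is the last path segment."""
    return {"method": "GET", "url": f"{base}/server/{unique_id}/{secret}", "body": b""}

def secret_in_body(base, unique_id, secret):
    """Same call as a POST: the secret moves into the form-encoded body."""
    return {"method": "POST", "url": f"{base}/server/{unique_id}",
            "body": urlencode({"secret": secret}).encode()}

def session_cookie(token):
    """Set-Cookie value for a repeated token: Secure limits it to HTTPS,
    HttpOnly keeps it away from page scripts."""
    return f"session={token}; Secure; HttpOnly; SameSite=Strict; Path=/"

def redact(log_line):
    """Mask the secret segment in log lines that were already written."""
    return SECRET_PATH.sub(r"\1[REDACTED]", log_line)

if __name__ == "__main__":
    base, uid, secret = "https://domain.com", "unique-id", "SecretInformationString"
    for build in (secret_in_path, secret_in_body):
        req = build(base, uid, secret)
        line = access_log_line(req["method"], req["url"])
        print(build.__name__, "->", line)
        print("  redacted:", redact(line))
    print(session_cookie("constructed-token-value"))
```

`redact` is meant for logs that already contain the old URL shape; new requests built with `secret_in_body` or a cookie never put the value in the request line in the first place.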

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow