Is it secure to communicate with localhost via a socket without TLS or similar?

Question

I'm writing a library that implements a distributed object system over a socket connection. I'm requiring that users sign any messages sent, at least when communicating over a network, as otherwise an attacker could pose as one of the participants and remotely call methods on the other, which would be a Bad Thing.

The main use of this library is for network communications. However I want to make it as simple as possible to get a 'hello world' example running locally without compromising someone's machine. Is it reasonable to assume that incoming data from a connection to localhost is really from localhost without securing it in some other way? Are there any other reasons that this might not be secure?

In case it's relevant, I'm working on OSX/iOS.

Answer 1

Connection on loopback is secure unless you have remote login enabled on the machine. Users can easily redirect connections with ssh(1).

Whether it is a good idea to complicate your code by not verifying messages from loopback is a different question that you have to ask yourself.