Managing Website Data

iDevice, iOS, iPad, iPhone, Safari, Security, Usability 4 Minutes

Saving usernames and passwords on your device is a comfortable feature of browsers as you can access websites without filling in your credentials every time you visit the site.

Unfortunately there are no detailed descriptions about credentials stored on an iOS-Device neither in the iPad User Guide or help texts in the Settings section nor on Apple’s website ‘Support’. For a normal user without deep technical knowledge the Settings section is very confusing and definitely not self explaining.

20121226-110835.jpg

The different functionalities are based on different actions websites may initiate. In general you cannot know what actions take place when you open a website. It’s specific for the website. Let’s look on the cookies first.

Quoting Wikipedia HTTP Cookies

A cookie, also known as an HTTP cookie, web cookie, or browser cookie, is usually a small piece of data sent from a website and stored in a user’s web browser while a user is browsing a website. When the user browses the same website in the future, the data stored in the cookie can be retrieved by the website to notify the website of the user’s previous activity. Cookies were designed to be a reliable mechanism for websites to remember the state of the website or activity the user had taken in the past. This can include clicking particular buttons, logging in, or a record of which pages were visited by the user even months or years ago.
Although cookies cannot carry viruses, and cannot install malware on the host computer, tracking cookies and especially third-party tracking cookies are commonly used as ways to compile long-term records of individuals’ browsing histories — a major privacy concern that prompted European and US law makers to take action in 2011.
Other kinds of cookies perform essential functions in the modern Web. Perhaps most importantly, authentication cookies are the most common method used by web servers to know whether the user is logged in or not, and which account they are logged in under. Without such a mechanism, the site would not know whether to send a page containing sensitive information, or require the user to authenticate himself by logging in. The security of an authentication cookie generally depends on the security of the issuing website and the user’s web browser, and on whether the cookie data is encrypted. Security vulnerabilities may allow a cookie’s data to be read by a hacker, used to gain access to user data, or used to gain access (with the user’s credentials) to the website to which the cookie belongs.

This article will answer the following questions …

  • Where are the passwords when you open a website, enter your credentials and say YES answering the question of your browser ‘Would You like to save this password?’.
  • How can saved passwords be deleted from your device?
  • What is the best practice to set up the device?

Your iOS-Device can save your usernames and passwords for different websites. The browser can then automatically complete the sign-in fields for you when you next visit these websites. This is highly comfortable but it’s a risky undertaking and you may compromise yourself.

Locations of saved credentials …

Local
The passwords are stored in the iOS-Keychain of your device.
If you have more than one iOS-Device the credentials of one device are not synced with another device via iCloud. On every device you have save your credentials separately.
iCloud
All your credentials are stored in the encrypted iCloud-Backup of your device but only if you use an unlock code for the device. If not, you have to fill in your credentials again if you restore an iCloud- or iTunes-Backup.

Available Settings for Safari …

To manage your passwords and the ability to or not to save them go to
Settings – Safari.

Turning on the AutoFill – Option …

You may turn on the AutoFill option if you often visit websites where you have to sign in first. If this option is turned on you will be asked whether your device should save the login information or not.

20121226-114855.jpg

It is highly recommended not to save credentials for online banking, online shops or other websites containing sensitive data.

Deleting all saved credentials …

Go to Settings – Safari – AutoFill (section General) – Clear All

Deleting the data for a specific website …

Go to Safari, scroll down to Advanced and tap on Edit to delete the stored data for a specific site.

20121226-113427.jpg

This in general does not delete the credentials you provided for the website.
The feature is not described in the user manual and its a bit cloudy what this function really does. So do not use it.

Summary …

  • The only way to delete all website credentials from your device is:
    Go to Settings – Safari – AutoFill and tap on Clear All
  • McAfee Best Practices for Avoiding iOS Security Issues
  • Use a password keeping application with an integrated browser like 1Password (AgileBits) to securely access websites managing personal data of you.
  • As you can see there is a lack in iOS because there is no functionality for deleting all data (credentials, cookies and other data) of a specific website. If you go to Safari – Advanced – Website Data and delete the data for e.g. apple.com your username and your password will still be available when opening the site.

If you are interested in some technical details …

Apple iOS Security Basics

Published