Merge pull request futurice#20 from shams-ahmed/topic_security

Add section on Security

README.md

@@ -487,6 +487,24 @@ First you should make your app send crash logs onto a server somewhere so that y
 
 Once you have this set up, ensure that you _save the Xcode archive (`.xcarchive`)_ of every build you release. The archive contains the built app binary and the debug symbols (`dSYM`) which you will need to symbolicate crash reports from that particular version of your app.
 
+### Security
+Sensitive data such as username/password, personal user details, OAuth token etc should always be kept securely in a private location where it not accessible outside of the application. See [Apple security documentation](https://www.apple.com/business/docs/iOS_Security_Guide.pdf) for full brief on how iOS handle this area. 
+
+##### Do's 
+* Store sensitive data in Keychain. if your uncomfortable implementing Keychain library use a wrapper like [UICKeyChainStore](https://github.com/kishikawakatsumi/UICKeyChainStore)
+* Treat untrusted files and data with care, always use NSFileProtectionComplete
+* Remove personal data from memory when it not needed (i.e. self.password = nil;)
+* Protect data in transit (https over ssl)
+* Use TextFields with Secure Option and disable Autocorrection 
+* Clear the pasteboard once the app enters in background
+* UIWebView: set cache policy to ignore local as its stored in the bundle
+* Disable NSLog for the release builds
+* Analysis open source dependency before integrating 
+
+##### Don'ts
+* Do not store sensitive data you don't actually need, or for longer than you need.
+* Never store sensitive data in NSUserDefault, plist or CoreData. it mostly used to basic app feature like is first launch etc…
+* Never store sensitive data in user document directory
 
 ## Building