Identifying Data Leaks in iOS ApplicationS
Many iOS applications unintentionally leak data to other applications or adversaries with access to the filesystem. This typically occurs when a developer uses an API that has side effects the developer is not aware of and, therefore, does not take preventative measures to secure the data.
Here we look at some of the ways a developer using the iOS APIs may inadvertently leak sensitive application data.
lEAKinG DAtA in ApplicAtiOn lOGS
Logging can prove to be a valuable resource for debugging during development. However, in some cases, it can leak sensitive or proprietary information, which is then cached on the device until the next reboot. [20:29:16.6732] requested restore behavior: Update [20:29:16.6743] requested variant: Update [20:29:16.6752] requested restore behavior: Update [20:29:16.6762] failed to find key FDRSupport in variant
iDEntiFYinG pAStEBOARD lEAKAGE
Many developers want to offer users the ability to copy and paste data. If the pasteboard is used to copy sensitive data, depending on how it is implemented, data could be leaked from the pasteboard to other third-party applications.
HAnDlinG ApplicAtiOn StAtE tRAnSitiOnS
When an application is suspended in the background (for example, if the user receives an incoming call), iOS takes a snapshot of the app and stores it in the application’s cache directory. When the application is reopened, the device uses the screenshot to create the illusion that the application loads instantly. Any system that can be paired with the device can access the snapshot. - (void)applicationDidEnterBackground: (UIApplication *)application
iOS customizes the autocorrect feature by caching input that is typed into the device’s keyboard. Almost every non-numeric word is cached on the filesystem in plaintext in the keyboard cache file. This means that application data you wouldn’t want to be cached—such as usernames, passwords, and answers to security questions—could be inadvertently stored in the keyboard cache. pass password1 Q W E R T Y U passing I O P
Http RESpOnSE cAcHinG
cfurl_cache_blob data cfurl_cache_ response cfurl_cache_ receiver_data cfurl_cache_ schema_version To display a remote website, an iOS application often uses a UIWebView to render the HTML content. Depending on how the URL loading is implemented, a UIWebView can cache server responses to the local filesystem. When sensitive content is returned in server responses, it could potentially be stored in the cache database.
Find out more about iOS application vulnerabilities and how to write secure iOS apps in The Mobile Application Hacker’s Handbook by Dominic chell, tyrone Erasmus, Shaun colley, and Ollie Whitehouse