Identifying Data Leaks in iOS ApplicAtiOnS

Many iOS applications unintentionally leak data to other applications or adversaries with access to the filesystem. This typically occurs when a developer uses an API that has side effects the developer is not aware of and, therefore, does not take preventative measures to secure the data.

Here we look at some of the ways a developer using the iOS APIs may inadvertently leak sensitive application data.

lEAKinG DAtA in

ApplicAtiOn lOGS

Logging can prove to be a valuable resource for debugging during development. However, in some cases, it can leak sensitive or proprietary information, which is then cached on the device until the next reboot.

[20:29:16.6732] requested restore behavior: Update

[20:29:16.6743] requested variant: Update

[20:29:16.6752] requested restore behavior: Update

[20:29:16.6762] failed to find key FDRSupport in variant

iDEntiFYinG pAStEBOARD lEAKAGE

Many developers want to offer users the ability to copy and paste data. If the pasteboard is used to copy sensitive data, depending on how it is implemented, data could be leaked from the pasteboard to other third-party applications.

HAnDlinG ApplicAtiOn

StAtE tRAnSitiOnS

When an application is suspended in the background (for example, if the user receives an incoming call), iOS takes a snapshot of the app and stores it in the application’s cache directory. When the application is reopened, the device uses the screenshot to create the illusion that the application loads instantly. Any system that can be paired with the device can access the snapshot.

- (void)applicationDidEnterBackground: (UIApplication *)application

KEYBOARD cAcHinG

iOS customizes the autocorrect feature by caching input that is typed into the device’s keyboard. Almost every non-numeric word is cached on the filesystem in plaintext in the keyboard cache file. This means that application data you wouldn’t want to be cached—such as usernames, passwords, and answers to security questions—could be inadvertently stored in the keyboard cache.

WQ E R T Y U I O P

password1pass passing

Http RESpOnSE cAcHinG

To display a remote website, an iOS application often uses a UIWebView to render the HTML content. Depending on how the URL loading is implemented, a UIWebView can cache server responses to the local filesystem. When sensitive content is returned in server responses, it could potentially be stored in the cache database.

cfurl_cache_blob data

cfurl_cache_ response

cfurl_cache_ receiver_data

cfurl_cache_ schema_version

The Mobile Application

Hacker’s Handbook

by Dominic chell, tyrone Erasmus, Shaun colley, and Ollie Whitehouse

about iOS application vulnerabilities and how to write secure iOS apps in

Find out more