iOS App Security - Backgrounding screenshot safe1

iOS App Security – Backgrounding screenshot

Every time security of apps comes up in any conversation it turns out a lot of people are unaware of this being an issue at all. Simple things like the screenshot iOS takes every time your app gets backgrounded are not the common knowledge I expected it to be by now. In this blog post I wanted to share a few things I learned during a course by Ken van Wyk.

First of all, a must have is Macroplants iExporer. This will let you browse any connected iDevice, including some of the data that gets stored within the apps on the device. Using this tool to have a look at the apps your have built will show you what data is easily accessible for anyone who can hookup the device to their computer. (Spoiler: Even locked and password protected devices can be browsed through iExplorer). Download it here and use it to your advantage.

A lot of these security ‘issues’ have everything to do with knowing the platform you are building for. Take for example the backgrounding issue mentioned earlier. As it turns out, iOS will take a screenshot of your app every time it is sent to the background. This screenshot is later used to make your iPhone look a bit quicker when you open your app again, while the app is loaded, iOS will show the screenshot that was taken earlier. If you ever had an app taking a moment before responding again, you were probably pushing buttons on a screenshot. The issue here is that any private data that is on the screen will be stored when the screenshot is taken, these are easily found using iExplorer (or any other application with the same kind of access).

 

 

Luckily for us, this is fairly easy to anticipate and damage can be prevented with only a few lines of code. In your app delegate you can find the following functions:

UsingĀ  – (void)applicationDidEnterBackground:(UIApplication *)applicationĀ  we can ensure to hide any sensitive data from being stored in the screenshot. The most common ways to do this are to show your Default.png image on top of anything else. This way any screenshot will just be a copy of your startup/loading screen, and as an added bonus, when someone starts the app agian they will see a familiar screen.

Another way of doing things is to send a notification using NSNotificationCenter. You can then just add an observer for every view where you might want to hide some data. In the specific view you can decide to just hide certain fields or the whole screen.

This example as well as many others is also found in iGoat, an application that will help you to learn a bit more about iOS application security leaks and how to prevent them. I can recommend everyone to check out and download iGoat here.

 

2 Comments

  1. Adisa Madison February 3, 2016
  2. Ariel September 5, 2013