Creating Secure iOS App — Part 2

Pandurang Yachwad
Published in Apps Studio
2 min read · Nov 14, 2018

Side Channel data leakage

This part covers another aspect of data leakage and how to avoid it; Part 1 covers local data storage risks. Side channel data leakage happens whenever data is leaked unintentionally through features of the operating system (OS) and the tools used. Common examples of side channel data leakage:

  1. Automatic background snapshot
  2. Information leakage through pasteboard
  3. Keystroke Logging
  4. Debug Logging

Here is how the data is leaked in each case and how it can be avoided.

Automatic background snapshot: Whenever the app transitions to the background, the system captures a snapshot of the app's main window and saves it in the app folder on the phone. The captured snapshot is briefly shown to the user while transitioning back to the app. If there is sensitive information on screen, it is exposed to any attack that can read the saved snapshot.

The best way to avoid this kind of leak is to add a splash screen when the app transitions to the background and remove it when the app comes to the foreground. Here is sample code in AppDelegate.swift:

var backgroundImage = UIImageView(image: UIImage(named: "backrgoundImage.png"))

func applicationDidEnterBackground(_ application: UIApplication) {
    // Add the splash screen
    self.window?.addSubview(backgroundImage)
}

func applicationWillEnterForeground(_ application: UIApplication) {
    // Called as part of the transition from the background to the active state; here you can undo many of the changes made on entering the background.
    backgroundImage.removeFromSuperview()
}

Information leakage through pasteboard: The pasteboard is a secure way to share data within and between apps. When the user cuts or copies data in the app, it is copied to a shared buffer that other apps can access. If you want to avoid leaving data in the shared buffer, it's good practice to empty the pasteboard when the app transitions to the background. Here is sample code:

func applicationDidEnterBackground(_ application: UIApplication) {
    UIPasteboard.general.items = []
}
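A stricter variant for values the app itself places on the pasteboard, as an added example that is not part of the original article: it keeps the copied value on this device, gives it an expiry, and on backgrounding clears the pasteboard only if it still holds the app's own data. The `SensitivePasteboard` class, its method names and the 60-second lifetime are assumptions made for illustration; `setItems(_:options:)` requires iOS 10 or later.

```swift
import UIKit

/// Hypothetical helper (not from the original article).
/// Copies a sensitive string with restrictions and clears it on backgrounding
/// only when the pasteboard has not changed since the app wrote to it.
final class SensitivePasteboard {
    static let shared = SensitivePasteboard()
    private init() {}

    private let pasteboard = UIPasteboard.general
    /// changeCount recorded right after our own write; nil when nothing is pending.
    private var ownedChangeCount: Int?

    /// Copy `text` so that it stays on this device and expires after `lifetime` seconds.
    func copy(_ text: String, lifetime: TimeInterval = 60) {
        let item: [String: Any] = ["public.utf8-plain-text": text]
        let options: [UIPasteboard.OptionsKey: Any] = [
            .localOnly: true,  // do not hand the value to other devices via Handoff
            .expirationDate: Date().addingTimeInterval(lifetime)  // system removes it afterwards
        ]
        pasteboard.setItems([item], options: options)
        ownedChangeCount = pasteboard.changeCount
    }

    /// Empty the pasteboard only if its contents are still what `copy` wrote,
    /// so unrelated clipboard data placed there later is left alone.
    func clearIfOwned() {
        defer { ownedChangeCount = nil }
        guard let owned = ownedChangeCount, pasteboard.changeCount == owned else { return }
        pasteboard.items = []
    }
}

// In AppDelegate.swift:
// func applicationDidEnterBackground(_ application: UIApplication) {
//     SensitivePasteboard.shared.clearIfOwned()
// }
```

This covers only values the app copies programmatically, for example from a "Copy" button; text the user copies through the system edit menu is still handled by the unconditional clear shown above.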

Keystroke logging: The autocorrection feature of iOS caches all entries from the user's keyboard except secure text, strings with numbers, small strings, and text fields marked by the developer as not to be cached. You can avoid keystroke logging by setting the autocorrection type to 'No' while building the UI, or programmatically as below.

textView.autocorrectionType = .no

Debug logging: Developers use print statements to output data while debugging the app. This is quite useful for debugging, but it can expose the data if the app is moved to production with those debug logs in place. It's advisable to remove all debug logs before the app is submitted to the App Store. It's also best practice to log in debug mode only. That can be done by adding the DEBUG flag to the Swift Compiler flags and adding the code below in AppDelegate:

func DLog(message: String, function: String = #function) {
    #if DEBUG
    print("\(function): \(message)")
    #endif
}
