How to stop leaking information through multitasking
When we talk about security for iOS applications, we usually think about things like SSL certificates, storing information securely in the keychain, etc.
This is all good, and it is super great that we have such a wide focus on it these days. However, there is one small culprit that a lot of app makers seem to overlook, and I don’t blame them.
I’m talking about the multitasking feature that is built into the operating system. So what makes it a culprit? Well, basically, if the user decides to leave your application, the operating system will take a snapshot of the current view controller’s state and save it as the placeholder for your application. But what if the screen that you just left has some personal information about you that you don’t want to leave the application? Maybe you’re using a bank application and a colleague or friend borrows your phone; she or he will be able to read parts of the information that you last looked at using that app. It might sound like I’m exaggerating or making an issue out of a non-issue. Maybe, maybe not. All I know is that if I use an application that stores personal or sensitive information, I’d want it to stay within the application and not leak in any way, shape or form.
So, this is what we did to add a dash of extra security to our application.
Because we didn’t know exactly which screen should be secure or which would be fine to show, we took the path which tried to secure the entire application. Here is what we did.
When building iOS applications, you need to provide an application delegate. This class has methods that get invoked when the context changes for our application. The two scenarios that we will listen to using our application delegate are:
- func applicationDidBecomeActive(_ application: UIApplication)
- func applicationWillResignActive(_ application: UIApplication)
You probably already know as much, and even if you don’t, you can probably guess when these methods are invoked. The first one gets invoked when our application becomes active, and the latter one is invoked when the user is leaving our application.
So to add a dash of security, we will simply cover the current window with a blurred view so that prying eyes won’t see what is being displayed on the screen. Using blur is not the safest option, but for the time being, we only want to keep out people who have direct access to the phone, such as someone who is borrowing it. If you want additional security, you could display the application’s launch screen or a picture of a cat; it’s up to you.
Enough talk, let’s look at the code.
As you can see, it is not a lot of code to make a barrier that blurs whatever is on screen. When the application resigns its active state, we add the visual effect view to the root view controller’s view. We animate the alpha value to make the transition buttery smooth. When the application becomes active again, we reverse the animation and finally remove the visual effect view from the view hierarchy. You can play a bit with the blur effect to make it match your application’s look and feel; we went with .light for this demo as it worked best with the background.
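The steps just described could be implemented as shown below. This is an added example, not the code from the original post: the `privacyCover` name and the 0.25-second duration are assumptions, and it assumes an app that uses the app-delegate life cycle without a scene delegate, since UIKit does not call these two delegate methods for scene-based apps.

```swift
import UIKit

// Added example: `privacyCover` and the animation duration are assumptions,
// not names or values taken from the original post.
@main
class AppDelegate: UIResponder, UIApplicationDelegate {

    var window: UIWindow?

    // One blur view, created lazily and reused every time the app resigns active.
    private lazy var privacyCover: UIVisualEffectView = {
        let cover = UIVisualEffectView(effect: UIBlurEffect(style: .light))
        cover.autoresizingMask = [.flexibleWidth, .flexibleHeight]
        return cover
    }()

    func applicationWillResignActive(_ application: UIApplication) {
        guard let rootView = window?.rootViewController?.view else { return }
        // Cancel a fade-out that may still be running from a quick app switch.
        privacyCover.layer.removeAllAnimations()
        if privacyCover.superview == nil {
            privacyCover.alpha = 0
            rootView.addSubview(privacyCover)
        }
        privacyCover.frame = rootView.bounds
        // Fade the blur in so it is in place when the snapshot is taken.
        UIView.animate(withDuration: 0.25) { self.privacyCover.alpha = 1 }
    }

    func applicationDidBecomeActive(_ application: UIApplication) {
        // Nothing to undo on first launch, when the cover was never added.
        guard privacyCover.superview != nil else { return }
        UIView.animate(withDuration: 0.25, animations: {
            self.privacyCover.alpha = 0
        }, completion: { finished in
            // Detach only if the fade-out was not interrupted by another
            // resign-active event; otherwise the cover must stay in place.
            if finished { self.privacyCover.removeFromSuperview() }
        })
    }
}
```

If a full-screen modal is presented, the root view controller’s view may not be on screen, so the cover would not hide the modal’s content; adding the cover to the window instead handles that case.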
End result
Remember that just adding this little bit of security is not enough; you probably want to add a PIN code screen and do all the other security-related tasks that you normally do. This is just to stop your app from leaking information to the multitasking feature on iOS.