From the course: iOS Development: Security
Exposing sensitive data through copying and pasting - iOS Tutorial
- [Instructor] When we copy and paste text or other data in iOS, the content goes in the pasteboard. The pasteboard is a system-wide shared resource. The text copied in one application can be read by other parts of the same app and by other apps too. Thus, if we allow the copying of sensitive data like passwords or PIN codes, those become available to all apps in the system. In this demo, I'm going to demonstrate the issue with the general pasteboard. I've gone ahead and created a simple app called Pasteboard. If you want to follow along with me, you can find the project in the Exercise Files folder, Chapter two, two four, begin. The app has three text fields that resemble a simple login UI. We can enter a Username, Password, and the Password again for validation. Let's inspect these text views. I'm going to open this panel and switch to the Attributes Inspector. Now let's select the Username field. As you can see, the Content Type is set to Username. For the Password, it is set to Password, and Repeat Password is also a Password Content Type. Now let's run the demo. I enter secure user for the Username, and SuperSecretPassword for the password. Next, instead of typing the password again in the Repeat Password field, I use the copy and paste feature. Let's copy it and paste it over here. Now let's switch to another app. For example, the Reminders app. Let's add a new reminder and I use the paste function again. And our SuperSecretPassword can be seen also here. All the content that gets copied to the general pasteboard is available to all the apps in the system. This is a useful feature but it can also become a vulnerability.
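The leak shown in the demo can be limited in code. The following is an added example, not code from the course or its exercise files: `NoCopyTextField` and `SensitivePasteboard` are hypothetical names, and the 60-second lifetime is an assumed value.

```swift
import UIKit

// Added example (hypothetical class name): a text field for passwords or PINs
// that never offers Copy or Cut, so its contents cannot reach the pasteboard
// through the edit menu. Paste, Select and Select All keep working.
final class NoCopyTextField: UITextField {
    override func canPerformAction(_ action: Selector, withSender sender: Any?) -> Bool {
        if action == #selector(UIResponderStandardEditActions.copy(_:)) ||
           action == #selector(UIResponderStandardEditActions.cut(_:)) {
            return false
        }
        return super.canPerformAction(action, withSender: sender)
    }
}

// Added example (hypothetical helper): for values the user must be able to
// copy, write them to the general pasteboard with restrictive options.
enum SensitivePasteboard {
    /// Copies `text` so that it stays on this device and expires automatically.
    /// - Parameter lifetime: seconds until the system discards the item
    ///   (60 is an assumed default, tune it to the use case).
    static func copy(_ text: String, lifetime: TimeInterval = 60) {
        // "public.utf8-plain-text" is the uniform type identifier for plain text.
        let item: [String: Any] = ["public.utf8-plain-text": text]
        UIPasteboard.general.setItems([item], options: [
            // Keep the item off other devices (no Universal Clipboard / Handoff).
            .localOnly: true,
            // Ask the system to remove the item after the given date.
            .expirationDate: Date().addingTimeInterval(lifetime)
        ])
    }
}

// Usage inside a view controller (constructed sample, not from the course):
//   let passwordField = NoCopyTextField()
//   passwordField.textContentType = .password
//   SensitivePasteboard.copy(oneTimeCode, lifetime: 30)
```

Until the item expires, other apps on the same device can still read it from the general pasteboard, so blocking Copy and Cut on the field is the stronger control for passwords and PINs.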