The iPhone/iPad Vulnerability that Everyone Forgets
Recently the Pure Hacking technical team completed a regular skills update session on iPhone application security with a company that is a world leader in identifying mobile application vulnerabilities. Most mobile application vulnerabilities occur when developers either insecurely store sensitive information in the application or rely on client-side controls to enforce server security. With 1,000,000 apps in the App Store today this has serious repercussions for naive consumers. However, one unique iOS vulnerability stood out, because it is an iOS “feature” that ironically causes the vulnerability. It is also so simple that it is easy for developers to forget about.
So when does a feature become a vulnerability?
In order to provide a seamless visual transition when switching between applications, iOS uses a clever caching technique. When you double-click the home button you bring up the list of recently used apps, as shown below.
The apps that are not in use are in a suspended state so they don’t take up unnecessary system resources. iOS caches a screenshot of the last screen of the application, and when you tap on it the application resumes. The way it works is that the screenshot is displayed first and the application itself starts up again shortly after. This caching technique gives the user the impression that their application has resumed immediately and that their phone is very fast at switching between applications. This “feature” on its own is not a vulnerability, and does exactly what it is supposed to do. However, what happens if you lose your phone or if it’s stolen?
This is where Pre-Loaded Apps Become Unstuck
These screenshots can be accessed (no jailbreaking required) using any free tool like ‘iFunbox’ http://dl.i-funbox.com/ and then navigating to the application’s cache/snapshots directory:
The impact of this vulnerability is determined by what screen is showing when the user minimises the application. Viewing these snapshots can disclose a range of sensitive information if the user minimises the application on a sensitive screen, as shown in the screenshots below.
“WhatsApp” is a common chat application, shown here disclosing chat history:
A common password safe application is shown disclosing credit card numbers:
So where does the responsibility for this vulnerability lie? Is it the user’s responsibility not to minimise the application when sensitive information is on screen? Is it the developer’s responsibility to protect users from doing this?
So how do you fix it?
The Apple developer documentation describes a method called “applicationDidEnterBackground:” that developers can use to blank out or blur the screen before the application is minimised. This prevents sensitive data from being captured in the snapshot. More information on how to use this method can be found here:
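As an added example (not code from the original post or from Pure Hacking), the Swift app delegate below shows the fix in practice. It lays an opaque overlay over the key window when the app is about to go to the background, so the snapshot iOS captures for the app switcher contains only that overlay, and removes it again when the app becomes active. The overlay tag value and the use of a plain white view are assumptions; a real app would typically show its launch-screen artwork instead.

```swift
import UIKit

// Added example: hide sensitive content before iOS takes the app-switcher snapshot.
// Assumption: a single-window app using the classic UIApplicationDelegate lifecycle.
@UIApplicationMain
class AppDelegate: UIResponder, UIApplicationDelegate {

    var window: UIWindow?

    // Hypothetical tag used to find and later remove the privacy overlay.
    private let privacyOverlayTag = 0x5AFE

    func applicationDidEnterBackground(_ application: UIApplication) {
        // iOS captures the snapshot after this method returns, so the
        // overlay must already be on screen when we leave here.
        addPrivacyOverlay()
    }

    func applicationWillResignActive(_ application: UIApplication) {
        // Also fires for incoming calls, Control Centre and the app switcher
        // itself; cover the window early so no sensitive pixels are visible
        // behind system UI either.
        addPrivacyOverlay()
    }

    func applicationDidBecomeActive(_ application: UIApplication) {
        // Restore the real UI once the user is back in the app.
        removePrivacyOverlay()
    }

    private func addPrivacyOverlay() {
        guard let window = window,
              window.viewWithTag(privacyOverlayTag) == nil else { return }
        let overlay = UIView(frame: window.bounds)
        overlay.tag = privacyOverlayTag
        overlay.backgroundColor = .white   // or the app's launch-screen colour
        overlay.autoresizingMask = [.flexibleWidth, .flexibleHeight]
        window.addSubview(overlay)
        // Dismiss the keyboard so a partly typed password is not captured either.
        window.endEditing(true)
    }

    private func removePrivacyOverlay() {
        window?.viewWithTag(privacyOverlayTag)?.removeFromSuperview()
    }
}
```

Two points worth checking when testing this: the overlay must be added synchronously (no animation that completes after the method returns, or the snapshot will be taken mid-fade), and the same protection is needed for every window the app presents, including alert or modal windows, since each is rendered into the snapshot.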