How safe is the information off the screen?

My iOS app has a lock screen, which, when turned on, covers the entire UIScreen. However, outside the boundaries of UIScreen, I have panels with confidential information that are not covered by the lock screen. (These panels can be inserted and exited when the screen is unlocked.)

How safe is it to have information beyond the boundaries of UIScreen? Can an attacker use some kind of external display or debugger or some other mechanism to "reveal" what is outside the UIScreen screen?

[The lock screen is a WKWebView, which by default has a magnifying glass function. I found that when triggered around the edges of the UIScreen, the magnifying glass shows a few pixels from the edge of the UIScreen. Since then I have turned off the magnifying glass with this answer.]

+5
2 answers

"Hiding" off-screen views is not safe at all. Anyone who has a jailbroken device can connect to your application while it is running using MobileSubstrate and call [[[UIApplication sharedApplication] keyWindow] recursiveDescription] to dump the view hierarchy. There are also tools like Reveal and Spark Inspector that provide an interface similar to the Xcode view debugger, for viewing all the views currently in the application's UIWindow.

As zambrey suggested, it would be better to initialize any views using confidential information as needed and remove them when they are dismissed and no longer needed by the user, instead of keeping them out of sight but still in the window hierarchy. The benefits are not just security: fewer views in memory will improve the performance of your application and reduce the memory footprint.

If you are concerned about security, you can check for a malicious device at runtime and restrict some features to those devices.

+9

Technically, everything that is in memory can be detected on a jailbroken device. Hiding sensitive views outside of what is currently displayed is not a security measure. After the device is locked, the views and the contents of these views will be displayed. Even if you have a password text field set as "secureTextEntry", and even if you hide it, the contents can be read using a debugger attached to the application if the text field is not freed. And even when the text field is freed, the memory can be flushed, and if this memory has not been redefined, you can find the contents of this view.

Now, if you're not worried about the jailbroken script, and want to find other options by which someone who doesn't have a jailbroken device can explore the views, you should probably check the Accessibility features included in iOS. VoiceOver will be able to read aloud text that is hidden if accessibility in this view is not disabled properly. Removing views from accessibility tools is sometimes difficult because changing a parent can affect all subitems (read the UIAccessibility documentation).

Setting accessibilityElementsHidden to YES in the parent view or isAccessibilityElement to NO in the view should work.

+5
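An added example, not code from either answer, showing the two mitigations the answers describe: the confidential panel is created only while unlocked and removed from the view hierarchy on lock, and whatever stays under the lock screen is hidden from VoiceOver. `PanelHostViewController`, `ConfidentialPanelViewController` and the lock-on-background trigger are assumptions made for illustration.

```objective-c
#import <UIKit/UIKit.h>

// Hypothetical panel holding confidential data; stands in for the app's own panels.
@interface ConfidentialPanelViewController : UIViewController
@end
@implementation ConfidentialPanelViewController
@end

// Hypothetical container that owns the panel's lifetime.
@interface PanelHostViewController : UIViewController
@property (nonatomic, strong) ConfidentialPanelViewController *panel;
@end

@implementation PanelHostViewController

- (void)viewDidLoad {
    [super viewDidLoad];
    // Assumption: the app locks whenever it leaves the foreground.
    [[NSNotificationCenter defaultCenter] addObserver:self
                                             selector:@selector(lock)
                                                 name:UIApplicationDidEnterBackgroundNotification
                                               object:nil];
}

// Build the panel only after the user has unlocked.
- (void)unlock {
    if (self.panel) { return; }
    ConfidentialPanelViewController *panel = [ConfidentialPanelViewController new];
    [self addChildViewController:panel];
    panel.view.frame = self.view.bounds;
    [self.view addSubview:panel.view];
    [panel didMoveToParentViewController:self];
    self.panel = panel;
    self.view.accessibilityElementsHidden = NO;
}

// Tear the panel down instead of parking it outside the screen bounds.
- (void)lock {
    [self.panel willMoveToParentViewController:nil];
    [self.panel.view removeFromSuperview];   // gone from recursiveDescription output
    [self.panel removeFromParentViewController];
    self.panel = nil;                        // drop the last strong reference
    // Anything still under the lock screen is hidden from VoiceOver.
    self.view.accessibilityElementsHidden = YES;
}

@end
```

Removing the panel takes it out of the window hierarchy; it does not address the second answer's point about contents remaining in freed memory.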