Preserving confidential Information, while App in background

By StartxLabs
Date 22-05-19
"Making applications secure during network calls is not enough."

We have always tried to make our applications secure while making network calls. But have you ever considered that your application is also exposed to attack when it is put into background mode?

When you press the home button on an iPhone, your application goes into the background. When you relaunch that application, iOS automatically shows the screen you were previously on.

How does iOS do that?

iOS takes a screenshot of the application's current state and stores that screenshot in the filesystem. When you reopen the application, it comes to the foreground and iOS displays that screenshot as the main screen.

Now consider a scenario in which a user is typing confidential information such as passwords, email addresses or card numbers into UITextFields and then presses the home button. The whole screenshot, including the UITextFields with the confidential values, is saved to the filesystem, where an attacker with physical access to the iPhone can read it.

So, what can we do?

We cannot change the default behaviour of iOS and stop it from storing the screenshot in the filesystem. But what if we remove all the UITextField values just before the user presses the home button? Then the stored screenshot will not contain any input component with confidential information. The catch is that when the user relaunches the application, they will lose all the data they entered into the input components.

So, obviously we have to store that information somewhere, but where?

Could we store that information in UserDefaults?

No. It is better not to save sensitive data such as passwords in UserDefaults.

We will store this confidential information in the Keychain. I am using the StrongBox library to store objects in the keychain.

Storing the information is not the biggest concern here. The main issue is when to store the information and when to retrieve it from the keychain.

Here we go!

When the user presses the home button, the application goes into background mode and applicationWillResignActive in AppDelegate.swift gets called, but there we don't have direct access to the currently visible UIViewController.

We have to get the topmost UIViewController of the current UIWindow.

I have added a method for this in a UIViewController extension.

After getting the topViewController, we need all the UITextFields in it. For that, I have another method that returns the text fields in a particular UIView.

Actually, we need all the UITextFields present anywhere in the subview hierarchy of a particular UIView, which the method handles by walking every subview.

After collecting all the UITextFields in the UIView, we need to check whether any of them may contain the user's email, password or DOB.

We can do this using the UITextField properties keyboardType, inputView and isSecureTextEntry:

  • If isSecureTextEntry is true (which you should always set for password inputs), it is a password field.
  • If the keyboardType of the UITextField is emailAddress, it is an email input field.
  • If the UITextField has a date picker as its inputView, it has something to do with the user's DOB.

  • We store all the UITextField values in the keychain, each under a unique key.
  • Then we clear the value from each UITextField. Now the screenshot that iOS stores in the filesystem will contain UITextFields with empty values.

Now, when the application comes back to the foreground, we need to fetch the stored values from the keychain and put them back into the UITextFields.

We will do this in the applicationDidBecomeActive method of the AppDelegate.

We do this in almost the same manner as we saved the values to the keychain, but in reverse.

First, we get the topmost view controller. Then we get all the UITextFields from its UIView. After that, we fetch the stored values from the keychain and set them on those UITextFields. Finally, we remove the stored values from the keychain.
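The whole procedure above, written out as an added example that is not the article's own code and does not use StrongBox's API directly: the KeychainStore protocol is a hypothetical abstraction you would back with StrongBox or any keychain wrapper, and topMost, allTextFields and SensitiveFieldGuard are names chosen here. It assumes the same screen is still on top when the app becomes active again, since values are keyed by the field's position on that screen.

```swift
import UIKit

// Hypothetical keychain abstraction (back it with StrongBox or any keychain library); not from the article.
protocol KeychainStore {
    func set(_ value: String, forKey key: String)
    func get(_ key: String) -> String?
    func remove(_ key: String)
}
extension UIViewController {
    /// Follows presented, navigation and tab controllers down to the one actually on screen.
    static func topMost(from root: UIViewController?) -> UIViewController? {
        guard let root = root else { return nil }
        if let presented = root.presentedViewController { return topMost(from: presented) }
        if let nav = root as? UINavigationController { return topMost(from: nav.visibleViewController) }
        if let tab = root as? UITabBarController { return topMost(from: tab.selectedViewController) }
        return root
    }
}
extension UIView {
    /// Recursively collects every UITextField in this view's subtree.
    func allTextFields() -> [UITextField] {
        return subviews.reduce(into: [UITextField]()) { acc, sub in
            if let tf = sub as? UITextField { acc.append(tf) }
            acc += sub.allTextFields()
        }
    }
}
final class SensitiveFieldGuard {
    private let store: KeychainStore
    init(store: KeychainStore) { self.store = store }

    /// Secure entry, an e-mail keyboard or a date picker as inputView marks a field sensitive.
    static func isSensitive(_ tf: UITextField) -> Bool {
        return tf.isSecureTextEntry || tf.keyboardType == .emailAddress || tf.inputView is UIDatePicker
    }

    /// applicationWillResignActive: stash values in the keychain, then blank the fields so the
    /// snapshot iOS writes to disk shows empty inputs. Keys use the field's position on screen.
    func stash(in window: UIWindow?) {
        guard let top = UIViewController.topMost(from: window?.rootViewController) else { return }
        for (i, tf) in top.view.allTextFields().enumerated() where Self.isSensitive(tf) {
            if let text = tf.text, !text.isEmpty { store.set(text, forKey: "bg.field.\(i)") }
            tf.text = ""
        }
    }
    /// applicationDidBecomeActive: put the values back and delete them from the keychain.
    func restore(in window: UIWindow?) {
        guard let top = UIViewController.topMost(from: window?.rootViewController) else { return }
        for (i, tf) in top.view.allTextFields().enumerated() where Self.isSensitive(tf) {
            if let saved = store.get("bg.field.\(i)") { tf.text = saved; store.remove("bg.field.\(i)") }
        }
    }
}
```

Call stash(in: window) from applicationWillResignActive and restore(in: window) from applicationDidBecomeActive in the AppDelegate; because restore also deletes the keychain entries, a value never outlives the single background/foreground cycle it was stashed for.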

This is my approach to handling this security issue.