lcimeni / ego-live


NowSecure dynamic analysis: Not Limiting Pasteboard Timeout Exposes Copied Information #193

Open lcimeni opened 3 years ago

lcimeni commented 3 years ago

Finding Description

Apple provides the option for developers to utilize an object called "UIPasteboard" which allows a user to share data from one place to another within an application, and also share data from one application to the next. A secure approach to utilizing this object is to set an expiration date and time, at which point the system will remove this data from the pasteboard. The application fails to set an expiration date for pasteboard items set on the general pasteboard. This means that the data could potentially persist after it is needed within the context of the app, and potentially be available to other applications.

Steps to Reproduce

While the app is running on a physical device, this test detects whether any UIPasteboard object was utilized without setting an expiration for the data.

Business Impact

Sensitive data may be stored far longer than necessary as a result of no expiration date being set. Anyone with access to the device would have access to this potentially sensitive information.

Remediation Resources

Set the expiration for pasteboard items using the UIPasteboardOptionExpirationDate in calls to setItems:options:. For more information, see the UIPasteboard documentation.

Risk and Regulatory Information

Severity: low CVSS: 2.5

Application

See more detail in the NowSecure Report
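
The remediation named in the finding, sketched in Swift as an added example; it is not code from the ego-live project or from the NowSecure report. The `SensitivePasteboard` wrapper, its function names and the 60-second lifetime are assumptions made for illustration. The UIKit calls (`setItems(_:options:)` and the `.expirationDate` option, the Swift spelling of `UIPasteboardOptionExpirationDate`) are the ones the finding refers to.

```swift
import UIKit

/// Hypothetical wrapper (not part of the project) that routes every copy of
/// sensitive text through one place so an expiration is always attached.
enum SensitivePasteboard {

    /// Assumed lifetime for copied values; tune it to the data being copied.
    static let defaultLifetime: TimeInterval = 60

    /// Uniform type identifier for UTF-8 plain text.
    private static let plainTextType = "public.utf8-plain-text"

    /// Pattern the finding flags: the value is placed on the general
    /// pasteboard with no expiration, so it stays there until something
    /// else overwrites it.
    static func copyWithoutExpiration(_ text: String) {
        UIPasteboard.general.string = text
    }

    /// Remediated pattern: the same value written with setItems(_:options:)
    /// and an expiration date, after which the system removes the item.
    static func copy(_ text: String, lifetime: TimeInterval = defaultLifetime) {
        // Fall back to the default when a caller passes a non-positive
        // lifetime, so an item is never written with a date in the past.
        let effectiveLifetime = lifetime > 0 ? lifetime : defaultLifetime

        let item: [String: Any] = [plainTextType: text]
        let options: [UIPasteboard.OptionsKey: Any] = [
            .expirationDate: Date().addingTimeInterval(effectiveLifetime)
        ]
        UIPasteboard.general.setItems([item], options: options)
    }
}
```

Replacing direct writes to `UIPasteboard.general` with calls to a single function like `copy(_:lifetime:)` also makes remaining unexpired writes easy to find in code review by searching for `UIPasteboard.general`.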