MASTG-TEST-0276: Use of the iOS General Pasteboard

Content in BETA

This content is in beta and still under active development, so it is subject to change at any time (structure, IDs, content, URLs, etc.).

Overview

This test checks whether the app uses the systemwide general pasteboard, which is persistent across device restarts and app uninstalls and is accessible by all foreground apps and, in some cases, other devices. Placing sensitive data here may pose a privacy risk.

The test statically analyzes the code for use of the general pasteboard (UIPasteboard.general) and checks whether sensitive data is written using any of the following methods:

Steps

  1. Run a static analysis scan using radare2 for iOS to detect usage of the general pasteboard.
  2. Run a static analysis scan using radare2 for iOS to detect usage of the pasteboard methods that may handle sensitive data.

Observation

The output should contain a list of locations where relevant APIs are used.

Evaluation

The test fails if there are calls to UIPasteboard.generalPasteboard and sensitive data is written to it.
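
The two scans from the steps and the pass/fail condition above can be approximated offline as follows. This is an added example, not MASTG's own radare2 script: it swaps radare2 for a plain byte scan of NUL-terminated Objective-C selector names, and the selector list, the scan helper and the sample bytes are assumptions constructed for illustration.

```python
import re

# Selector behind both +[UIPasteboard generalPasteboard] and Swift's
# UIPasteboard.general.
GENERAL_ACCESSOR = b"generalPasteboard"

# UIPasteboard write selectors (assumed list for this example). Generic names
# such as setString: also exist on other classes, so hits are only candidates.
WRITE_SELECTORS = {
    b"setString:", b"setStrings:", b"setURL:", b"setImage:",
    b"setItems:", b"addItems:", b"setItems:options:",
    b"setData:forPasteboardType:", b"setValue:forPasteboardType:",
    b"setObjects:localOnly:expirationDate:",
    b"setItemProviders:localOnly:expirationDate:",
}

def c_strings(blob):
    """Yield (offset, bytes) for each NUL-terminated printable ASCII run."""
    for m in re.finditer(rb"[\x20-\x7e]{4,}(?=\x00)", blob):
        yield m.start(), m.group()

def scan(blob):
    """Return accessor offsets, write-selector hits and a review verdict."""
    accessor, writes = [], {}
    for off, s in c_strings(blob):
        # Exact match on the whole C string, so generalPasteboardHelper
        # or mySetString: do not count.
        if s == GENERAL_ACCESSOR:
            accessor.append(off)
        elif s in WRITE_SELECTORS:
            writes.setdefault(s.decode(), []).append(off)
    # Mirrors the evaluation: only the combination of the general
    # pasteboard accessor and a write selector needs a closer look.
    return {"general": accessor, "writes": writes,
            "needs_review": bool(accessor and writes)}

# Constructed sample: a fake selector-name region, not a real app binary.
SAMPLE = b"\x00".join([b"", b"viewDidLoad", b"generalPasteboard",
                       b"setString:", b"setItems:options:",
                       b"pasteboardWithName:create:", b""])

if __name__ == "__main__":
    report = scan(SAMPLE)
    print("generalPasteboard at:", [hex(o) for o in report["general"]])
    for sel, offs in report["writes"].items():
        print(f"  {sel} at {[hex(o) for o in offs]}")
    print("manual review needed:", report["needs_review"])
```

A positive result only shows that the selectors are present in the binary. Whether the value written is sensitive still has to be confirmed by reviewing each call site.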