
MASTG-TEST-0073: Testing UIPasteboard

Deprecated Test

This test is deprecated and should not be used anymore. Reason: New version available in MASTG V2

Please check the following MASTG v2 tests that cover this v1 test:

Overview

Static Analysis

The systemwide general pasteboard is obtained with generalPasteboard. Search the source code or the compiled binary for this method. Using the systemwide general pasteboard should be avoided when dealing with sensitive data.

Custom pasteboards can be created with pasteboardWithName:create: or pasteboardWithUniqueName. Verify whether custom pasteboards are set to be persistent, as this has been deprecated since iOS 10. A shared container should be used instead.

In addition, the following can be inspected:

  • Check if pasteboards are being removed with removePasteboardWithName:, which invalidates an app pasteboard, freeing up all resources used by it (no effect for the general pasteboard).
  • Check if there are excluded pasteboards: there should be a call to setItems:options: with the UIPasteboardOptionLocalOnly option.
  • Check if there are expiring pasteboards: there should be a call to setItems:options: with the UIPasteboardOptionExpirationDate option.
  • Check if the app clears the pasteboard items when going to background or when terminating. This is done by some password manager apps trying to restrict sensitive data exposure.
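The checklist above can be run as a first-pass search over Objective-C source or over the strings extracted from a binary. The following is an added example, not part of the MASTG: the function names, the verdict labels and the SAMPLE snippet are constructed for illustration, and only the selector and constant names come from this page.

```python
import re

# Selectors and constants named in the checklist above, each with a review verdict.
CHECKS = {
    "generalPasteboard": "REVIEW: system-wide general pasteboard",
    "pasteboardWithName:create:": "INFO: custom named pasteboard",
    "pasteboardWithUniqueName": "INFO: custom unique pasteboard",
    "setPersistent:": "FINDING: persistent pasteboard, deprecated since iOS 10",
    "removePasteboardWithName:": "OK: app pasteboard invalidated",
    "UIPasteboardOptionLocalOnly": "OK: items excluded (local only)",
    "UIPasteboardOptionExpirationDate": "OK: items expire",
}
RESTRICTIONS = ("UIPasteboardOptionLocalOnly", "UIPasteboardOptionExpirationDate")
OBTAINERS = {"generalPasteboard", "pasteboardWithName:create:", "pasteboardWithUniqueName"}

def selector_regex(selector):
    """Match a selector as a contiguous string (binary strings output) and as
    a message send in source, where arguments sit between the keyword parts."""
    if ":" not in selector:
        return re.compile(r"\b" + re.escape(selector) + r"\b")
    parts = [re.escape(p) + r"\s*:" for p in selector.rstrip(":").split(":")]
    return re.compile(r"\b" + r"[^;]*?".join(parts))  # stay inside one statement

def scan(text):
    """Return sorted (line_number, api, verdict) tuples for every match."""
    hits = []
    for api, verdict in CHECKS.items():
        for m in selector_regex(api).finditer(text):
            hits.append((text.count("\n", 0, m.start()) + 1, api, verdict))
    return sorted(hits)

def missing_restrictions(hits):
    """If a pasteboard is obtained, list the setItems:options: options never seen."""
    seen = {api for _, api, _ in hits}
    return [r for r in RESTRICTIONS if r not in seen] if seen & OBTAINERS else []

# Constructed Objective-C sample, not taken from any real app.
SAMPLE = '''\
UIPasteboard *gp = [UIPasteboard generalPasteboard];
UIPasteboard *pb = [UIPasteboard pasteboardWithName:@"com.example.pb" create:YES];
[pb setPersistent:YES];
[pb setItems:@[@{@"public.utf8-plain-text": otp}]
     options:@{UIPasteboardOptionExpirationDate: [NSDate dateWithTimeIntervalSinceNow:60]}];
'''

if __name__ == "__main__":
    for line, api, verdict in scan(SAMPLE):
        print(f"line {line}: {api} -> {verdict}")
    print("restrictions not found:", missing_restrictions(scan(SAMPLE)))
```

A match only shows that the API is referenced; whether sensitive data actually reaches the pasteboard still has to be confirmed by reading the call site or by the dynamic analysis below.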

Dynamic Analysis

Detect Pasteboard Usage

Hook or trace the following:

  • generalPasteboard for the system-wide general pasteboard.
  • pasteboardWithName:create: and pasteboardWithUniqueName for custom pasteboards.

Detect Persistent Pasteboard Usage

Hook or trace the deprecated setPersistent: method and verify whether it is being called.

Monitoring and Inspecting Pasteboard Items

To monitor and inspect pasteboard items at runtime, follow the instructions from Monitoring the Pasteboard.