MASTG-TEST-0276: Use of the iOS General Pasteboard
Overview
This test checks whether the app uses the systemwide general Pasteboard, which is persistent across device restarts and app uninstalls and is accessible by all foreground apps and, in some cases, other devices. Placing sensitive data here may pose a privacy risk.
The test statically analyzes the code for use of the general pasteboard (UIPasteboard.general) and checks whether sensitive data is written using any of the following methods:
Steps
- Use Exploring the App Package to extract the relevant binaries from the app package.
- Use Static Analysis on iOS to look for the relevant APIs in the app binaries.
Observation
The output should contain a list of locations where relevant APIs are used.
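As an added illustration of the static-analysis step (not part of the MASTG or its tooling), the following Python script lists the file offsets at which pasteboard-related Objective-C selector names appear in an extracted app binary. The selector list, the function names and the sample bytes are assumptions of this example, not taken from the page.

```python
import sys
from typing import List, NamedTuple

# Objective-C selector names, stored as NUL-terminated C strings in the binary.
# This list is an assumption of the example, not the list from the test page.
ACCESSOR = b"generalPasteboard"
WRITE_SELECTORS = {
    b"setValue:forPasteboardType:",
    b"setData:forPasteboardType:",
    b"setItems:options:",
    b"addItems:",
}

class Hit(NamedTuple):
    offset: int      # file offset of the selector string
    selector: str
    kind: str        # "accessor" or "write"

def scan(blob: bytes) -> List[Hit]:
    """Return whole-string matches of the pasteboard selectors in blob."""
    hits, offset = [], 0
    for chunk in blob.split(b"\x00"):
        if chunk == ACCESSOR:
            hits.append(Hit(offset, chunk.decode(), "accessor"))
        elif chunk in WRITE_SELECTORS:
            hits.append(Hit(offset, chunk.decode(), "write"))
        offset += len(chunk) + 1   # +1 for the NUL separator
    return hits

def needs_review(hits: List[Hit]) -> bool:
    """True when both the general-pasteboard accessor and a write selector
    appear; each hit then has to be inspected in the disassembly."""
    kinds = {h.kind for h in hits}
    return {"accessor", "write"} <= kinds

# Constructed sample: Mach-O magic, padding, then three selector strings.
SAMPLE = (b"\xcf\xfa\xed\xfe" + b"\x00" * 4 +
          b"viewDidLoad\x00generalPasteboard\x00setValue:forPasteboardType:\x00")

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    found = scan(data)
    for h in found:
        print(f"0x{h.offset:08x}  {h.kind:8}  {h.selector}")
    print("needs manual review:", needs_review(found))
```

A hit only shows that the selector name is present in the binary; whether the data written is sensitive still has to be decided per call site.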
Evaluation
The test case fails if calls are made to UIPasteboard.generalPasteboard and sensitive data is written to it.
Further Validation Required:
Since determining what constitutes sensitive data is context-dependent, inspect each reported code location using Reviewing Disassembled Objective-C and Swift Code:
- Determine whether the data written to the pasteboard is sensitive (e.g., passwords, tokens, or personal data).