Home button on iPhone, iPad poses data leakage risk
When the Home button on the Apple (NASDAQ: AAPL) iPhone and iPad creates a screenshot of the current view and stores it as an image on the device, data in that screenshot could be leaked, according to a mobile app security assessment conducted by Mushegh Hakhinian.
Hakhinian is a security architect with IntraLinks, a provider of enterprise content management and collaboration products.
During a presentation to the Cloud Security Alliance Congress last week, Hakhinian offered users two options to prevent data from leaking through the screenshot: set the "application does not run in background" property to 'YES' in the Info.plist file, or, in applicationDidEnterBackground, change the current view to a standard sanitized view.
In addition, Hakhinian said that he ran an emulator that looked at the directory that $TMPDIR points to in Mac OS X and found temporary data left behind. He recommended that app developers write a delegate to remove data before exiting the app.
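The two mitigations described above (swapping in a sanitized view in applicationDidEnterBackground and removing temporary data before the app exits) could look like the following in a UIKit app delegate. This is an added example, not code from Hakhinian's presentation; it assumes an app with an AppDelegate-managed window (no scene delegate) that does not need its temporary files after a resume, and the names `privacyCover` and `purgeTemporaryFiles` are hypothetical.

```swift
import UIKit

// Added example. The Info.plist alternative ("Application does not run in
// background" is Xcode's label for UIApplicationExitsOnSuspend) is deprecated
// since iOS 13, so this sketch takes the view-swap route instead.
@main
final class AppDelegate: UIResponder, UIApplicationDelegate {
    var window: UIWindow?

    // Opaque cover (hypothetical name) placed over the app's content while it
    // is backgrounded, so the snapshot iOS stores shows no document data.
    private lazy var privacyCover: UIView = {
        let cover = UIView()
        cover.backgroundColor = .white
        cover.autoresizingMask = [.flexibleWidth, .flexibleHeight]
        return cover
    }()

    func applicationDidEnterBackground(_ application: UIApplication) {
        // The system snapshots the window after this method returns, so the
        // cover must be in place before we leave it.
        if let window = window {
            privacyCover.frame = window.bounds
            window.addSubview(privacyCover) // added last, so it sits on top
        }
        // applicationWillTerminate is not called for an app that is killed
        // while suspended, so temporary data is also cleared here.
        purgeTemporaryFiles()
    }

    func applicationWillEnterForeground(_ application: UIApplication) {
        privacyCover.removeFromSuperview()
    }

    func applicationWillTerminate(_ application: UIApplication) {
        purgeTemporaryFiles()
    }

    // Deletes everything in the app's temporary directory (hypothetical helper).
    private func purgeTemporaryFiles() {
        let fm = FileManager.default
        let tmp = fm.temporaryDirectory
        guard let items = try? fm.contentsOfDirectory(
            at: tmp, includingPropertiesForKeys: nil) else { return }
        for item in items {
            try? fm.removeItem(at: item)
        }
    }
}
```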
"The main thing about mobile apps is that confidential data may end up on mobile devices, which can be lost, stolen, jailbroken, or infected. So the focus of mobile app security should be protecting the data," Hakhinian told FierceMobileIT in an interview.
Hakhinian offered four secure design principles for mobile app developers: implement secure key management for encryption; do not store data locally (make sure the enterprise system, not the app, controls whether the data can be cached); protect configuration files (make sure the configuration information is encrypted); and control app lifecycles (explicitly disable the ability of the app to run in the background so it will unload).
To uncover mobile app security issues, Hakhinian recommended that developers do a full code review before releasing the app and run the app through debuggers and simulators to find data left behind.
"Mobile devices and apps handle very sensitive, mission-critical data in the enterprise," noted Hakhinian. "Therefore, enterprises and mobile app developers need to take security measures to ensure that mobile apps do not leak," he added.