hacktricks/mobile-pentesting/ios-pentesting/ios-uipasteboard.md



{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}

<figure><img src="https://pentest.eu/RENDER_WebSec_10fps_21sec_9MB_29042024.gif" alt=""><figcaption></figcaption></figure>

{% embed url="https://websec.nl/" %}


Data sharing within and across applications on iOS devices is facilitated by the [`UIPasteboard`](https://developer.apple.com/documentation/uikit/uipasteboard) mechanism, which is divided into two primary categories:

- **Systemwide general pasteboard**: This is used for sharing data with **any application** and is designed to persist data across device restarts and app uninstallations, a feature that has been available since iOS 10.
- **Custom / Named pasteboards**: These are specifically for data sharing **within an app or with another app** that shares the same team ID, and are not designed to persist beyond the life of the application process that creates them, following changes introduced in iOS 10.

**Security considerations** play a significant role when utilizing pasteboards. For instance:
- There is no mechanism for users to manage app permissions to access the **pasteboard**.
- To mitigate the risk of unauthorized background monitoring of the pasteboard, access is restricted to when the application is in the foreground (since iOS 9).
- The use of persistent named pasteboards is discouraged in favor of shared containers due to privacy concerns.
- The **Universal Clipboard** feature introduced with iOS 10, allowing content to be shared across devices via the general pasteboard, can be managed by developers to set data expiration and disable automatic content transfer.

Ensuring that **sensitive information is not inadvertently stored** on the global pasteboard is crucial. Additionally, applications should be designed to prevent the misuse of global pasteboard data for unintended actions, and developers are encouraged to implement measures to prevent copying of sensitive information to the clipboard.

### Static Analysis

For static analysis, search the source code or binary for:
- `generalPasteboard` to identify usage of the **systemwide general pasteboard**.
- `pasteboardWithName:create:` and `pasteboardWithUniqueName` for creating **custom pasteboards**. Verify if persistence is enabled, though this is deprecated.

### Dynamic Analysis

Dynamic analysis involves hooking or tracing specific methods:
- Monitor `generalPasteboard` for system-wide usage.
- Trace `pasteboardWithName:create:` and `pasteboardWithUniqueName` for custom implementations.
- Observe deprecated `setPersistent:` method calls to check for persistence settings.

Key details to monitor include:
- **Pasteboard names** and **contents** (for instance, checking for strings, URLs, images).
- **Number of items** and **data types** present, leveraging standard and custom data type checks.
- **Expiry and local-only options** by inspecting the `setItems:options:` method.

An example of monitoring tool usage is **objection's pasteboard monitor**, which polls the generalPasteboard every 5 seconds for changes and outputs the new data. 

Here's a simple JavaScript script example, inspired by the objection's approach, to read and log changes from the pasteboard every 5 seconds:

```javascript
const UIPasteboard = ObjC.classes.UIPasteboard;
const Pasteboard = UIPasteboard.generalPasteboard();
var items = "";
var count = Pasteboard.changeCount().toString();

setInterval(function () {
  const currentCount = Pasteboard.changeCount().toString();
  const currentItems = Pasteboard.items().toString();

  if (currentCount === count) { return; }

  items = currentItems;
  count = currentCount;

  console.log('[* Pasteboard changed] count: ' + count +
  ' hasStrings: ' + Pasteboard.hasStrings().toString() +
  ' hasURLs: ' + Pasteboard.hasURLs().toString() +
  ' hasImages: ' + Pasteboard.hasImages().toString());
  console.log(items);

}, 1000 * 5);
```

## References

* [https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06h-testing-platform-interaction#testing-object-persistence-mstg-platform-8](https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06h-testing-platform-interaction#testing-object-persistence-mstg-platform-8)
* [https://hackmd.io/@robihamanto/owasp-robi](https://hackmd.io/@robihamanto/owasp-robi)
* [https://mas.owasp.org/MASTG/tests/ios/MASVS-PLATFORM/MASTG-TEST-0073/](https://mas.owasp.org/MASTG/tests/ios/MASVS-PLATFORM/MASTG-TEST-0073/)

<figure><img src="https://pentest.eu/RENDER_WebSec_10fps_21sec_9MB_29042024.gif" alt=""><figcaption></figcaption></figure>

{% embed url="https://websec.nl/" %}


{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00

b 2024-07-18 23:16:27 +00:00			`{% hint style="success" %}`
			`Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[HackTricks Training AWS Red Team Expert (ARTE)](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\`
			`Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[HackTricks Training GCP Red Team Expert (GRTE)<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
b 2024-07-18 23:16:27 +00:00			`<details>`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
b 2024-07-18 23:16:27 +00:00			`<summary>Support HackTricks</summary>`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
b 2024-07-18 23:16:27 +00:00			`* Check the [subscription plans](https://github.com/sponsors/carlospolop)!`
			`* Join the 💬 [Discord group](https://discord.gg/hRep4RUj7f) or the [telegram group](https://t.me/peass) or follow us on Twitter 🐦 [@hacktricks\_live](https://twitter.com/hacktricks\_live).`
			`* Share hacking tricks by submitting PRs to the [HackTricks](https://github.com/carlospolop/hacktricks) and [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) github repos.`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`</details>`
b 2024-07-18 23:16:27 +00:00			`{% endhint %}`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
a 2024-05-02 14:18:32 +00:00			`<figure><img src="https://pentest.eu/RENDER_WebSec_10fps_21sec_9MB_29042024.gif" alt=""><figcaption></figcaption></figure>`
w 2024-04-07 22:37:55 +00:00
			`{% embed url="https://websec.nl/" %}`


a 2024-02-08 03:08:28 +00:00			Data sharing within and across applications on iOS devices is facilitated by the [`UIPasteboard`](https://developer.apple.com/documentation/uikit/uipasteboard) mechanism, which is divided into two primary categories:
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
a 2024-02-08 03:08:28 +00:00			`- Systemwide general pasteboard: This is used for sharing data with any application and is designed to persist data across device restarts and app uninstallations, a feature that has been available since iOS 10.`
			`- Custom / Named pasteboards: These are specifically for data sharing within an app or with another app that shares the same team ID, and are not designed to persist beyond the life of the application process that creates them, following changes introduced in iOS 10.`
GitBook: [master] 7 pages modified 2021-05-21 16:38:18 +00:00
a 2024-02-08 03:08:28 +00:00			`Security considerations play a significant role when utilizing pasteboards. For instance:`
			`- There is no mechanism for users to manage app permissions to access the pasteboard.`
			`- To mitigate the risk of unauthorized background monitoring of the pasteboard, access is restricted to when the application is in the foreground (since iOS 9).`
			`- The use of persistent named pasteboards is discouraged in favor of shared containers due to privacy concerns.`
			`- The Universal Clipboard feature introduced with iOS 10, allowing content to be shared across devices via the general pasteboard, can be managed by developers to set data expiration and disable automatic content transfer.`
GitBook: [master] 7 pages modified 2021-05-21 16:38:18 +00:00
a 2024-02-08 03:08:28 +00:00			`Ensuring that sensitive information is not inadvertently stored on the global pasteboard is crucial. Additionally, applications should be designed to prevent the misuse of global pasteboard data for unintended actions, and developers are encouraged to implement measures to prevent copying of sensitive information to the clipboard.`
GitBook: [master] 7 pages modified 2021-05-21 16:38:18 +00:00
a 2024-02-08 03:08:28 +00:00			`### Static Analysis`
GitBook: [master] 7 pages modified 2021-05-21 16:38:18 +00:00
a 2024-02-08 03:08:28 +00:00			`For static analysis, search the source code or binary for:`
			- `generalPasteboard` to identify usage of the systemwide general pasteboard.
			- `pasteboardWithName:create:` and `pasteboardWithUniqueName` for creating custom pasteboards. Verify if persistence is enabled, though this is deprecated.
GitBook: [master] 7 pages modified 2021-05-21 16:38:18 +00:00
a 2024-02-08 03:08:28 +00:00			`### Dynamic Analysis`
GitBook: [master] 7 pages modified 2021-05-21 16:38:18 +00:00
a 2024-02-08 03:08:28 +00:00			`Dynamic analysis involves hooking or tracing specific methods:`
			- Monitor `generalPasteboard` for system-wide usage.
			- Trace `pasteboardWithName:create:` and `pasteboardWithUniqueName` for custom implementations.
			- Observe deprecated `setPersistent:` method calls to check for persistence settings.
GitBook: [master] 7 pages modified 2021-05-21 16:38:18 +00:00
a 2024-02-08 03:08:28 +00:00			`Key details to monitor include:`
			`- Pasteboard names and contents (for instance, checking for strings, URLs, images).`
			`- Number of items and data types present, leveraging standard and custom data type checks.`
			- Expiry and local-only options by inspecting the `setItems:options:` method.
GitBook: [master] 7 pages modified 2021-05-21 16:38:18 +00:00
a 2024-02-08 03:08:28 +00:00			`An example of monitoring tool usage is objection's pasteboard monitor, which polls the generalPasteboard every 5 seconds for changes and outputs the new data.`
GitBook: [master] 7 pages modified 2021-05-21 16:38:18 +00:00
a 2024-02-08 03:08:28 +00:00			`Here's a simple JavaScript script example, inspired by the objection's approach, to read and log changes from the pasteboard every 5 seconds:`
GitBook: [master] 7 pages modified 2021-05-21 16:38:18 +00:00
			```javascript
			`const UIPasteboard = ObjC.classes.UIPasteboard;`
a 2024-02-08 03:08:28 +00:00			`const Pasteboard = UIPasteboard.generalPasteboard();`
			`var items = "";`
			`var count = Pasteboard.changeCount().toString();`
GitBook: [master] 7 pages modified 2021-05-21 16:38:18 +00:00
			`setInterval(function () {`
a 2024-02-08 03:08:28 +00:00			`const currentCount = Pasteboard.changeCount().toString();`
			`const currentItems = Pasteboard.items().toString();`
GitBook: [master] 7 pages modified 2021-05-21 16:38:18 +00:00
a 2024-02-08 03:08:28 +00:00			`if (currentCount === count) { return; }`
GitBook: [master] 7 pages modified 2021-05-21 16:38:18 +00:00
a 2024-02-08 03:08:28 +00:00			`items = currentItems;`
			`count = currentCount;`
GitBook: [master] 7 pages modified 2021-05-21 16:38:18 +00:00
a 2024-02-08 03:08:28 +00:00			`console.log('[* Pasteboard changed] count: ' + count +`
			`' hasStrings: ' + Pasteboard.hasStrings().toString() +`
			`' hasURLs: ' + Pasteboard.hasURLs().toString() +`
			`' hasImages: ' + Pasteboard.hasImages().toString());`
			`console.log(items);`
GitBook: [master] 7 pages modified 2021-05-21 16:38:18 +00:00
a 2024-02-08 03:08:28 +00:00			`}, 1000 * 5);`
GitBook: [master] 7 pages modified 2021-05-21 16:38:18 +00:00			```

a 2024-02-08 03:08:28 +00:00			`## References`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
a 2024-02-08 03:08:28 +00:00			`* [https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06h-testing-platform-interaction#testing-object-persistence-mstg-platform-8](https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06h-testing-platform-interaction#testing-object-persistence-mstg-platform-8)`
			`* [https://hackmd.io/@robihamanto/owasp-robi](https://hackmd.io/@robihamanto/owasp-robi)`
			`* [https://mas.owasp.org/MASTG/tests/ios/MASVS-PLATFORM/MASTG-TEST-0073/](https://mas.owasp.org/MASTG/tests/ios/MASVS-PLATFORM/MASTG-TEST-0073/)`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
a 2024-05-02 14:18:32 +00:00			`<figure><img src="https://pentest.eu/RENDER_WebSec_10fps_21sec_9MB_29042024.gif" alt=""><figcaption></figcaption></figure>`
w 2024-04-07 22:37:55 +00:00
			`{% embed url="https://websec.nl/" %}`


b 2024-07-18 23:16:27 +00:00			`{% hint style="success" %}`
			`Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[HackTricks Training AWS Red Team Expert (ARTE)](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\`
			`Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[HackTricks Training GCP Red Team Expert (GRTE)<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
b 2024-07-18 23:16:27 +00:00			`<details>`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
b 2024-07-18 23:16:27 +00:00			`<summary>Support HackTricks</summary>`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
b 2024-07-18 23:16:27 +00:00			`* Check the [subscription plans](https://github.com/sponsors/carlospolop)!`
			`* Join the 💬 [Discord group](https://discord.gg/hRep4RUj7f) or the [telegram group](https://t.me/peass) or follow us on Twitter 🐦 [@hacktricks\_live](https://twitter.com/hacktricks\_live).`
			`* Share hacking tricks by submitting PRs to the [HackTricks](https://github.com/carlospolop/hacktricks) and [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) github repos.`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`</details>`
b 2024-07-18 23:16:27 +00:00			`{% endhint %}`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00