iTunes UI File Sharing Enabled

iTunes UI File Sharing Enabled

Risk: low

Description

When file sharing is enabled, UIFileSharingEnabled is set to true, and the entire Documents folder is used for file sharing.

Files not intended for user access via the file sharing feature should be stored in another part of the application's bundle. An attacker can use physical access to the iOS device to gain access to them by abusing the file sharing feature in the application.

Recommendation

To ensure sensitive files are not leaked through file sharing:

• Make sure files containing sensitive information are not copied to the Documents directory.
• If your app does not need this functionality, set the UIFileSharingEnabled flag in the Info.plist file to false or delete the option.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <!-- Other keys and values in your Info.plist file -->

    <key>UIFileSharingEnabled</key>
    <false/>

    <!-- Other keys and values in your Info.plist file -->
</dict>
</plist>

Links

• Common Weakness Enumeration CWE-359
• Apple Developer documentation

Standards

• OWASP_MASVS_L1:
  • MSTG_STORAGE_6
• OWASP_MASVS_L2:
  • MSTG_STORAGE_6
• PCI_STANDARDS:
  • REQ_2_2
  • REQ_3_5
  • REQ_6_2
• OWASP_MASVS_v2_1:
  • MASVS_PLATFORM_1
• SOC2_CONTROLS:
  • CC_2_1
  • CC_4_1
  • CC_7_1
  • CC_7_2
  • CC_7_4
  • CC_7_5