Sunday, December 21, 2014

iPhone security, App Switcher, and Snapshot Cache

In order to provide a smooth and fluid user experience on resource limited hardware IOS on mobile Apple devices takes a "snapshot" of the application's view anytime the application is suspended. This snapshot is then displayed when starting or switching back to the application. This gives the impression that the application starts up much faster than it actually does. This snapshot is also used as the application's thumbnail in the system's App Switcher view.

This is a great feature that we take for granted and rarely notice. It does however present a privacy and security risk. Apps that display private data can leak this data via these snapshots. Then an application, such as iFunBox, can be used to collect the snapshots and gather the leaked data; even non-Jailbroken phones are vulnerable.

This data leaking is preventable be individual applications but many have not  secured against this. Some most notable applications that do not protect data are web browsers including Safari and Chrome even when in Private Browsing mode.

You can disable the system's ability to save these snapshots if you have a Jailbroken device. It is simply a matter of replacing the appropriate snapshot folders with a symbolic link to /dev/null.

The snapshots are stored in two different areas. There is a general snapshot folder and a snapshot folder for each application in its data folder.

Many application snapshots are stored in a general location at:


The rest are stored on an app by app basis in the application's data folder found at:

/var/mobile/Containers/Data/Application/<App GUID>/Library/Caches/Snapshots

Finding the application's Guid can be tricky but a good file manager, like Filza, can make this trivial.

Delete the Snapshots folder and create a symlink to /dev/null so the snapshots written to this folder are simply discarded.

The commands for creating the symbolic links can be found at

# rm -rf /var/mobile/Library/Caches/Snapshots
# ln -s /dev/null /var/mobile/Library/Caches/Snapshots
Modify these commands as needed for each application or use your file manager to create the symbol links. 

No comments:

Post a Comment