iOS PDF SDK Security
PSPDFKit has been implemented using the latest and best security practices and is used in security-conscious applications.
- PSPDFKit supports iOS Data Protection.
- Encrypted PDFs are supported and cannot be accessed without the matching password.
- PDF passwords are never persisted.
- The PSPDFAESCryptoDataProvider allows you to access encrypted documents by decrypting only the parts that are required to render the page. The parts are dynamically decrypted in memory instead of the entire file being decrypted.
- PSPDFDocument can be initialized with an NSData object for custom encryption.
- Signatures are saved in the secure keychain.
- Customers are using PSPDFKit with GOOD, Mobile Iron, and AirWatch.
- Code commits are always peer reviewed and have to pass our large test case set before being merged.
- We use a large set of compiler warnings and the latest version of Clang Analyzer to detect and fix potential problems before the product is released.
Permissions
PSPDFKit has optional features such as adding images or recording sound annotations. If you allow these in your app, make sure to set the required permissions in your Info.plist file.
Security Exceptions
Client applications can implement a custom PSPDFApplicationPolicy class that manages security-related callbacks. By default, PSPDFKit will use a standard implementation that allows all special actions. However, you can modify this if you are in a restricted environment. The following security actions are currently tracked:
```swift
public let PSPDFPolicyEventOpenIn: String
public let PSPDFPolicyEventPrint: String
public let PSPDFPolicyEventEmail: String
public let PSPDFPolicyEventMessage: String
public let PSPDFPolicyEventQuickLook: String
public let PSPDFPolicyEventAudioRecording: String
public let PSPDFPolicyEventCamera: String
public let PSPDFPolicyEventPhotoLibrary: String
public let PSPDFPolicyEventPasteboard: String // includes Copy/Paste
public let PSPDFPolicyEventSubmitForm: String
public let PSPDFPolicyEventNetwork: String
```

```objc
PSPDF_EXPORT NSString *const PSPDFPolicyEventOpenIn;
PSPDF_EXPORT NSString *const PSPDFPolicyEventPrint;
PSPDF_EXPORT NSString *const PSPDFPolicyEventEmail;
PSPDF_EXPORT NSString *const PSPDFPolicyEventMessage;
PSPDF_EXPORT NSString *const PSPDFPolicyEventQuickLook;
PSPDF_EXPORT NSString *const PSPDFPolicyEventAudioRecording;
PSPDF_EXPORT NSString *const PSPDFPolicyEventCamera;
PSPDF_EXPORT NSString *const PSPDFPolicyEventPhotoLibrary;
PSPDF_EXPORT NSString *const PSPDFPolicyEventPasteboard; // includes Copy/Paste
PSPDF_EXPORT NSString *const PSPDFPolicyEventSubmitForm;
PSPDF_EXPORT NSString *const PSPDFPolicyEventNetwork;
```

```swift
class DisallowCopyApplicationPolicy: NSObject, PSPDFApplicationPolicy {
    func hasPermission(forEvent event: String, isUserAction: Bool) -> Bool {
        if event == PSPDFPolicyEventPasteboard {
            return false
        }
        return true
    }
}
```

```objc
@interface PSCDisallowCopyApplicationPolicy : NSObject <PSPDFApplicationPolicy>
@end

@implementation PSCDisallowCopyApplicationPolicy

- (BOOL)hasPermissionForEvent:(NSString *)event isUserAction:(BOOL)isUserAction {
    if ([event isEqualToString:PSPDFPolicyEventPasteboard]) {
        return NO;
    }
    return YES;
}

@end
```
You can register a custom PSPDFApplicationPolicy instance by calling +[PSPDFKitGlobal setLicenseKey:options:]. PSPDFKit expects your instance to be set in the options dictionary under the PSPDFApplicationPolicyKey key.
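For a restricted environment, a deny-by-default policy is safer than listing the events to block. The following is an added example, not PSPDFKit sample code: it allows only an explicit set of events and registers the policy as described above. The names PSCAllowlistApplicationPolicy and PSCRegisterRestrictedPolicy, and the choice of allowed events, are assumptions made for illustration.

```objc
#import <PSPDFKit/PSPDFKit.h>

// Added example (not PSPDFKit sample code). PSCAllowlistApplicationPolicy and
// PSCRegisterRestrictedPolicy are hypothetical names.
@interface PSCAllowlistApplicationPolicy : NSObject <PSPDFApplicationPolicy>
- (instancetype)initWithAllowedEvents:(NSSet<NSString *> *)allowedEvents;
@end

@implementation PSCAllowlistApplicationPolicy {
    NSSet<NSString *> *_allowedEvents;
}

- (instancetype)initWithAllowedEvents:(NSSet<NSString *> *)allowedEvents {
    if ((self = [super init])) {
        _allowedEvents = [allowedEvents copy];
    }
    return self;
}

- (BOOL)hasPermissionForEvent:(NSString *)event isUserAction:(BOOL)isUserAction {
    // Deny by default: an event that is not on the allowlist is refused, so an
    // event type this code does not know about cannot slip through.
    BOOL allowed = [_allowedEvents containsObject:event];
    if (!allowed) {
        // Record refusals so a blocked workflow can be traced to the policy.
        NSLog(@"Application policy denied %@ (user action: %@)",
              event, isUserAction ? @"YES" : @"NO");
    }
    return allowed;
}

@end

// Call this where the app sets its PSPDFKit license key.
static void PSCRegisterRestrictedPolicy(NSString *licenseKey) {
    // Assumed policy for this example: content may be brought into a document
    // (camera, photo library, audio recording), but nothing may leave the app
    // (Open In, print, email, message, Quick Look, pasteboard, form submission
    // and network access are all refused).
    NSSet<NSString *> *allowedEvents = [NSSet setWithObjects:
        PSPDFPolicyEventCamera,
        PSPDFPolicyEventPhotoLibrary,
        PSPDFPolicyEventAudioRecording,
        nil];
    PSCAllowlistApplicationPolicy *policy =
        [[PSCAllowlistApplicationPolicy alloc] initWithAllowedEvents:allowedEvents];
    [PSPDFKitGlobal setLicenseKey:licenseKey
                          options:@{PSPDFApplicationPolicyKey: policy}];
}
```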
Cache
Rendered pages will be cached to disk by default to ensure fast display and browsing. The disk cache can be customized on a per-document level via the useDiskCache property and for a data provider, and it can also be disabled globally by setting its allowedDiskSpace to 0.
Please refer to the Rendering PDF Pages guide for more details.
There are also specific hooks to add a custom crypto layer to the disk cache. See decryptionHelper and encryptionHelper.
Implementing a custom crypto layer might decrease performance slightly, but this is hardly noticeable on modern devices. PSPDFKit Catalog contains sample code using the open source RNCryptor.
Security-Related Considerations
- PSPDFKit might keep parts of extracted text, annotations, or passwords in memory to perform the requested operations. If rogue code has access to your application’s memory, there is nothing you can do and the device has already been compromised. This could happen if a device is jailbroken.
- Taking a screenshot cannot be prevented on iOS. There is a UIApplicationUserDidTakeScreenshotNotification notification that is sent when the user takes a screenshot using the Lock+Home Button combination, however, there are other ways to make screenshots that won’t emit such a notification (like using Xcode’s Device Manager).
- Using PSPDFDocument with data in memory using PSPDFDataContainerProvider will only work for documents that are small enough to fit into the available process memory space. This is device and state dependent. When saving annotations, the NSData object is mutated, and you can use the document delegate pdfDocumentDidSave: to save the data object back to your (encrypted) disk store. However, it is strongly recommended to use PSPDFAESCryptoDataProvider or a custom implementation of PSPDFDataProviding to avoid loading the entire file in memory.
Network Access
PSPDFKit only performs network access when required for the following actions:
- Submitting a PDF form
- Accessing images/videos/audio from the gallery (www.youtube.com, img.youtube.com)
- Looking up text in Wikipedia (%@.m.wikipedia.org)
- Using iOS Simulator
- Simple analytics for demo, nightly, and beta builds/licenses (pspdfkit.com, pspdfkit-license-service-%u.com)
- Via the inline web browser if a URL was tapped (PSPDFWebViewController)
- Verifying the timestamp of a digital signature (via Botan)
Production license verification happens offline and does not ping our servers.
Data Collection Practices
PSPDFKit doesn’t collect any data from production applications. See the PSPDFKit SDK Privacy Practices sheet for more information.
When using PSPDFKit Instant, user data such as the user ID and name (i.e. the annotation author name) will be sent to the Instant server. User photos can be uploaded as well if the user is creating image annotations, and user audio recordings can be uploaded when sound annotations are used. Since the Instant server is self-hosted, this data never reaches any PSPDFKit servers.
Copy Text
PDF documents have a flag that indicates if copying text is allowed, which is reflected in the PSPDFDocumentPermissionsExtract flag in the permissions property of PSPDFDocument. This is a read-only property that cannot be changed.
To disable copying text when the PDF allows it, implement the PSPDFApplicationPolicy protocol in a custom class as explained above.
Cryptographic Libraries
PSPDFKit for iOS uses the Apple-provided CommonCrypto library for AES-256 decryption, licensing, Digital Signatures, and some platform-specific functionality. In addition, it uses the Botan library for licensing and Digital Signatures, and it also relies on a few document encryption routines provided by the PDFium library.
For the complete list of third-party libraries used in PSPDFKit for iOS, check out the acknowledgements.