iOS PDF SDK Security

PSPDFKit has been implemented using the latest and best security practices and is used in security-conscious applications.

• PSPDFKit supports iOS Data Protection.

• Encrypted PDFs are supported and cannot be accessed without the matching password.

• PDF passwords are never persisted.

• AESCryptoDataProvider allows you to access encrypted documents by decrypting only the parts that are required to render the page. The parts are dynamically decrypted in memory instead of the entire file being decrypted.

• Document can be initialized with a Data object for custom encryption.

• Signatures are saved in the secure keychain.

• Customers are using PSPDFKit with GOOD, Mobile Iron, and AirWatch.

• Code commits are always peer reviewed and have to pass our large test case set before being merged.

• We use a large set of compiler warnings and the latest version of Clang Analyzer to detect and fix potential problems before the product is released.

Permissions

PSPDFKit has optional features, including adding images or recording sound annotations. If you allow these in your app, make sure to set the required permissions in your Info.plist file.

Security Exceptions

Client applications can implement a custom ApplicationPolicy class that manages security-related callbacks. By default, PSPDFKit will use a standard implementation that allows all special actions. However, you can modify this if you’re in a restricted environment. The following security actions are currently tracked:

public let .openIn: PolicyEvent
public let .print: PolicyEvent
public let .email: PolicyEvent
public let .message: PolicyEvent
public let .quickLook: PolicyEvent
public let .audioRecording: PolicyEvent
public let .camera: PolicyEvent
public let .photoLibrary: PolicyEvent
public let .pasteboard: PolicyEvent // includes Copy/Paste
public let .submitForm: PolicyEvent
public let .network: PolicyEvent

PSPDF_EXPORT PSPDFPolicyEvent const PSPDFPolicyEventOpenIn;
PSPDF_EXPORT PSPDFPolicyEvent const PSPDFPolicyEventPrint;
PSPDF_EXPORT PSPDFPolicyEvent const PSPDFPolicyEventEmail;
PSPDF_EXPORT PSPDFPolicyEvent const PSPDFPolicyEventMessage;
PSPDF_EXPORT PSPDFPolicyEvent const PSPDFPolicyEventQuickLook;
PSPDF_EXPORT PSPDFPolicyEvent const PSPDFPolicyEventAudioRecording;
PSPDF_EXPORT PSPDFPolicyEvent const PSPDFPolicyEventCamera;
PSPDF_EXPORT PSPDFPolicyEvent const PSPDFPolicyEventPhotoLibrary;
PSPDF_EXPORT PSPDFPolicyEvent const PSPDFPolicyEventPasteboard; // includes Copy/Paste
PSPDF_EXPORT PSPDFPolicyEvent const PSPDFPolicyEventSubmitForm;
PSPDF_EXPORT PSPDFPolicyEvent const PSPDFPolicyEventNetwork;

class DisallowCopyApplicationPolicy: NSObject, ApplicationPolicy {

    func hasPermission(forEvent event: PolicyEvent, isUserAction: Bool) -> Bool {
        if event == .pasteboard {
            return false
        }
        return true
    }

}

@interface PSCDisallowCopyApplicationPolicy : NSObject <PSPDFApplicationPolicy> @end

@implementation PSCDisallowCopyApplicationPolicy

- (BOOL)hasPermissionForEvent:(PSPDFPolicyEvent)event isUserAction:(BOOL)isUserAction {
    if ([event isEqualToString:PSPDFPolicyEventPasteboard]) {
        return NO;
    }
    return YES;
}

@end

You can register a custom ApplicationPolicy instance by calling SDK.setLicenseKey(_:options:). PSPDFKit expects your instance to be set in the options dictionary under the SDK.Setting.applicationPolicy key.

Cache

Rendered pages will be cached to disk by default to ensure fast display and browsing. The disk cache can be customized on a per-document level via the useDiskCache property and for a data provider, and it can also be disabled globally by setting its allowedDiskSpace to 0.

Please refer to the rendering PDF pages guide for more details.

There are also specific hooks to add a custom crypto layer to the disk cache. See decryptionHelper and encryptionHelper.

Implementing a custom crypto layer might decrease performance slightly, but it’s hardly noticeable on modern devices. PSPDFKit Catalog contains sample code using the open source RNCryptor.

Security-Related Considerations

• PSPDFKit might keep parts of extracted text, annotations, or passwords in memory to perform the requested operations. If rogue code has access to your application’s memory, there’s nothing you can do and the device has already been compromised. This could happen if a device is jailbroken.

• Taking a screenshot cannot be prevented on iOS. There’s a UIApplicationUserDidTakeScreenshotNotification notification that’s sent when the user takes a screenshot using the Lock+Home Button combination, however, there are other ways to make screenshots that won’t emit such a notification (like using Xcode’s Device Manager).

• Using Document with data in memory using DataContainerProvider will only work for documents that are small enough to fit into the available process memory space. This is device and state dependent. When saving annotations, the NSData object is mutated, and you can use the document delegate pdfDocumentDidSave(_:) to save the data object back to your (encrypted) disk store. However, it’s strongly recommended to use AESCryptoDataProvider or a custom implementation of DataProviding to avoid loading the entire file in memory.

Network Access

PSPDFKit only performs network access when required for following actions:

• Submitting a PDF form

• Accessing images/videos/audio from the gallery (www.youtube.com, img.youtube.com)

• Looking up text in Wikipedia (%@.m.wikipedia.org)

• Via the inline web browser if a URL was tapped (WebViewController)

• Adding or verifying digital signatures:

  • Verifying the timestamp of a digital signature (via Botan)

  • Adding a timestamp to a digital signature (when SigningConfiguration.timeStampSource is set while signing)

  • Adding LTV information when signing a document (if SigningConfiguration.isLongTermValidationEnabled is enabled while signing)

  • Checking the revocation status for a digital signature (in PDFSignatureValidator and SignedFormElementViewController)

Production license verification happens offline and does not ping our servers.

Data Collection Practices

PSPDFKit doesn’t collect any data from production applications. Refer to our Privacy Policy for more information.

When using PSPDFKit Instant, user data such as the user ID and name (i.e. the annotation author name) will be sent to the Instant server. User photos can be uploaded as well if the user is creating image annotations, and user audio recordings can be uploaded when sound annotations are used. Since the Instant server is self-hosted, this data never reaches any PSPDFKit servers.

Copy Text

PDF documents have a flag that indicates if copying text is allowed, which is reflected in the DocumentPermissions.extract flag in the permissions property of Document. This is a read-only property that cannot be changed.

To disable copying text when a PDF allows it, implement the ApplicationPolicy protocol in a custom class as explained above.

Cryptographic Libraries

PSPDFKit for iOS uses the Apple-provided CommonCrypto library for AES-256 decryption, licensing, Digital Signatures, and some platform-specific functionality. In addition, it uses the Botan library for licensing and Digital Signatures, and it also relies on a few document encryption routines provided by the PDFium library.

For the complete list of third-party libraries used in PSPDFKit for iOS, check out the acknowledgements.