Spotlight & Handoff Suppression

Plan	Platforms	MASVS
Team	iOS	MASVS-STORAGE-2, MASVS-PLATFORM-3

Overview

Spotlight & Handoff Suppression prevents your application's activities and content from being indexed for iOS Spotlight search and from being shared across devices via Handoff. When enabled, the control transparently forces all NSUserActivity eligibility flags to false and no-ops Core Spotlight indexing APIs, ensuring that sensitive application data never leaks into the system search index or appears on other devices signed into the same iCloud account.

This control is essential for healthcare, financial, enterprise, and any application where user activities or searchable content should remain strictly private and confined to the device where the app is actively running.

How It Works

The control operates at runtime by intercepting two iOS API families:

NSUserActivity Hardening

When your app creates or updates an NSUserActivity instance (used for Spotlight, Handoff, Siri Suggestions, and Shortcuts), the control automatically:

Forces eligibleForSearch → false (prevents Spotlight indexing)
Forces eligibleForHandoff → false (prevents cross-device continuity)
Forces eligibleForPublicIndexing → false (prevents Apple's cloud search index)
Forces eligibleForPrediction → false (prevents Siri Suggestions, iOS 12+)

These flags are stripped before the activity becomes current, ensuring no data reaches Apple's indexing infrastructure.

Core Spotlight No-Op

When your app attempts to directly index content via CSSearchableIndex:

indexSearchableItems:completionHandler: → no-op (completion handler called with nil error)
beginIndexBatch → no-op
endIndexBatchWithClientState:completionHandler: → no-op (completion handler called with nil error)

Important: Deletion methods (deleteSearchableItemsWithIdentifiers:, deleteAllSearchableItemsWithCompletionHandler:) are not intercepted, allowing a previously-installed app to purge its legacy index when this control is enabled in an update.

Threats Mitigated

Threat	Mitigation
System Search Leakage	Prevents sensitive strings (account numbers, patient names, document titles) from appearing in iOS Spotlight search results where unauthorized users with device access could discover them
Cross-Device Activity Sharing	Blocks Handoff from broadcasting user activities to other devices signed into the same iCloud account (Mac, iPad, iPhone), reducing the attack surface if one device is compromised
Siri Suggestions Exposure	Prevents sensitive app activities from appearing in Siri Suggestions on the lock screen, Spotlight, or Safari
Cloud Search Index	Blocks Apple's optional public indexing, ensuring app content never reaches Apple's servers

Use Cases

This control is recommended for applications where:

User activities contain sensitive identifiers: Banking apps where search results might reveal account numbers or transaction details
Document titles are confidential: Healthcare apps indexing patient records by name
Cross-device sharing is a policy violation: Enterprise apps that must not allow Handoff to personal devices
App usage patterns are sensitive: Legal, HR, or investigative applications where even the existence of certain activities is confidential

Caveats

Legitimate Feature Impact

Applications that intentionally use Spotlight search or Handoff must carefully evaluate this control:

Productivity apps that rely on Spotlight to find documents, notes, or emails will have this functionality disabled
Navigation and food delivery apps that use Handoff to continue activities on other devices will lose cross-device continuity
Content apps (news, shopping, media) that index articles or products for user convenience will have no searchable content

Recommendation: Enable this control only for applications where privacy requirements outweigh the user experience benefits of Spotlight and Handoff. For mixed-sensitivity apps, consider segmenting content and enabling the control conditionally per-session or per-user role.

Known Limitations

SiriKit Direct Donations: INInteraction.donate() and INIntent.donate() (used for Siri Shortcuts) bypass NSUserActivity and are out of scope for this control. Apps that donate intents directly to SiriKit will still appear in Siri Suggestions.

NSUserActivity Subclass Overrides: If your app or a third-party library subclasses NSUserActivity and overrides -becomeCurrent and the four setEligibleFor*: setters without calling super, the control cannot intercept those methods. This is a rare edge case but a documented limitation.

CSImportExtension Out-of-Process: Spotlight import extensions (CSImportExtension) run in a separate process managed by iOS and are not covered by in-app runtime controls.

Support Matrix

Platform	Minimum Version	Availability
iOS	iOS 12.0+	✅ Team, Enterprise
Android	—	❌ Not applicable (Android has separate content indexing APIs)

iOS 12.0+ Requirement: The control requires eligibleForPrediction (iOS 12.0+) for comprehensive coverage. Deployment targets below iOS 12.0 will omit Siri Suggestions suppression but Spotlight/Handoff blocking will still function on iOS 11.

How to Enable the Control

Navigate to Preventative Controls from the AppTego portal, and expand the Data Sharing Protection section. Under this section you will find the Spotlight And Handoff Suppression control. Click Enable to enable it for the next build or for it to be applied with a live push (if enabled).

API Configuration Example

{
  "SpotlightIndexingPrevention": {
    "protection": true,
    "detection": false
  }
}

protection: true — Force all eligibility flags to false and no-op Core Spotlight indexing (recommended for sensitive apps)
protection: false — Allow normal Spotlight and Handoff behavior
detection — Currently unused; included for future detection capabilities

Plan Requirement

Plan	Available
Free	❌
Team	✅
Enterprise	✅