Episode Details

This story was originally published on HackerNoon at: https://hackernoon.com/i-hid-a-watermark-in-screenshots-and-ios-thought-it-was-a-password.
Exploiting iOS's secure text entry to build a watermark that only appears in screenshots, and the password-autofill bug it caused.
Check more stories related to programming at: https://hackernoon.com/c/programming. You can also check exclusive content about #ios-development, #ios-screenshot-watermark, #viral-growth-mechanics, #product-led-growth-tactics, #uikit-rendering-behavior, #mobile-app-attribution, #ios-development-hacks, #hackernoon-top-story, and more.

This story was written by: @grievouz. Learn more about this writer by checking @grievouz's about page, and for more stories, please visit hackernoon.com.

Screenshots were the app's biggest sign-up channel, so I built a watermark that's invisible in the app but appears when users take a screenshot, using iOS's secure text entry flag, which strips content from screenshots to protect passwords. It worked. It also made iOS think every chat message was a password field, breaking autocorrect and triggering "Save to Keychain" prompts. Fix: drop the UITextField entirely and set the underlying disableUpdateMask flag directly on a CALayer via reflection (with the private-API name base64-encoded to survive App Store review). Same screenshot-hiding behavior, no password heuristic firing. Lesson: iOS has way more hidden heuristics reading your view hierarchy than you'd expect, and private APIs are a recurring tax, not a one-time cost.