
    iOS Handoff and NSUserActivity data leaks

    A 2026 view of iOS Handoff transferring an NSUserActivity payload to a user's other devices, contrasted with a minimal payload that carries only a reference for continuation

    Handoff is the Continuity feature that lets a user start something on their iPhone and pick it up on their iPad or Mac; the activity follows them across their devices. You implement it with NSUserActivity, the same object that drives Spotlight search and Siri suggestions, and that is where a data consideration hides: an activity marked eligible for Handoff is transmitted to the user's other devices, along with whatever payload you attached to it. If that payload carries more than it should, you have sent sensitive data off the device. The fix is to be deliberate about what an activity carries and which activities are eligible. Here is what Handoff is, where data can travel, and how to use it safely.

    Short answer

    Handoff is an iOS Continuity feature that transfers an in-progress activity to a user's other nearby devices, implemented with NSUserActivity. Per Apple, an activity marked eligible for Handoff is sent to the user's other devices along with its payload, the userInfo dictionary and any associated URL, so whatever you put in that payload travels off the originating device. The consideration is to keep sensitive data out of activity payloads, mark only appropriate activities eligible for Handoff, and not treat an activity as a place to carry secrets. Handoff occurs between a user's own devices through Apple's mechanism, but minimizing the activity payload is still the right practice, so that what is transferred is only what continuation needs. Be deliberate about what each activity carries and which are eligible.

    What you should know

    • Handoff transfers an activity across devices: via NSUserActivity.
    • The activity payload travels with it: the userInfo and any URL.
    • NSUserActivity is multi-purpose: it also drives search and Siri suggestions.
    • Keep sensitive data out of the payload: carry only what continuation needs.
    • Mark eligibility deliberately: only appropriate activities for Handoff.

    What is Handoff and NSUserActivity?

    Handoff is the part of Continuity that lets an activity move between a user's devices, and NSUserActivity is how you describe that activity. When the user is doing something in your app, you create an NSUserActivity representing it, give it a type and a payload, and mark how it can be used: eligible for Handoff, for search, or for public indexing. If it is eligible for Handoff, the system makes it available on the user's other nearby devices signed into the same account, so they can continue where they left off, and to do that it transfers the activity, including its userInfo dictionary and any associated web page URL, to those devices. The same NSUserActivity object is reused across several iOS features (Handoff continuation, Spotlight search indexing, and Siri suggestions), so the eligibility flags you set determine where the activity, and its payload, can go. The payload is the thing to be careful with, because whatever you attach is what gets carried wherever the activity is eligible to travel.

    Where can data travel?

    Wherever the activity is eligible to go, carrying its payload. The table lists the paths.

    Path | What is involved
    Handoff to other devices | The activity payload transferred to the user's devices
    userInfo payload | The dictionary attached to the activity
    Associated web page URL | A URL that can open on the continuing device
    Activity persistence | An activity restored later carries its payload
    Search and public indexing | Other eligibility flags exposing activity content

    The Handoff path transfers the activity payload to the user's other devices, so the userInfo dictionary and any associated URL are what move; if those carry sensitive data beyond what continuation requires, that data travels off the originating device. The associated web page URL is worth noting because it can open on the continuing device, including in a browser if the app is not installed there. Activities can also be persisted and restored later, so a payload lives beyond the moment. And because the same NSUserActivity can be marked eligible for search and public indexing, the other flags expose the activity's content to the on-device search index and, with public indexing, Apple's server-side index, which are separate exposure paths from Handoff. The common factor is the activity payload: it goes wherever you make the activity eligible to go.

    How do you use it safely?

    Minimize the payload, and set eligibility deliberately. Put only what continuation genuinely needs into an activity's userInfo (an identifier or reference that lets the other device reconstruct the state) rather than embedding sensitive data directly, so that even as the payload travels it carries the minimum. Keep secrets (tokens, credentials, keys) out of activities entirely, since an activity is not a secure transport for them. Mark an activity eligible for Handoff only when continuing it on another device makes sense, and similarly set the search and public-indexing flags deliberately rather than enabling them by default, since each is a different exposure path; for a sensitive activity, leave the eligibility flags off. Be careful with the associated web page URL, ensuring it does not carry sensitive parameters, since it can open on another device. Invalidate or update activities when the underlying state changes so a stale payload is not continued. The principle is that an NSUserActivity should carry the least information needed to resume, and be eligible to travel only where it should, so Handoff stays a convenience rather than a data-leak path.
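
    The minimal-payload practice described above, shown next to the overshared form it replaces, as an added Swift example that is not from the original page. The activity type, the key name, the host notes.example.com, and the function names are hypothetical.

```swift
import Foundation

// Hypothetical activity type and key name for this example; the activity
// type must also be listed under NSUserActivityTypes in Info.plist.
let editDocumentActivityType = "com.example.notes.edit-document"
let documentIDKey = "documentID"

// Overshared: everything in userInfo and the URL query travels with Handoff.
func makeOversharedActivity(id: UUID, body: String, token: String) -> NSUserActivity {
    let activity = NSUserActivity(activityType: editDocumentActivityType)
    activity.userInfo = [documentIDKey: id.uuidString, "body": body, "sessionToken": token]
    activity.webpageURL = URL(string: "https://notes.example.com/doc/\(id.uuidString)?token=\(token)")
    activity.isEligibleForHandoff = true
    activity.isEligibleForSearch = true
    activity.isEligibleForPublicIndexing = true
    return activity
}

// Minimal: a reference only, with every eligibility flag set explicitly.
func makeMinimalActivity(id: UUID, allowHandoff: Bool) -> NSUserActivity {
    let activity = NSUserActivity(activityType: editDocumentActivityType)
    activity.userInfo = [documentIDKey: id.uuidString]
    activity.requiredUserInfoKeys = [documentIDKey]
    activity.webpageURL = sanitizedFallbackURL(for: id)
    activity.isEligibleForHandoff = allowHandoff
    activity.isEligibleForSearch = false
    activity.isEligibleForPublicIndexing = false
    return activity
}

// Fallback URL built with no query or fragment, so nothing sensitive rides along.
func sanitizedFallbackURL(for id: UUID) -> URL? {
    var components = URLComponents()
    components.scheme = "https"
    components.host = "notes.example.com"  // hypothetical host
    components.path = "/doc/\(id.uuidString)"
    return components.url
}

// Continuing device: accept only the expected type and a well-formed ID, then
// load the document from the app's own store after its normal access checks.
func documentID(from activity: NSUserActivity) -> UUID? {
    guard activity.activityType == editDocumentActivityType,
          let raw = activity.userInfo?[documentIDKey] as? String else { return nil }
    return UUID(uuidString: raw)
}
```

    Call becomeCurrent() on the minimal activity while the document is on screen, and invalidate() once the document is closed or deleted so a stale payload is not continued.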

    What to watch out for

    The first trap is putting sensitive data directly in an activity's userInfo, which then travels with Handoff to the user's other devices; carry a reference and minimize the payload. The second is enabling search or public indexing on activities by default, exposing their content through those separate paths. The third is a web page URL that carries sensitive parameters and can open elsewhere. NSUserActivity usage is something you configure in your app, so a pre-submission scan such as PTKD.com (https://ptkd.com), which reads the compiled IPA against OWASP MASVS, assesses your app's data handling and privacy posture, while the choice of what an activity carries and where it is eligible is yours to make in code.

    What to take away

    • Handoff transfers an in-progress activity to a user's other devices via NSUserActivity, carrying the activity's userInfo payload and any associated URL off the originating device.
    • The same NSUserActivity drives Handoff, search, and Siri suggestions, so its eligibility flags and payload determine where the activity and its data can travel.
    • Use it safely by minimizing the payload to what continuation needs, keeping secrets out of activities, setting eligibility flags deliberately, and being careful with the associated URL.
    • Use a pre-submission scan such as PTKD.com to assess your app's data handling and privacy posture, and keep activity payloads minimal in your code.

    Frequently asked questions

    What is Handoff and how does NSUserActivity relate to it?
    Handoff is the Continuity feature that lets an activity move between a user's devices, and NSUserActivity is how you describe that activity. You create an activity representing what the user is doing, give it a type and a payload, and mark how it can be used. If it is eligible for Handoff, the system makes it available on the user's other nearby devices signed into the same account, transferring the activity, including its userInfo dictionary and any associated URL, so they can continue. The same NSUserActivity also drives Spotlight search and Siri suggestions.
    What data travels during Handoff?
    The activity's payload. When an activity is eligible for Handoff, its userInfo dictionary and any associated web page URL are transferred to the user's other devices, so whatever you attached is what moves. If the payload carries sensitive data beyond what continuation requires, that data travels off the originating device. The associated URL is worth noting because it can open on the continuing device, including in a browser if your app is not installed there, so it should not carry sensitive parameters. The payload goes wherever you make the activity eligible to go.
    Is Handoff a security risk if it's between my own devices?
    Handoff occurs between a user's own devices through Apple's Continuity mechanism, so it is not an open broadcast, but minimizing the activity payload is still the right practice. You should not treat an activity as a secure transport for secrets, and you should carry only what continuation needs, because the same NSUserActivity can also be marked eligible for search and public indexing, which are separate exposure paths, and because a minimal payload is simply better hygiene. Keep tokens, credentials, and keys out of activities entirely, and embed a reference rather than sensitive data.
    How do I use NSUserActivity safely?
    Minimize the payload and set eligibility deliberately. Put only what continuation needs into userInfo, such as an identifier the other device can use to reconstruct state, rather than embedding sensitive data, and keep secrets out of activities entirely. Mark an activity eligible for Handoff only when continuing it elsewhere makes sense, and set the search and public-indexing flags deliberately rather than by default, since each is a different exposure path; for a sensitive activity, leave them off. Be careful with the associated URL, and invalidate activities when the underlying state changes.
    Does a scan check NSUserActivity usage?
    NSUserActivity configuration (what an activity carries and which eligibility flags it has) is something you set in your app code, so the choices are yours to make. A pre-submission scan such as PTKD.com reads the compiled IPA against OWASP MASVS and assesses your app's data handling and privacy posture, which is the broader surface activity payloads and their exposure paths belong to. That helps you think about where data flows, while the specific practice of minimizing activity payloads, keeping secrets out, and setting eligibility deliberately is implemented in your code.
