Privacy

    The iOS Spotlight indexing data leak

    A 2026 view of the iOS Spotlight indexing leak where sensitive app content indexed via Core Spotlight becomes searchable on the device, contrasted with indexing only non-sensitive content

    Making your app's content searchable from the iOS home screen is a nice feature: a user types a few letters in Spotlight and finds the note, message, or item inside your app. You enable it by indexing content with Core Spotlight or marking activities as searchable. But indexing is also a quiet data-leakage path: whatever you put in the search index becomes findable on the device, shows snippets in search results, and is stored in the system index on disk, and some activity options even send content to Apple for public indexing. Index the wrong thing and sensitive data ends up searchable to anyone holding the device. Here is what gets indexed and how to do it safely.

    Short answer

    iOS lets apps index their content for device search using Core Spotlight (CSSearchableItem) and searchable NSUserActivity, so the content appears in Spotlight results. Per Apple, anything you index becomes searchable on the device, displays snippets in results, and is stored in the on-device search index, and an NSUserActivity marked eligible for public indexing can be sent to Apple's server-side index. The leak is indexing sensitive content, private messages, financial or health data, personal details, which then surfaces in search to anyone with the device, and persists in the index. The fix is to not index sensitive content, mark sensitive activities as not eligible for search or public indexing, and remove indexed items on logout. Index only what is safe to be found.

    What you should know

    • Apps index content for Spotlight: via Core Spotlight and NSUserActivity.
    • Indexed content becomes searchable: findable on the device with snippets.
    • The index is stored on disk: persisting as data at rest.
    • Public indexing can reach Apple: an activity option sends content server-side.
    • Index only non-sensitive content: and remove items on logout.

    What gets indexed?

    Content you explicitly hand to the search system. There are two main paths. Core Spotlight lets you create searchable items, CSSearchableItem, with attributes like a title, description, and other metadata, and add them to the on-device index so they appear when the user searches; this is how an app makes its internal content, notes, messages, records, findable from Spotlight. The other path is NSUserActivity: when you mark an activity as eligible for search, its content can be indexed too, and if you additionally mark it eligible for public indexing, that signals the content can be added to Apple's server-side index, beyond the device. Both are opt-in, you choose what to index, which is exactly why the leak is a developer decision rather than a default behavior: nothing forces sensitive content into the index, but it is easy to index broadly, or to index a screen's content without thinking about whether it is sensitive.

    Where does the leak happen?

    In several places once content is indexed. The table lists them.

    SurfaceExposure
    Device Spotlight searchIndexed content is findable, with snippets shown
    On-device search indexContent persists in the index, as data at rest
    Public indexingAn activity eligible for public indexing can reach Apple
    Handoff and activitiesActivity content can move to the user's other devices
    Shared device in useAnyone using the device can search it

    The most direct exposure is that indexed content is searchable on the device and shows snippets in results, so anyone using the device, including someone other than the owner, can surface it by typing a query, which matters for private messages, financial figures, or health information. The index is also stored on disk, so indexed content joins the data-at-rest surface and persists even after the in-app view is gone. Marking an activity eligible for public indexing extends the reach to Apple's server-side index, and NSUserActivity can also drive Handoff, moving activity content to the user's other devices. Each is a place sensitive indexed content can show up beyond the in-app screen you intended.

    How do you index safely?

    Index only non-sensitive content, and control activity options and lifecycle. Start by deciding what is safe to be found in device search: index content that the user would expect and want to be searchable, and do not index sensitive content, private communications, financial or health data, personal identifiers, or anything that should not appear in a search anyone with the device can run. For NSUserActivity, mark sensitive activities as not eligible for search, and be especially careful with public indexing, only marking content eligible for public indexing when it is genuinely public, since that can send it to Apple's index. Manage the lifecycle: remove indexed items when they no longer apply, and clear a user's indexed content on logout so it does not linger in the index or surface for the next person using the device. Treat the search index as part of your data-at-rest footprint, since it persists on disk. The principle is that indexing is publishing to device search, so only publish what is safe to be found, and clean up what should no longer be there.

    What to watch out for

    The first trap is indexing sensitive content for searchability, which then surfaces in Spotlight to anyone with the device; index only non-sensitive content. The second is marking activities eligible for public indexing without realizing it can send content to Apple's server-side index. The third is leaving a user's indexed items in place after logout, where they persist and can surface for the next user. Indexing is something you configure in your app, so a pre-submission scan such as PTKD.com (https://ptkd.com), which reads the compiled IPA against OWASP MASVS, assesses your app's data-at-rest and privacy posture, the storage surface the search index belongs to, while the decision of what to index is yours to make in code.

    What to take away

    • iOS apps index content for Spotlight with Core Spotlight (CSSearchableItem) and searchable NSUserActivity, and indexed content becomes searchable, shows snippets, and persists in the on-device index.
    • The leak is indexing sensitive content, which then surfaces in device search to anyone with the device, persists as data at rest, and, with public indexing, can reach Apple's server-side index.
    • Index only non-sensitive content, mark sensitive activities as not eligible for search or public indexing, and remove indexed items on logout.
    • Treat the search index as part of your data-at-rest footprint, and use a pre-submission scan such as PTKD.com to assess your storage and privacy posture.
    • #ios
    • #spotlight
    • #core-spotlight
    • #nsuseractivity
    • #data-leakage
    • #privacy
    • #app-security

    Frequently asked questions

    How does iOS index my app's content for search?
    Through two opt-in paths. Core Spotlight lets you create searchable items (CSSearchableItem) with attributes like a title and description and add them to the on-device index, so your app's internal content becomes findable from Spotlight. NSUserActivity is the other path: marking an activity eligible for search lets its content be indexed, and marking it eligible for public indexing signals it can be added to Apple's server-side index. Both are choices you make, which is why indexing sensitive content is a developer decision rather than a default behavior.
    What is the data-leak risk of Spotlight indexing?
    Indexed content becomes searchable on the device and shows snippets in results, so anyone using the device, including someone other than the owner, can surface it by typing a query, which matters for private messages, financial figures, or health data. The index is also stored on disk, so indexed content joins your data-at-rest surface and persists after the in-app view is gone. Public indexing can extend the reach to Apple's server-side index, and NSUserActivity can drive Handoff to the user's other devices.
    What is eligibleForPublicIndexing?
    It is an NSUserActivity option that signals the activity's content can be added to Apple's server-side, public search index, beyond just the user's device. That extends the reach of the content well past the local device, so you should only mark content eligible for public indexing when it is genuinely public and meant to be discoverable broadly. Marking sensitive or user-private content eligible for public indexing is a leak, so for anything sensitive, mark the activity as not eligible for search and not eligible for public indexing.
    How do I index content without leaking sensitive data?
    Index only content that is safe to be found in device search, and skip sensitive content like private communications, financial or health data, and personal identifiers. For NSUserActivity, mark sensitive activities as not eligible for search, and be careful with public indexing. Manage the lifecycle: remove indexed items when they no longer apply, and clear a user's indexed content on logout so it does not linger or surface for the next person using the device. Treat the index as part of your data-at-rest footprint since it persists on disk.
    Does a scan check Spotlight indexing?
    Indexing is something you configure in your app code, deciding what content to add to the search index, so the choice of what to index is yours. A pre-submission scan such as PTKD.com reads the compiled IPA against OWASP MASVS and assesses your app's data-at-rest and privacy posture, which is the storage surface the on-device search index belongs to. That helps you think about where sensitive data persists, while the specific decision to exclude sensitive content from indexing and to clear items on logout is implemented in your code.

    Keep reading

    Scan your app in minutes

    Upload an APK, AAB, or IPA. PTKD returns an OWASP-aligned report with copy-paste fixes.

    Try PTKD free