iOS Sensitive data stored in keyboard cache
iOS Sensitive data stored in keyboard cache
Description
iOS stores almost all non-numeric words in the keyboard cache. Sensitive information like login or passwords may leak if the auto-correction the feature is not disabled.
Recommendation
Keyboard caching is caused by the UITextInputTraits protocol supported by UITextField, UITextView and UISearchBar.
-
var autocorrectionType: UITextAutocorrectionTypedetermines whether auto-correction is enabled during typing. When auto-correction is enabled, the text object tracks unknown words and suggests suitable replacements, replacing the typed text automatically unless the user overrides the replacement. The default value of this property isUITextAutocorrectionTypeDefault, which for most input methods enables auto-correction. -
var secureTextEntry: BOOLdetermines whether text copying and caching are disabled and hides the text being entered forUITextField. The default value of this property isNO.
textInput.autocorrectionType = UITextAutocorrectionTypeNo;
textInput.secureTextEntry = YES;
Links
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
- OWASP: Finding Sensitive Data in Keyboard Cache
Standards
- OWASP_MASVS_L1:
- MSTG_STORAGE_5
- OWASP_MASVS_L2:
- MSTG_STORAGE_5
- PCI_STANDARDS:
- REQ_2_2
- REQ_3_2
- REQ_3_3
- REQ_3_5
- REQ_6_2