iOS Sensitive data stored in keyboard cache

iOS Sensitive data stored in keyboard cache

Risk: low

Description

iOS stores almost all non-numeric words in the keyboard cache. Sensitive information like login or passwords may leak if the auto-correction the feature is not disabled.

Recommendation

Keyboard caching is caused by the UITextInputTraits protocol supported by UITextField, UITextView and UISearchBar.

To prevent keyboard caching from leaking input of sensitive fields, consider:

• autocorrectionType determines whether auto-correction is enabled during typing. The default value of this property is UITextAutocorrectionTypeDefault, which for most input methods enables auto-correction.

let textField = UITextField(frame: CGRect(x: 0, y: 0, width: 200, height: 40))
textField.autocorrectionType = .no // Disable autocorrection

• isSecureTextEntry determines whether text copying and caching are disabled and hides the text being entered for UITextField. The default value of this property is NO.

let textField = UITextField(frame: CGRect(x: 0, y: 0, width: 200, height: 40))
textField.isSecureTextEntry = true // Enable secure text entry

Links

• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
• OWASP: Finding Sensitive Data in Keyboard Cache

Standards

• OWASP_MASVS_L1:
  • MSTG_STORAGE_5
• OWASP_MASVS_L2:
  • MSTG_STORAGE_5
• PCI_STANDARDS:
  • REQ_2_2
  • REQ_3_2
  • REQ_3_3
  • REQ_3_5
  • REQ_6_2
• OWASP_MASVS_v2_1:
  • MASVS_STORAGE_1
  • MASVS_STORAGE_2