Sensitive data stored in keyboard cache

Sensitive data stored in keyboard cache

Risk: low

Description

iOS stores almost all non-numeric words in the keyboard cache. Sensitive information like login or passwords may leak if the auto-correction the feature is not disabled.

Recommendation

Keyboard caching is caused by the UITextInputTraits protocol supported by UITextField, UITextView and UISearchBar.

• var autocorrectionType: UITextAutocorrectionType determines whether auto-correction is enabled during typing. When auto-correction is enabled, the text object tracks unknown words and suggests suitable replacements, replacing the typed text automatically unless the user overrides the replacement. The default value of this property is UITextAutocorrectionTypeDefault, which for most input methods enables auto-correction.

• var secureTextEntry: BOOL determines whether text copying and caching are disabled and hides the text being entered for UITextField. The default value of this property is NO.

textInput.autocorrectionType = UITextAutocorrectionTypeNo;
textInput.secureTextEntry = YES;

Links

• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
• OWASP: Finding Sensitive Data in Keyboard Cache

Standards

• OWASP_MASVS_L1:
  • MSTG_STORAGE_5
• OWASP_MASVS_L2:
  • MSTG_STORAGE_5