Sensitive data stored in keyboard cache
Description
iOS stores almost all non-numeric words typed by the user in the keyboard cache. Sensitive information such as logins or passwords may leak if auto-correction is not disabled for the fields that receive it.
Recommendation
Keyboard caching is caused by the UITextInputTraits protocol, which is supported by UITextField, UITextView and UISearchBar.
- var autocorrectionType: UITextAutocorrectionType determines whether auto-correction is enabled during typing. When auto-correction is enabled, the text object tracks unknown words and suggests suitable replacements, replacing the typed text automatically unless the user overrides the replacement. The default value of this property is UITextAutocorrectionTypeDefault, which for most input methods enables auto-correction.
- var secureTextEntry: BOOL determines whether text copying and caching are disabled and hides the text being entered for UITextField. The default value of this property is NO.
textInput.autocorrectionType = UITextAutocorrectionTypeNo;
textInput.secureTextEntry = YES;
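The Swift counterpart of the Objective-C snippet above, extended with a small audit helper that walks a view hierarchy and reports every UITextInputTraits-conforming view that still has auto-correction enabled. This is an added example written for this page, not code from Apple or from the original finding; the function names hardenSensitiveInput and inputsStillCaching and the isPassword parameter are this example's own, and it assumes an iOS 11 or later deployment target for textContentType and the smart punctuation properties.

```swift
import UIKit

// Added example (not from the original page). Function and parameter
// names are this example's own; the UIKit properties used are real.

/// Configure a text field so that what the user types is neither learned
/// by the keyboard nor shown on screen. `isPassword` selects the password
/// content type and masking; otherwise the field is treated as a login name.
func hardenSensitiveInput(_ field: UITextField, isPassword: Bool) {
    // Stop the keyboard from tracking typed words (the cache described above).
    field.autocorrectionType = .no
    field.spellCheckingType = .no
    // Masks the text and additionally disables copying and caching.
    field.isSecureTextEntry = isPassword
    // Declare the purpose of the field so the system treats it as credentials.
    field.textContentType = isPassword ? .password : .username
    // Smart punctuation features also inspect typed text; turn them off too.
    field.smartQuotesType = .no
    field.smartDashesType = .no
    field.smartInsertDeleteType = .no
}

/// Breadth-first walk over a view hierarchy returning every view that adopts
/// UITextInputTraits (UITextField, UITextView, UISearchBar) whose
/// auto-correction is not explicitly disabled. `.default` enables
/// auto-correction for most input methods, so it is reported as well.
func inputsStillCaching(in root: UIView) -> [UIView] {
    var offenders: [UIView] = []
    var queue: [UIView] = [root]
    while !queue.isEmpty {
        let view = queue.removeFirst()
        queue.append(contentsOf: view.subviews)
        if let traits = view as? UITextInputTraits {
            // The protocol's requirements are optional in Swift, hence the fallback.
            let type = traits.autocorrectionType ?? .default
            if type != .no {
                offenders.append(view)
            }
        }
    }
    return offenders
}

// Constructed usage: harden a login form and confirm nothing was missed.
let usernameField = UITextField()
let passwordField = UITextField()
let container = UIView()
container.addSubview(usernameField)
container.addSubview(passwordField)

hardenSensitiveInput(usernameField, isPassword: false)
hardenSensitiveInput(passwordField, isPassword: true)

// Expected to be empty once both fields are hardened.
let leaking = inputsStillCaching(in: container)
print("Fields still caching keystrokes: \(leaking.count)")
```

inputsStillCaching is meant for a debug build or a UI test: run it over the root view of any screen that collects credentials and fail the test when the returned array is not empty, which catches fields added later through storyboards or third-party components that were never configured.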
Links
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
- OWASP: Finding Sensitive Data in Keyboard Cache
Standards
- OWASP_MASVS_L1:
  - MSTG_STORAGE_5
- OWASP_MASVS_L2:
  - MSTG_STORAGE_5