iOS Sensitive data stored in keyboard cache
Description
iOS stores almost all non-numeric words in the keyboard cache. Sensitive information such as logins or passwords may leak if the auto-correction feature is not disabled.
Recommendation
Keyboard caching is caused by the UITextInputTraits protocol supported by UITextField, UITextView and UISearchBar.
To prevent keyboard caching from leaking input of sensitive fields, consider:
autocorrectionType determines whether auto-correction is enabled during typing. The default value of this property is UITextAutocorrectionTypeDefault, which for most input methods enables auto-correction.
let textField = UITextField(frame: CGRect(x: 0, y: 0, width: 200, height: 40))
textField.autocorrectionType = .no // Disable autocorrection
isSecureTextEntry determines whether text copying and caching are disabled and hides the text being entered for UITextField. The default value of this property is NO.
let textField = UITextField(frame: CGRect(x: 0, y: 0, width: 200, height: 40))
textField.isSecureTextEntry = true // Enable secure text entry
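To check that these settings are actually applied, the following added example (not part of the original page) walks a view hierarchy and lists every UITextField, UITextView and UISearchBar that has neither mitigation set, so a reviewer can decide which of them hold sensitive input. The names KeyboardCacheFinding and auditKeyboardCaching are hypothetical, and the use of accessibilityIdentifier to label fields is an assumption about how the app tags its views.

```swift
import UIKit

/// Hypothetical report entry: one text input that can still feed the keyboard cache.
struct KeyboardCacheFinding {
    let viewType: String
    let identifier: String   // accessibilityIdentifier, or "<unset>" (assumed tagging scheme)
}

/// Returns every text input under `root` where auto-correction is not disabled
/// and, for UITextField, secure text entry is not enabled either.
func auditKeyboardCaching(in root: UIView) -> [KeyboardCacheFinding] {
    var findings: [KeyboardCacheFinding] = []

    func record(_ view: UIView) {
        findings.append(KeyboardCacheFinding(
            viewType: String(describing: type(of: view)),
            identifier: view.accessibilityIdentifier ?? "<unset>"))
    }

    func visit(_ view: UIView) {
        switch view {
        case let bar as UISearchBar:
            if bar.autocorrectionType != .no { record(bar) }
            return  // do not descend: the bar's inner text field would be reported twice
        case let field as UITextField:
            // Either mitigation from this page is enough to keep the field out of the list.
            if !field.isSecureTextEntry && field.autocorrectionType != .no { record(field) }
        case let textView as UITextView:
            if textView.autocorrectionType != .no { record(textView) }
        default:
            break
        }
        view.subviews.forEach(visit)
    }

    visit(root)
    return findings
}
```

Calling it from a debug build or a UI test on each screen's root view gives a list to compare against the fields known to carry logins or passwords.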
Links
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
- OWASP: Finding Sensitive Data in Keyboard Cache
Standards
- OWASP_MASVS_L1:
  - MSTG_STORAGE_5
- OWASP_MASVS_L2:
  - MSTG_STORAGE_5
- PCI_STANDARDS:
  - REQ_2_2
  - REQ_3_2
  - REQ_3_3
  - REQ_3_5
  - REQ_6_2
- OWASP_MASVS_v2_1:
  - MASVS_STORAGE_1
  - MASVS_STORAGE_2