Storing sensitive information in the keyboard cache
MEDIUM
Detection method: DAST SENSITIVE INFO
Description
iOS has a mechanism to auto-complete words that the user enters in text fields. If iOS does not know a word the user enters, it can cache the word (or prompt the user to add the word to the dictionary). This feature can be very useful, for example in messenger applications. However, the keyboard cache may disclose sensitive information if the keyboard is used to enter such information (credit card data, login, password or personal user information).
Recommendations
The autocorrectionType parameter of a UITextField class object is responsible for enabling or disabling the auto-complete option.
Code Example:
UITextField *textField = [[UITextField alloc] initWithFrame:frame];
textField.autocorrectionType = UITextAutocorrectionTypeNo;
All input fields for sensitive information must be marked with the secureTextEntry parameter.
Code Example:
UITextField *textField = [[UITextField alloc] initWithFrame:frame];
textField.secureTextEntry = YES;
It is recommended to implement a custom keyboard for entering all sensitive data, with caching of all input data disabled. It is also necessary to prohibit copying the entered information to the clipboard, so that other applications cannot access it.
Code Example:
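// Overridden in the text field subclass used for sensitive input.
- (BOOL)canPerformAction:(SEL)action
              withSender:(id)sender
{
    // Hide the edit menu (Copy / Cut / Paste) if it is being shown.
    UIMenuController *menuController = [UIMenuController sharedMenuController];
    if (menuController) {
        menuController.menuVisible = NO;
    }
    // Refuse every editing action, so nothing reaches the clipboard.
    return NO;
}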
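
The following is an added example, not code from the original page: a debug-time audit that walks a view hierarchy and reports every sensitive UITextField that still lacks the two settings recommended above. The function names are hypothetical, and the example assumes that sensitive fields are identified by their textContentType and that the deployment target is iOS 12 or later.

```objc
#import <UIKit/UIKit.h>

// Hypothetical helper: YES when the field's textContentType marks it as
// holding a login, a password or card data (an assumption of this example;
// an app may tag its sensitive fields in some other way).
static BOOL IsSensitiveField(UITextField *field) {
    UITextContentType type = field.textContentType;
    if (type == nil) {
        return NO;
    }
    NSArray<UITextContentType> *sensitive = @[
        UITextContentTypeUsername,
        UITextContentTypePassword,
        UITextContentTypeNewPassword,
        UITextContentTypeCreditCardNumber
    ];
    return [sensitive containsObject:type];
}

// Hypothetical helper: recursively walks `root` and appends one finding per
// missing setting on each sensitive UITextField.
static void AuditKeyboardCacheSettings(UIView *root,
                                       NSMutableArray<NSString *> *findings) {
    if ([root isKindOfClass:[UITextField class]]) {
        UITextField *field = (UITextField *)root;
        if (IsSensitiveField(field)) {
            if (field.autocorrectionType != UITextAutocorrectionTypeNo) {
                [findings addObject:[NSString stringWithFormat:
                    @"%@: autocorrectionType is not UITextAutocorrectionTypeNo",
                    field]];
            }
            if (!field.secureTextEntry) {
                [findings addObject:[NSString stringWithFormat:
                    @"%@: secureTextEntry is not set", field]];
            }
        }
    }
    for (UIView *child in root.subviews) {
        AuditKeyboardCacheSettings(child, findings);
    }
}

// Usage in a debug build, e.g. at the end of -viewDidAppear: of a view
// controller:
//   NSMutableArray<NSString *> *findings = [NSMutableArray array];
//   AuditKeyboardCacheSettings(self.view, findings);
//   NSAssert(findings.count == 0, @"Keyboard cache findings: %@", findings);
```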