software composition analysis
Product
SAST
Catch vulnerabilities as you develop DAST
Test live web applications like an attacker SCA
Secure open-source and supply chain MAST
Secure mobile apps from code to store Compliance
Align with standards while shipping secure code
Resources
Vulnerability database Healthy Package
Blog News
Documentation
Pricing Partners About Us Log In
software composition analysis

Swift : Third-party keyboard extensions usage

Classification

OWASP Mobile Top 10 2014 M4-Unintended Data Leakage OWASP Mobile Top 10 2016 M2-Insecure Data Storage OWASP MASVS V2: 2.5.(L1/L2/L1+R/L2+R) V6: 6.11.(L2/L2+R) HIPAA §164.312 (a)(1) CWE CWE-200 CWE/SANS Top 25 2021 CWE-200

Overview

The application allows third-party keyboard extensions to be installed. The leakage of confidential data is possible.

Keyboard extensions are allowed to read each keystroke made by the user. Third-party keyboards are usually used to facilitate text entry or add additional emojis and they may log what the user enters or even sends to the remote server for processing. Malicious keyboards can be used to act as a keylogger and read each user-entered key to steal confidential data, such as credentials or credit card numbers.

Insecure Data Storage vulnerabilities take the second place in the “OWASP Top 10 2016” mobile application vulnerabilities ranking.

References

  1. CWE-200: Information Exposure
  2. UIApplicationKeyboardExtensionPointIdentifier - developer.apple.com
  3. Can I disable custom keyboards (iOS8) for my app? - stackoverflow.com
  4. OWASP: Mobile Top 10 2014-M4
  5. OWASP: Mobile Top 10 2016-M2

See also

Swift : Insecure manipulations with the file system
Swift : Hardcoded encryption key
Swift : Unsafe Keychain usage