iOS apps can grant permissions to enable app extensions such as third party keyboards. This application does not use application:shouldAllowExtensionPointIdentifier: on the application delegate to disable third-party keyboards. By allowing third party keyboards, privacy risks such as keystroke logging and sensitive data leakage can be introduced.
It is considered a security best practice to disable third party keyboard extensions and other app extensions unless absolutely necessary.
Steps to Reproduce
Installing and running the app on a device that has a third party keyboard from the App Store can be used to test if this control is properly in place.
In NowSecure's automated testing for this vulnerability, the test dynamically detects whether the app delegates explicitly revoked permissions for allowing usage of third party keyboards by returning NO for the identifier UIApplicationKeyboardExtensionPointIdentifier.
Business Impact
A third-party keyboard extension that is granted "full access" by the user can send keystrokes to a remote server. A malicious keyboard extension could exfiltrate sensitive data that the user enters into the application.
Remediation Resources
Recommended Fix
Implement application:shouldAllowExtensionPointIdentifier: on the application delegate and return NO for the identifier UIApplicationKeyboardExtensionPointIdentifier.
Details and code snippets can be found at Apple's documentation.
Finding Description
iOS apps can grant permissions to enable app extensions such as third party keyboards. This application does not use
application:shouldAllowExtensionPointIdentifier:on the application delegate to disable third-party keyboards. By allowing third party keyboards, privacy risks such as keystroke logging and sensitive data leakage can be introduced. It is considered a security best practice to disable third party keyboard extensions and other app extensions unless absolutely necessary.Steps to Reproduce
Installing and running the app on a device that has a third party keyboard from the App Store can be used to test if this control is properly in place. In NowSecure's automated testing for this vulnerability, the test dynamically detects whether the app delegates explicitly revoked permissions for allowing usage of third party keyboards by returning
NOfor the identifierUIApplicationKeyboardExtensionPointIdentifier.Business Impact
A third-party keyboard extension that is granted "full access" by the user can send keystrokes to a remote server. A malicious keyboard extension could exfiltrate sensitive data that the user enters into the application.
Remediation Resources
Recommended Fix
Implement
application:shouldAllowExtensionPointIdentifier:on the application delegate and returnNOfor the identifierUIApplicationKeyboardExtensionPointIdentifier. Details and code snippets can be found at Apple's documentation.Code Samples
Good Code Example (.swift)
Good Code Example (.objc)
Additional Guidance
Risk and Regulatory Information
Severity: medium
CVSS: 4
Policy Category: Needs Remediation
Application
See more detail in the NowSecure Report