NowSecure dynamic analysis: Allowing Third Party Keyboards Potentially Exposes User Input

[lcimeni]

Finding Description

This application does not use application:shouldAllowExtensionPointIdentifier: on the application delegate to disable third-party keyboards. iOS apps can choose to grant permissions to use app extensions such as 3rd party keyboards. Allowing 3rd party keyboards can introduce privacy risks such as keystroke logging and in turn, sensitive data leaks. It is considered a security best practice to disable 3rd party keyboard extensions unless necessary.

Steps to Reproduce

While the app is running on a physical device, this test dynamically detects whether the app delegate explicitly revoked permissions for allowing usage of 3rd party keyboards by returning NO for the identifier UIApplicationKeyboardExtensionPointIdentifier.

Business Impact

The app allows other keyboards to be used to input data. If those keyboards are malicious, they can steal user input such as usernames and passwords.

Remediation Resources

Implement application:shouldAllowExtensionPointIdentifier: on the application delegate and return NO for the identifier UIApplicationKeyboardExtensionPointIdentifier.

Details and code snippets can be found at Apple's documentation.

Risk and Regulatory Information

Severity: medium CVSS: 4

• Risk OWASP: Mobile Top 10: M1-Improper Platform Usage, Mobile Top 10: M7-Poor Code Quality
• CCPA: Risks violating CCPA: exfiltration, theft, or disclosure of PII

Application

• Platform: ios
• Package: com.wearezeta.zclient.ios

See more detail in the NowSecure Report