This application does not use application:shouldAllowExtensionPointIdentifier: on the application delegate to disable third-party keyboards.
iOS apps can choose to grant permission to use app extensions such as third-party keyboards.
Allowing third-party keyboards can introduce privacy risks such as keystroke logging and, in turn, sensitive data leaks.
It is considered a security best practice to disable third-party keyboard extensions unless they are necessary.
Steps to Reproduce
While the app is running on a physical device, this test dynamically detects whether the app delegate explicitly revokes permission to use third-party keyboards by returning NO for the identifier UIApplicationKeyboardExtensionPointIdentifier.
Business Impact
The app allows other keyboards to be used to input data.
If those keyboards are malicious, they can steal user input such as usernames and passwords.
Remediation Resources
Implement application:shouldAllowExtensionPointIdentifier: on the application delegate and return NO for the identifier UIApplicationKeyboardExtensionPointIdentifier.
Details and code snippets can be found in Apple's documentation.
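An app delegate that implements the remediation above, followed by an XCTest check that mirrors the dynamic test under Steps to Reproduce. This is an added example, not code from NowSecure or Apple. The class names AppDelegate and KeyboardPolicyTests are assumptions, and the test assumes a unit-test target hosted by the app.

```objectivec
// ---- AppDelegate.m (app target) ----
#import <UIKit/UIKit.h>

// Assumed class name; use the app's existing delegate class.
@interface AppDelegate : UIResponder <UIApplicationDelegate>
@property (strong, nonatomic) UIWindow *window;
@end

@implementation AppDelegate

// UIKit asks the delegate before allowing app extensions of the given
// extension point to be used inside this app. If the method is not
// implemented, third-party keyboards are allowed.
- (BOOL)application:(UIApplication *)application
shouldAllowExtensionPointIdentifier:(UIApplicationExtensionPointIdentifier)extensionPointIdentifier
{
    // Reject custom keyboards app-wide; the system keyboard is used instead.
    if ([extensionPointIdentifier
            isEqualToString:UIApplicationKeyboardExtensionPointIdentifier]) {
        return NO;
    }
    // Leave any other extension point at its default (allowed).
    return YES;
}

@end

// ---- KeyboardPolicyTests.m (unit-test target hosted by the app) ----
#import <XCTest/XCTest.h>

@interface KeyboardPolicyTests : XCTestCase
@end

@implementation KeyboardPolicyTests

// Fails if the delegate method is removed or starts returning YES.
- (void)testThirdPartyKeyboardsAreRejected {
    UIApplication *app = UIApplication.sharedApplication;
    id<UIApplicationDelegate> delegate = app.delegate;
    XCTAssertTrue([delegate respondsToSelector:
        @selector(application:shouldAllowExtensionPointIdentifier:)]);
    XCTAssertFalse([delegate application:app
        shouldAllowExtensionPointIdentifier:UIApplicationKeyboardExtensionPointIdentifier]);
}

@end
```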
Risk and Regulatory Information
Severity: medium
CVSS: 4
Application
See more detail in the NowSecure Report