NowSecure dynamic analysis: Allowing Third Party Keyboards Potentially Exposes User Input

lcimeni commented 3 years ago

Finding Description

iOS apps can grant permissions to enable app extensions such as third party keyboards. This application does not use application:shouldAllowExtensionPointIdentifier: on the application delegate to disable third-party keyboards. By allowing third party keyboards, privacy risks such as keystroke logging and sensitive data leakage can be introduced. It is considered a security best practice to disable third party keyboard extensions and other app extensions unless absolutely necessary.

Steps to Reproduce

Installing and running the app on a device that has a third party keyboard from the App Store can be used to test if this control is properly in place. In NowSecure's automated testing for this vulnerability, the test dynamically detects whether the app delegates explicitly revoked permissions for allowing usage of third party keyboards by returning NO for the identifier UIApplicationKeyboardExtensionPointIdentifier.

Business Impact

A third-party keyboard extension that is granted "full access" by the user can send keystrokes to a remote server. A malicious keyboard extension could exfiltrate sensitive data that the user enters into the application.

Remediation Resources

Recommended Fix

Implement application:shouldAllowExtensionPointIdentifier: on the application delegate and return NO for the identifier UIApplicationKeyboardExtensionPointIdentifier. Details and code snippets can be found at Apple's documentation.

Code Samples

Good Code Example (.swift)

func application(application: UIApplication, shouldAllowExtensionPointIdentifier extensionPointIdentifier: String) -> Bool {
return extensionPointIdentifier != UIApplicationKeyboardExtensionPointIdentifier
}

Good Code Example (.objc)

(bool) application: (UIApplication) application shouldAllowExtensionPointIdentifier: (String) extensionPointIdentifier{
return extensionPointIdentifier != UIApplicationKeyboardExtensionPointIdentifier;
}

Additional Guidance

This article provides documentation on the shouldAllowExtensionPointIdentifier method: https://developer.apple.com/documentation/uikit/uiapplicationdelegate/1623122-application?language=objc

Risk and Regulatory Information

Severity: medium CVSS: 4

Application

Platform: ios
Package: net.appox.github.GithubProjects

See more detail in the NowSecure Report

lcimeni commented 3 years ago

Update: This finding has been permanently hidden by Lorenz Cimeni, so no additional action required.

Powered by NowSecure Platform

lcimeni commented 3 years ago

Update: The risk severity (CVSS score) of this finding has been modified from 7.77 to 7.7777 by Lorenz Cimeni.

Powered by NowSecure Platform

lcimeni / youtube