MASTG-BEST-0044: Mask Sensitive Data in Text Input Fields

For any text input field that handles sensitive information such as passwords, PINs, or OTPs, ensure that the entered text is visually masked to prevent bystanders or screen capture tools from exposing it.

UIKit

Set isSecureTextEntry to true on any UITextField that captures sensitive data. This replaces typed characters with bullet characters (•), so the entered text is not displayed in clear text on screen.

import UIKit

let passwordField = UITextField()
passwordField.isSecureTextEntry = true  // mask typed characters with bullets

SwiftUI

Use SecureField instead of TextField for any input that handles passwords, PINs, or OTPs. SecureField automatically masks its content as the user types.

SecureField("Password", text: $password)

Note

Do not use a plain TextField for sensitive input, even if you intend to style it to look like a masked field at the application layer, because this does not provide the same level of protection as the system-provided secure text entry mechanisms.

Tests

MASTG-TEST-0346: References to APIs Hiding Sensitive Data in Text Input Fields

MASTG-TEST-0347: Runtime Use of APIs Hiding Sensitive Data in Text Input Fields
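
A heuristic source review check for the two rules above, added here as an example (it is not part of the MASTG and is not the procedure of the tests listed). It flags UITextField declarations with sensitive-looking names that never set isSecureTextEntry to true, and plain SwiftUI TextField calls with sensitive-looking labels or bindings; the keyword list, the function names and the sample Swift source are assumptions constructed for the demonstration.

```python
import re

# Assumed keyword list; extend it to match the app's own naming.
SENSITIVE_WORDS = {"password", "passcode", "pin", "otp", "cvv", "secret"}
UIKIT_DECL = re.compile(r"\b(?:let|var)\s+(\w+)\s*(?::\s*UITextField\b|=\s*UITextField\s*\()")
SWIFTUI_PLAIN = re.compile(r"(?<![A-Za-z])TextField\s*\(([^)]*)\)")


def looks_sensitive(text):
    """Split identifiers and labels into words (camelCase aware) and match keywords."""
    words = re.findall(r"[A-Z]?[a-z]+|[A-Z]+(?![a-z])", text)
    return any(w.lower() in SENSITIVE_WORDS for w in words)


def find_unmasked_fields(src):
    """Return sorted (line, message) pairs for sensitive-looking fields left unmasked."""
    findings = []
    for m in UIKIT_DECL.finditer(src):
        name = m.group(1)
        masked = re.search(rf"\b{re.escape(name)}[?!]?\.isSecureTextEntry\s*=\s*true\b", src)
        if looks_sensitive(name) and not masked:
            line = src.count("\n", 0, m.start()) + 1
            findings.append((line, f"UITextField '{name}' never sets isSecureTextEntry = true"))
    for m in SWIFTUI_PLAIN.finditer(src):
        if looks_sensitive(m.group(1)):
            line = src.count("\n", 0, m.start()) + 1
            findings.append((line, "plain TextField used for sensitive input; use SecureField"))
    return sorted(findings)


# Constructed Swift source for the demonstration (not from a real app).
SAMPLE = '''\
let passwordField = UITextField()
passwordField.isSecureTextEntry = true
let pinField = UITextField()
let spinnerLabelField = UITextField()
@IBOutlet weak var otpField: UITextField!
struct Login: View {
    var body: some View {
        SecureField("Password", text: $password)
        TextField("Enter PIN", text: $pin)
        TextField("Username", text: $username)
    }
}
'''

if __name__ == "__main__":
    for line, msg in find_unmasked_fields(SAMPLE):
        print(f"line {line}: {msg}")
```

Name matching of this kind misses fields with neutral names and fields configured in storyboards, so treat a clean result as a starting point for manual review.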