
MASTG-TEST-0346: References to APIs Hiding Sensitive Data in Text Input Fields

Overview

If the app does not mask text input fields that contain sensitive data, such data may be visible to bystanders (shoulder surfing) or captured in screenshots and screen recordings.

This test statically analyzes the app binary for references to text input APIs and checks whether the app configures input fields to mask sensitive text entries. In iOS, masking replaces typed characters with bullet characters using the following settings:

  • In UIKit, this is done by setting isSecureTextEntry to true on a UITextField.
  • In SwiftUI, this is done by using SecureField instead of TextField.

Example for UIKit:

let passwordField = UITextField()
passwordField.isSecureTextEntry = true
// Alternatively, toggle the property (flips the current value, so check the state first)
passwordField.isSecureTextEntry.toggle()

Example for SwiftUI:

SecureField("Password", text: $password)

Steps

  1. Use Reverse Engineering iOS Apps to reverse engineer the app.
  2. Use Static Analysis on iOS to look for uses of the relevant APIs.
  3. Use Reviewing Disassembled Objective-C and Swift Code to analyze the relevant code paths and determine whether the input fields receive sensitive data.

Observation

The output should contain a list of locations where the app:

  • Creates text input fields, such as UITextField, SecureField or TextField.
  • Explicitly configures visibility attributes that mask the entered text.
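The following script is an added example of how the reference list described above can be produced from a symbol and string dump of the binary; it is not part of MASTG or of any tool the guide references. It assumes the dump has already been exported (for example from a disassembler) as one entry per line in the form "address section text", and it matches the Objective-C class symbol for UITextField, the Objective-C setter selector behind isSecureTextEntry (setSecureTextEntry:), and the mangled SwiftUI type names for TextField and SecureField. The sample dump is constructed and taken from no real app.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of a symbol/string dump from an iOS app
# binary: "address section text" per line. Not taken from any real app.
SAMPLE_DUMP = """\
0x100004a10 __objc_classrefs _OBJC_CLASS_$_UITextField
0x100004a28 __objc_methname setSecureTextEntry:
0x100004a40 __objc_methname setPlaceholder:
0x100005b00 __text $s7SwiftUI9TextFieldV
0x100005b20 __text $s7SwiftUI11SecureFieldV
0x100005b48 __cstring Password
0x100005b60 __cstring Username
"""

# References this test looks for: field creation and the masking APIs.
# The SwiftUI entries are the mangled names of the TextField and SecureField
# structs (module "SwiftUI", then the type name, then V for struct).
PATTERNS = {
    "uikit_text_field": re.compile(r"_OBJC_CLASS_\$_UITextField\b"),
    "uikit_secure_entry_setter": re.compile(r"\bsetSecureTextEntry:"),
    "swiftui_text_field": re.compile(r"\$s7SwiftUI9TextFieldV"),
    "swiftui_secure_field": re.compile(r"\$s7SwiftUI11SecureFieldV"),
}


def classify_references(dump: str) -> dict[str, list[str]]:
    """Return, per API category, the addresses at which a reference occurs.

    This is the "list of locations" the Observation section asks for; it does
    not decide whether any particular field holds sensitive data.
    """
    hits: dict[str, list[str]] = defaultdict(list)
    for line in dump.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) < 3:
            continue  # skip malformed or empty lines
        addr, _section, text = parts
        for name, pattern in PATTERNS.items():
            if pattern.search(text):
                hits[name].append(addr)
    return dict(hits)


def review_findings(hits: dict[str, list[str]]) -> list[str]:
    """Turn the reference list into items that need manual code-path review.

    Mirrors the Evaluation section: UITextField without any
    setSecureTextEntry: call can never be masked; a SwiftUI TextField may be
    fine (username, e-mail) and must be checked for sensitive use.
    """
    findings = []
    if hits.get("uikit_text_field") and not hits.get("uikit_secure_entry_setter"):
        findings.append(
            "UIKit: UITextField referenced at %s but setSecureTextEntry: is never "
            "called, so no UIKit field is masked" % ", ".join(hits["uikit_text_field"])
        )
    if hits.get("swiftui_text_field"):
        findings.append(
            "SwiftUI: TextField referenced at %s; confirm none of these fields "
            "takes a password, PIN or OTP (use SecureField there)"
            % ", ".join(hits["swiftui_text_field"])
        )
    return findings


if __name__ == "__main__":
    refs = classify_references(SAMPLE_DUMP)
    for category, addrs in sorted(refs.items()):
        print(f"{category}: {', '.join(addrs)}")
    for finding in review_findings(refs):
        print("REVIEW:", finding)
```

On the constructed sample the UIKit side references the setter, so only the SwiftUI TextField is reported for manual review; a dump that references UITextField but never setSecureTextEntry: yields a UIKit finding because no field of that kind can be masked. The output is a starting point for step 3 above, not a verdict: the Evaluation section still requires confirming which fields actually carry sensitive data.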

Evaluation

The test case fails if the app uses text input fields to input sensitive data and these input fields are not masked. This occurs when:

  • A UIKit UITextField used for a password, PIN, or OTP does not have isSecureTextEntry set to true.
  • A SwiftUI TextField is used instead of SecureField for a password, PIN, or OTP field.

Note

It is not a failure if non-sensitive text input fields (for example, for a username or email address) are unmasked. Validating whether a text input field is used for sensitive data may require a review of the app's UI and business logic to determine the context in which the field is used.

Note

This test may produce false negatives if the app uses custom text input controls that do not rely on standard classes such as UITextField or SecureField (for example in custom UI frameworks or game engines, or if text entry is handled through nonstandard abstractions that prevent reliable observation of input traits at rest).

Best Practices

MASTG-BEST-0044: Mask Sensitive Data in Text Input Fields

Demos

MASTG-DEMO-0112: Text Input Fields Not Hiding Sensitive Data