MASTG-TEST-0313: References to APIs for Preventing Keyboard Caching of Text Fields

Overview

This test verifies whether the target app prevents sensitive information entered into text fields from being cached by the system keyboard ( Keyboard Cache). On iOS, the keyboard may suggest previously entered text when typing in any app on the device.

The test checks whether UI elements such as UITextField, UITextView, and UISearchBar prevent keyboard caching by using one or more of the following attributes:

• Setting UITextAutocorrectionType
• Enabling isSecureTextEntry
• Setting spellCheckingType

Note: By default, text input is eligible for keyboard caching, and an app does not need to explicitly set UITextAutocorrectionType when creating a text field. Additionally, the UI may be configured in a Storyboard. As a result, this test may miss many true positives. For complete coverage, using Runtime Monitoring of Text Fields Eligible for Keyboard Caching is recommended.

Note: This test may produce false negatives if the app uses custom text input controls that do not rely on standard UIKit classes such as UITextField or UITextView, for example in custom UI frameworks or game engines, or if text entry is handled through nonstandard abstractions that prevent reliable observation of input traits at rest.

Steps

1. Use Reverse Engineering iOS Apps to reverse engineer the app.
2. Use Retrieving Cross References to look for references to APIs that set the relevant input attributes.
3. Use Reviewing Disassembled Objective-C and Swift Code to analyze the relevant code paths and determine the values assigned to these attributes.

Observation

The output should contain a list of locations where the app:

• creates text input fields such as UITextField, UITextView, or UISearchBar, and
• explicitly configures input attributes that prevent keyboard caching for security sensitive text fields.

Evaluation

The test fails if any UI inputs that may handle sensitive values, for example usernames, passwords, email addresses, credit card numbers, or recovery codes, are eligible for keyboard caching. This occurs when:

• isSecureTextEntry is not enabled, or
• autocorrectionType is set to default or yes, or
• spellCheckingType is set to default or yes.

The test passes if all security-sensitive inputs are protected against keyboard caching.

Note: Depending on the app's threat model, some text fields may not require disabling spell checking. However, since enabling isSecureTextEntry implicitly disables both autocorrection and spell checking, and since explicit guarantees are otherwise limited, it is generally advisable to disable all three attributes for any text field that may handle sensitive information.

Mitigations

• Preventing Keyboard Caching for Sensitive Text Inputs

Demos

MASTG-DEMO-0076: Keyboard Caching Not Prevented for Sensitive Data with r2