Haseeb Afsar

Table of Contents

Why Auto Correct, Auto Complete is hazardous for mobile apps dealing with sensitive data.

About 80% of the apps out there today are insecure and can be compromised easily, this is what recent studies have shown. Why this complacency? Are the businesses not serious about it. The answer is everyone today from a startup to an enterprise is more conservative about data security. Still there is a data breach and why does that happen? The answer to that question is lack of awareness amongst mobile app developers about the inner workings of the smartphone operating system itself. Unfortunately most of us think, penetration tests on backend makes app secure. Securing your backend is one piece of the puzzle.

The penetration tests overlook’s the smartphone operating system bugs and it’s tantamount implications that makes mobile app code even more vulnerable. A good mobile penetration test is more than just securing your backend 😊 Penetration tests traditionally are designed to focus on known exploits on the backend application namely SQL Injection, Cross Site Scripting, Session Hijacking etc. However less significance is given to how things work on the client side i.e mobile app. It starts from collecting user input and how is that input saved, shared and re-used by the operating system itself.

 

Auto Correction Example

 

Auto Correct, Auto Complete is hazardous for apps dealing with sensitive data.

 

Collecting user input is a very basic operation yet an feature that is part of 99% of the apps. Let me quote an example here, you might have seen instances on an input field where a user types something and suggestions pop-up. We like this behaviour of the app since its helping our user type less, this is a common phenomena if you’ve used apps from whatsapp, message, youtube, facebook etc. This is a very good user experience, however this comes at the cost of personal data getting leaked.

These suggestions and auto complete doesn’t happen with a magic wand. To provide these suggestions and auto-complete text’s the operating system has to collect as much data as it can and build a comprehensive dictionary. This dictionary is a text file stored on your device encrypted by your lock codes, which might sound to be bulletproof. However its not.

This gives away everything about your user from what he/she searched on google to what pizza he/she has ordered. This might sound scary, but the fix to preventing this kind of data leak is yet simple.

 

Also this doesn’t mean that you have to force your user to live without auto-complete. We just have to make diligent decisions here, where to use it and where it shouldn’t be used.

 

So what is the fix? “Disable auto suggestion / correction” where you think you are collecting sensitive information from the user.

 

Code Example

 

How to fix this in iOS?

The keyboard classes used in iOS cause data to be cached for autocorrection. The way this is implemented causes everything typed into a keyboard in your application to be stored in the order it was typed, in clear text. Exceptions are:

  1. Fields marked as secure passwords fields are not cached.
  2. Strings containing all digits are no longer cached, although they used to be in older version of iOS. This means credit card numbers are generally safe.
  3. Text fields in which the autocorrect has been disabled prevent data from being cached, but remove the functionality of autocorrect entirely when typing.
  4. Small, one-letter or two-letter words aren’t always cached.

Let’s talk code – iOS Only here 🙂

The easiest way to disable this functionality is to simply disable the autocorrect functionality for a particular text field that you don’t want cached.

 

UITextField *textField = [ [ UITextField alloc ] initWithFrame: frame ]; textField.autocorrectionType = UITextAutocorrectionTypeNo; 

This is ideal for fields accepting secure input, such as usernames, pass phrases, or the answers to security questions. In fact, because the keyboard cache can cache these text fields, often times beginning to fill out the answer to a security question can cause the cache to even autocomplete the answer for an intruder, unless the autocorrect properties are disabled.

Additionally, fields can be marked for password entry, causing the input to be secured from the

cache. textField.secureTextEntry = YES; 

In addition to text entry, data is cached in clear text when it is copied to the pasteboard in iOS. To disable a text field’s copy/paste functionality, so that the user cannot copy and paste from this field, add the following method to your text field’s delegate: –

(BOOL)canPerformAction:(SEL)action withSender:(id)sender { UIMyViewController *myViewController = [ UIMyViewController sharedMyViewController ]; if (myViewController) { myViewController.menuVisible = NO; } return NO; }

Leave a Reply

Your email address will not be published. Required fields are marked *