In iOS, your application's input text fields are logged unless secure flag is not set or autocorrect is not disabled. It's easy to retrieve all keystroke logs from a device. Therefore, the developers should be very careful with sensitive data input fields such as SSN, pin, and so on, so that it should not be captured.
We will perform this exercise on an iOS Simulator. Let's follow the given steps to view keyboard cache that captured sensitive data:
Let's use the
iGoat
application on an iOS Simulator to demonstrate the vulnerability. Select the Keystroke Logging exercise from the Data Protection (Rest) category of aniGoat
application:Fill the Subject and Message input field and then use the Send option:
Now, check the simulator's
Library
folder that has theKeyboard
directory:Open the
dynamic-text.dat
file using any text editor and you will observe our sensitive information is being captured in plain text: