In iOS, text typed into your application's input fields is logged to the keyboard cache unless the field's secure flag is set or autocorrect is disabled. It's easy to retrieve all keystroke logs from a device. Developers should therefore be very careful with sensitive input fields such as SSN, PIN, and so on, so that their contents are not captured.
We will perform this exercise on an iOS Simulator. Let's follow the given steps to view the keyboard cache that captured sensitive data:
Let's use the iGoat application on an iOS Simulator to demonstrate the vulnerability. Select the Keystroke Logging exercise from the Data Protection (Rest) category of an
dynamic-text.dat file using any text editor and you will observe that our sensitive information is being captured in plain text.
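A regression check for the exercise above, added here as an example and not taken from the original text or from iGoat: after typing unique canary strings into the app's input fields, it scans a copy of the keyboard cache file for them. The canary values, function names and sample file contents are constructed for illustration, and the script assumes nothing about the cache format beyond it being a binary file that may contain printable ASCII runs.

```python
import re
import tempfile
from pathlib import Path

# Runs of 4+ printable ASCII bytes, the same heuristic the `strings` tool uses.
# Canaries shorter than 4 characters will therefore never match.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")

def cached_strings(cache_path):
    """Return the printable ASCII runs found in a keyboard cache file."""
    data = Path(cache_path).read_bytes()
    return [m.group().decode("ascii") for m in PRINTABLE_RUN.finditer(data)]

def leaked_canaries(cache_path, canaries):
    """Return the canary values that appear (case-insensitively) in the cache."""
    haystack = "\n".join(cached_strings(cache_path)).lower()
    return sorted(c for c in canaries if c.lower() in haystack)

def build_sample_cache(path):
    """Write a CONSTRUCTED stand-in for dynamic-text.dat (not a real capture)."""
    words = [b"hello", b"zqcanaryuser", b"meeting"]
    blob = b"\x00\x01hdr\x00" + b"\x00".join(words) + b"\x00\xff"
    Path(path).write_bytes(blob)
    return path

def demo():
    """Scan the constructed sample for two hypothetical canary values."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = build_sample_cache(Path(tmp) / "dynamic-text.dat")
        return leaked_canaries(sample, ["zqCanaryUser", "zqCanaryPin"])

if __name__ == "__main__":
    import sys
    # Usage: script.py <path to dynamic-text.dat copy> <canary> [<canary> ...]
    if len(sys.argv) > 2:
        leaks = leaked_canaries(sys.argv[1], sys.argv[2:])
    else:
        leaks = demo()
    print("leaked canaries:", leaks or "none")
    sys.exit(1 if leaks else 0)
```

A non-zero exit means a field that received a canary still reaches the keyboard cache, so its secure flag or autocorrect setting needs to be revisited.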