CX Third_Party_Keyboards_On_Sensitive_Field @ iGoat-Swift/iGoat-Swift/Source/Exercises/Key Management/Random Key Generation/RandomKeyGenerationExerciseVC.swift [master]

[tsunez]

Third_Party_Keyboards_On_Sensitive_Field issue exists @ iGoat-Swift/iGoat-Swift/Source/Exercises/Key Management/Random Key Generation/RandomKeyGenerationExerciseVC.swift in branch master

The passwordField at line 8 of iGoat-Swift\iGoat-Swift\Source\Exercises\Key Management\Random Key Generation\RandomKeyGenerationExerciseVC.swift contains sensitive data, and is not protected from third party keyboards by either: 1) Setting secureTextEntry=YES, -Or- 2) Disabling third party keyboards application wide.

Severity: High

CWE:829

Vulnerability details and guidance

Checkmarx

Recommended Fix

Lines: [20](https://github.com/Custodela/iGoat-Swift/blob/master/iGoat-Swift/iGoat-Swift/Source/Exercises/Key Management/Random Key Generation/RandomKeyGenerationExerciseVC.swift#L20) [8](https://github.com/Custodela/iGoat-Swift/blob/master/iGoat-Swift/iGoat-Swift/Source/Exercises/Key Management/Random Key Generation/RandomKeyGenerationExerciseVC.swift#L8) [25](https://github.com/Custodela/iGoat-Swift/blob/master/iGoat-Swift/iGoat-Swift/Source/Exercises/Key Management/Random Key Generation/RandomKeyGenerationExerciseVC.swift#L25) [10](https://github.com/Custodela/iGoat-Swift/blob/master/iGoat-Swift/iGoat-Swift/Source/Exercises/Key Management/Random Key Generation/RandomKeyGenerationExerciseVC.swift#L10) [14](https://github.com/Custodela/iGoat-Swift/blob/master/iGoat-Swift/iGoat-Swift/Source/Exercises/Key Management/Random Key Generation/RandomKeyGenerationExerciseVC.swift#L14)

---

[Code (Line #20):](https://github.com/Custodela/iGoat-Swift/blob/master/iGoat-Swift/iGoat-Swift/Source/Exercises/Key Management/Random Key Generation/RandomKeyGenerationExerciseVC.swift#L20)

        let password = passwordField.text

---

[Code (Line #8):](https://github.com/Custodela/iGoat-Swift/blob/master/iGoat-Swift/iGoat-Swift/Source/Exercises/Key Management/Random Key Generation/RandomKeyGenerationExerciseVC.swift#L8)

    @IBOutlet weak var passwordField: UITextField!

---

[Code (Line #25):](https://github.com/Custodela/iGoat-Swift/blob/master/iGoat-Swift/iGoat-Swift/Source/Exercises/Key Management/Random Key Generation/RandomKeyGenerationExerciseVC.swift#L25)

        passwordField.text = ""

---

[Code (Line #10):](https://github.com/Custodela/iGoat-Swift/blob/master/iGoat-Swift/iGoat-Swift/Source/Exercises/Key Management/Random Key Generation/RandomKeyGenerationExerciseVC.swift#L10)

    @IBOutlet weak var secretKeyField: UITextField!

---

[Code (Line #14):](https://github.com/Custodela/iGoat-Swift/blob/master/iGoat-Swift/iGoat-Swift/Source/Exercises/Key Management/Random Key Generation/RandomKeyGenerationExerciseVC.swift#L14)

        let message = (encryptionKeyStr == secretKeyField.text) ? "Success!!" : "Try Harder!!"

---

[tsunez]

Issue still exists.

SUMMARY

Issue has 5 vulnerability/vulnerabilities left to be fixed (Please scroll to the top for more information)

[tsunez]

Issue still exists.

SUMMARY

Issue has 5 vulnerability/vulnerabilities left to be fixed (Please scroll to the top for more information)

[tsunez]

Issue still exists.

SUMMARY

Issue has 5 vulnerability/vulnerabilities left to be fixed (Please scroll to the top for more information)

[zhouhao27]

Got exactly the same issue when scanning with Checkmarx. Then I fixed it by the suggested methods. And also add the code to disable the third party keyboard. But the issue still exists. I think if it's a false positive detection?

- (BOOL)application:(UIApplication *)application shouldAllowExtensionPointIdentifier:(UIApplicationExtensionPointIdentifier)extensionPointIdentifier {
    if ([extensionPointIdentifier isEqualToString: UIApplicationKeyboardExtensionPointIdentifier]) {
            return NO;
    }
    return YES;
}