Titanium JIRA Archive
Titanium SDK/CLI (TIMOB)

[TIMOB-24300] iOS: Add ability to disallow custom keyboards (Data Leakage) via tiapp.xml

GitHub Issue: n/a
Type: Story
Priority: High
Status: Closed
Resolution: Fixed
Resolution Date: 2017-01-28T09:46:33.000+0000
Affected Version/s: n/a
Fix Version/s: Release 6.1.0
Components: iOS
Labels: n/a
Reporter: Shuo Liang
Assignee: Hans Knöchel
Created: 2017-01-12T00:46:56.000+0000
Updated: 2017-01-28T09:46:38.000+0000

Description

A security scan found a possible Information Leakage issue associated with this:

Apple has introduced several new IPC (Inter Process Communication)/Extensions since the inception of iOS 8. One of the Extension Points is the ability for users to install "Custom Keyboards." Custom Keyboards can operate in 2 Open Access modes (On and Off). They observed that the application allows custom keyboards. The use of custom keyboards can have security implications if the user allows the custom keyboard to have internet connectivity. If the custom keyboard can connect to the internet, it can send any keystroke to the custom keyboard maker's server, leading to potential data leakage.

Is there a way we can ensure this warning won't show up when building the app?

Comments

  1. Hans Knöchel 2017-01-12

    *PR*: https://github.com/appcelerator/titanium_mobile/pull/8748

    *To test*:
    1. Download one of the custom-keyboard apps and install the custom keyboard
    2. Create a new Titanium project
    3. Paste the following content into the index.js / app.js file:
       var win = Ti.UI.createWindow({
           backgroundColor: '#fff'
       });
       
       var field = Ti.UI.createTextField({
           width: 300,
           height: 40,
           backgroundColor: "#f0f0f0"
       });
       
       win.add(field);
       win.open();
       
    4. Add <property name="allow-custom-keyboards" type="bool">false</property>
    5. Run the Titanium app

    *Expected behavior*: The custom keyboard does not show up. Toggle the property to see different behaviors.

    Updated guide: https://wiki.appcelerator.org/display/guides2/tiapp.xml+and+timodule.xml+Reference#tiapp.xmlandtimodule.xmlReference-allow-custom-keyboards
  2. Hans Knöchel 2017-01-13

    [~sliang] This should fit the customer's requirements.
  3. Eric Wieber 2017-01-26

    FR passed, using:
    MacOS 10.12 (16A323)
    Studio 4.8.1.201612050850
    Ti SDK 6.1.0
    Appc NPM 4.2.8
    Appc CLI 6.1.0
    Alloy 1.9.5
    Xcode 8.2 (8C38)

    Custom keyboards are not allowed when setting the allow-custom-keyboards property to false. They are allowed when the property is true. Tested using the provided test case and modified versions of it.
  4. Eric Wieber 2017-01-27

    Verified in SDK 6.1.0.v20170126150653
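
A build-time check for the setting discussed in this ticket, as an added example that is not part of the original thread or of the Titanium project's code: it parses tiapp.xml and fails unless `allow-custom-keyboards` is declared once, as a `bool`, with the value `false`. The function name, the sample XML and the treatment of a missing property as "keyboards allowed" are assumptions.

```python
import xml.etree.ElementTree as ET

PROPERTY = "allow-custom-keyboards"  # property name from the ticket

# Constructed sample tiapp.xml documents (not taken from a real project).
SAMPLE_HARDENED = """<ti:app xmlns:ti="http://ti.appcelerator.org">
    <id>com.example.app</id>
    <property name="allow-custom-keyboards" type="bool">false</property>
</ti:app>"""

SAMPLE_DEFAULT = """<ti:app xmlns:ti="http://ti.appcelerator.org">
    <id>com.example.app</id>
</ti:app>"""


def check_custom_keyboards(tiapp_xml):
    """Return (ok, reason); ok is True only when the property is bool false."""
    try:
        root = ET.fromstring(tiapp_xml)
    except ET.ParseError as exc:
        return False, "tiapp.xml is not well-formed: %s" % exc
    matches = [p for p in root.findall("property") if p.get("name") == PROPERTY]
    if not matches:
        return False, "property missing (assumed default: keyboards allowed)"
    if len(matches) > 1:
        return False, "property declared %d times; result is ambiguous" % len(matches)
    prop = matches[0]
    if prop.get("type") != "bool":
        return False, 'type is %r, expected "bool"' % prop.get("type")
    value = (prop.text or "").strip()
    if value != "false":
        return False, "value is %r; custom keyboards stay enabled" % value
    return True, "custom keyboards disallowed"


if __name__ == "__main__":
    import sys
    # With a path argument, check that file; otherwise run the constructed samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            ok, reason = check_custom_keyboards(fh.read())
        print(reason)
        sys.exit(0 if ok else 1)
    for name, doc in (("hardened", SAMPLE_HARDENED), ("default", SAMPLE_DEFAULT)):
        print(name, check_custom_keyboards(doc))
```

Run with the path to tiapp.xml as the only argument; the exit status is non-zero when the property is missing, duplicated, mistyped or not `false`, so the script can gate a CI build.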
