
The way that my application is set up right now is where the use of password autofill and the system offering to remember the password can cause potential security issues. I know that the user has the ability to turn off autofill, but is there a way that developers can restrict these two features for only their application?

Edit:

I have a username and password text field where both text fields have a contentType of .unspecified. The password text field has secureTextEntry as true.

If I have a password saved in Keychain, when tapping on a text field, the QuickType bar has an option for Keychain autofill. If I tap on a set of credentials on the QuickType bar (containing a username and password), the username text field and password text field populate with their respective credentials (despite having an unspecified contentType). I would like to disable this autofill feature.

I would also like to disable the feature where when the user logs in, the system will ask the user to "Remember password".

rmaddy
acwlaw
  • What security issues can it cause? What do you mean by _"restrict these two features"_? What's happening that you don't want to happen? – Ashley Mills Sep 27 '18 at 14:21
  • @AshleyMills I'm unclear of what exactly can happen, but upper management doesn't like this feature and I am just seeing if it is possible to prevent them. (a) prevent the use of Keychain for only my app (and therefore turning off Autofill) and (b) preventing the system asking to save the password once a user logs in – acwlaw Sep 27 '18 at 14:36
  • I'm assuming you mean the iOS 12 automatic strong password. Autofill is only used if you set text field contentTypes to username and new password / password. If you set them to Unspecified it won't happen. – Ashley Mills Sep 27 '18 at 14:46
  • @AshleyMills I tested this with having contentType set to unspecified, but the Keychain was still able to guess which field was a username and password by filling in the password in the text field that is marked with secureTextEntry and the username on the other text field – acwlaw Sep 27 '18 at 14:52
  • What do you mean by _"Keychain was still able to guess which field was a username and password"_? What are you seeing? Please [edit] your question and give more details about what you're seeing and what you want to happen. Add screenshots if necessary. – Ashley Mills Sep 27 '18 at 14:52
  • @AshleyMills please see edit – acwlaw Sep 27 '18 at 15:07
  • Have you put an apple-app-site-association file on your server? – Ashley Mills Sep 27 '18 at 15:33
  • Yes I have, but not for the purposes of Autofill – acwlaw Sep 27 '18 at 15:38
  • OK - removing that file will prevent autofill – Ashley Mills Sep 27 '18 at 15:38
  • Any other way to go about it? I required the use of the AASA for universal links. – acwlaw Sep 27 '18 at 15:41
  • Tell your upper management that this is a security feature and they should get with the program? – Ashley Mills Sep 27 '18 at 15:43
  • Restrict "Save password" for UITextField https://stackoverflow.com/a/65268452/1199935 – Roman Solodyashkin Dec 12 '20 at 18:36

0 Answers