It’s March 2018 when I’m writing this post. From day to day, Apple’s security is improved - we have Kernel Patch Protection, Secure Enclave Processor (now even on macOS with Touch Bar), GateKeeper and many other security features. On the other hand, only in the last half of the year some trivial bugs were found that led to password disclosure. It’s seems like password leaks may be currently the most serious, from PR perspective, *OS problem.
For instance, let’s recall CVE-2017-7149 - password leakage via hint: Source: https://www.macrumors.com/
Another example may be finding ==(finally fixed!)== where macOS was storing newly created encrypted volume password in logs. Source https://www.mac4n6.com/
Shown examples refer to macOS. What about iOS? We can’t just plug an external drive in and encrypt it. Instead of this we have custom apps that sometimes have to save some
passwords secret data in Keychain.
If you are a developer - remember just one simple thing > Don’t log secret data on production environment
During my work, I was auditing a Cordova App and then I saw plain text password right in the logs. I talked to the developer and it proved that Cordova ==doesn’t support Keychain by itself==. One of the most popular Keychain plugin (also used by this developer) is https://github.com/ionic-team/cordova-plugin-ios-keychain.
The guilty one was of course the NSLog function ;-)
I have reported it and the bug is now fixed (CVE-2018-1000123).