iOS Security
Nov 03, 2025
3 min read

How Hackers Exploit Predictive Text in Your Apps? (In Practice)

A hands on look at how predictive text can leak what users type, a lab demo, and practical fixes for developers.

1. What is Predictive Text?

Predictive Text (QuickType) on iOS is the feature that shows suggested words above the keyboard as you type. It learns from your typing behavior, common phrases, and contact names to predict what you might write next.

On iOS, all this learning happens locally on the device. The keyboard subsystem stores dynamic data and lexicon files used by the model to generate suggestions. These files are stored under:

/private/var/mobile/Library/Keyboard/

This directory contains files such as dynamic-lexicon.dat, which store user-learned words and typing patterns.

2. Note

Normally, iOS sandboxing and file protection mechanisms prevent apps from reading these files. However, on a kernel-exposed or root-compromised device these protections can be bypassed.

This means a security tester or an attacker with full system privileges could access the stored predictive text data and potentially reveal sensitive information learned by the keyboard.

3. Practical example using my tool

Here is an example using my tool to download the keyboard data and print its content.

When a user interacts with the app, the device may record keystrokes for every input by default. This is not done only to power predictive text: autocorrect, local suggestion caches, diagnostic logs and other system features use the same data. The logging does not occur when the app explicitly marks an input as secure (for example, by using a secure input field). Developers should therefore mark sensitive fields as secure and disable autocorrection and related features so that secrets are never stored by accident. Because these values are kept locally on the device, they become readable on a jailbroken or root-compromised device, where a malicious app or an attacker with full privileges can open those files and recover sensitive fragments.

To make things simpler, I have created a script that automates connecting to a jailbroken device and dumping keyboard data. You can find it at my GitHub: BAT PredictiveTXT Dumper.

4. How Attackers Could Abuse It

  • Extracting learned words from the keyboard cache to gather hints such as emails, card fragments, or OTP patterns.
  • Cross-referencing these suggestions with other data to reconstruct partial credentials.
  • Using extracted words for targeted phishing or social engineering attacks.

5. Conclusion & Best Practices

Predictive Text is handy, but it creates privacy risks when sensitive fields are not secured. If predictive text learns from confidential entries, that data can become accessible on compromised devices.

Quick checklist

  1. Disable predictive text and autocorrect on sensitive fields such as passwords, card numbers, and OTPs.
  2. Force the system keyboard for sensitive inputs; avoid third-party keyboards where possible.
  3. Do not log or store sensitive input for debugging.
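The following Swift snippet is an added example showing how checklist items 1 and 2 (and the developer advice in section 3) look in UIKit code. It is not taken from the post or from the BAT PredictiveTXT Dumper project; the `SensitiveField` enum, the `hardenTextField` helper and the `AppDelegate` shown here are assumed names for illustration. The UIKit properties and the `shouldAllowExtensionPointIdentifier` delegate method are real API.

```swift
import UIKit

/// Kinds of sensitive input the app collects (assumed for this example).
enum SensitiveField {
    case password
    case cardNumber
    case oneTimeCode
}

/// Configure a UITextField so the system keyboard does not learn from it.
/// Secure text entry alone switches off QuickType suggestions; the remaining
/// properties cover fields that must stay visible (card number, OTP) and the
/// autocorrect / spell-check paths that also feed the keyboard's learned data.
func hardenTextField(_ field: UITextField, for kind: SensitiveField) {
    // Checklist item 1: no predictions, no autocorrect, no "smart" rewriting.
    field.autocorrectionType = .no
    field.spellCheckingType = .no
    field.smartQuotesType = .no
    field.smartDashesType = .no
    field.smartInsertDeleteType = .no
    field.autocapitalizationType = .none

    switch kind {
    case .password:
        field.isSecureTextEntry = true        // masks input and disables QuickType
        field.textContentType = .password     // AutoFill comes from the keychain, not the lexicon
        field.keyboardType = .asciiCapable
    case .cardNumber:
        field.isSecureTextEntry = false       // the user needs to see the digits
        field.textContentType = .creditCardNumber
        field.keyboardType = .numberPad       // numeric pad shows no word predictions
    case .oneTimeCode:
        field.isSecureTextEntry = false
        field.textContentType = .oneTimeCode  // SMS code AutoFill, so the code is never typed
        field.keyboardType = .numberPad
    }
}

/// Contrast: a field left at UIKit defaults. Every character typed here
/// may be learned by the keyboard and end up under
/// /private/var/mobile/Library/Keyboard/.
func weakPasswordField() -> UITextField {
    let field = UITextField()
    field.placeholder = "Password"
    return field            // isSecureTextEntry defaults to false, autocorrect to .default
}

/// Checklist item 2: refuse third-party keyboard extensions for the whole app,
/// so only Apple's keyboard (whose learning the secure flags above control) is used.
final class AppDelegate: UIResponder, UIApplicationDelegate {
    func application(_ application: UIApplication,
                     shouldAllowExtensionPointIdentifier extensionPointIdentifier: UIApplication.ExtensionPointIdentifier) -> Bool {
        return extensionPointIdentifier != .keyboard
    }
}

/// Example login form wiring the helper to its fields.
func makeLoginFields() -> (password: UITextField, otp: UITextField) {
    let password = UITextField()
    password.placeholder = "Password"
    hardenTextField(password, for: .password)

    let otp = UITextField()
    otp.placeholder = "One-time code"
    hardenTextField(otp, for: .oneTimeCode)

    return (password, otp)
}
```

For checklist item 3, the same rule applies to anything the app writes itself: log the field kind or a redacted marker, never the entered value. Toggling `isSecureTextEntry` on an already-used field does not erase what the keyboard learned while it was off, so apply the hardening before the field is first shown.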

Always disable autocorrection and related behaviors for sensitive fields to avoid unintended storage of private data.