Virtual Sanity

John Brayton's blog

About   Microblog   RSS

Video Mirroring and Password Entry

January 10, 2015

Earlier this week I demonstrated an iOS app at CocoaHeads Boston. I intended to demonstrate the app's 1Password integration, but I hit a snag. The 1Password extension asked me for my master password. It did not allow me to authenticate with my thumbprint. I entered the first character of the master password, saw the character in clear text on the screen, and realized that continuing to enter the password in front of forty people would be unwise. I should have considered this ahead of time and used my development device with a separate 1Password keychain and master password.

On the Mac, this would not have been an issue. Password characters are shown as bullet (•) characters. On iOS, each character is shown in clear text for a short period of time. This is a reasonable compromise, but I think it should be reconsidered when the display is being mirrored to another screen through a connector or through AirPlay Mirroring.

I describe my desire in Radar 19436675:

Product: iOS

Classification: Security

Reproducibility: Always

Title: Video Mirroring and Password Entry

Description: When you enter a password into a UITextField that has “secureTextEntry” enabled, each character is shown on the screen for a short amount of time. This is a reasonable compromise, but this makes it difficult to securely enter a password when giving a presentation. Anyone watching your screen or a mirror of it can see the password.

I am requesting that, when video is being mirrored to an external screen through a connector or through AirPlay Mirroring, the password characters never appear in clear text on the screen — or at least not on devices mirroring its screen.

Steps to Reproduce:
1. Use AirPlay Mirroring to share your screen with a room full of people.
2. Open Settings and navigate to Mail, Contacts, Calendars → Add Account → iCloud.
3. Enter your iCloud email address and password.

Expected Results:
I would like to be able to enter my password, feeling secure in the knowledge that no one else can see it.

Actual Results:
Anyone watching the mirror of the screen can see password characters as they are typed.

Configuration:
I assume this is as expected on all iOS devices. I see this on my iPhone 5S when mirroring to an Apple TV.

Version & Build:
iOS 8.1.2 (12B440)

Additional Notes:
The same is true of password fields on web pages in Safari and in other web views. I assume that those password fields are implemented as UITextFields with secureTextEntry enabled. If they are not, password fields in web views should be addressed as well.