
Enhance best practices for preventing keyboard caching in sensitive text inputs#3573

Open
cpholguera wants to merge 2 commits into master from keyboard-cache-best-know

Conversation

@cpholguera (Collaborator) commented Dec 6, 2025

This PR enhances iOS security documentation by expanding guidance on preventing keyboard caching of sensitive text inputs. It updates both the knowledge base article on keyboard caching and the best practices guide to provide comprehensive, security-focused recommendations.

| File | Description |
| --- | --- |
| `knowledge/ios/MASVS-STORAGE/MASTG-KNOW-0100.md` | Enhanced documentation of iOS keyboard caching behavior with forensic context, detailed explanations of UITextInputTraits properties, and their security implications |
| `best-practices/MASTG-BEST-0026.md` | Added best practices with specific configuration recommendations for preventing keyboard caching in sensitive text inputs |

Copilot AI (Contributor) left a comment

Pull request overview

This PR enhances iOS security documentation by expanding guidance on preventing keyboard caching of sensitive text inputs. It updates both the knowledge base article on keyboard caching and the best practices guide to provide comprehensive, security-focused recommendations.

  • Expanded technical details about iOS keyboard caching mechanisms and forensic implications
  • Documented the UITextInputTraits protocol properties that control keyboard learning behavior
  • Established clear best practices for configuring text fields handling sensitive information

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 7 comments.

| File | Description |
| --- | --- |
| `knowledge/ios/MASVS-STORAGE/MASTG-KNOW-0100.md` | Enhanced documentation of iOS keyboard caching behavior with forensic context, detailed explanations of UITextInputTraits properties, and their security implications |
| `best-practices/MASTG-BEST-0026.md` | Converted from placeholder to complete best practice guide with specific configuration recommendations for preventing keyboard caching in sensitive text inputs |


@cpholguera cpholguera requested a review from serek8 December 6, 2025 18:57
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@bernhste (Collaborator) left a comment

I am aware that architecture and design were removed since V1. But data classification in this case seems important. I would at least mention it and refer to policies, etc.

---

Several options, such as autocorrect and spell check, are available to users to simplify keyboard input and are cached by default in `.dat` files in `/private/var/mobile/Library/Keyboard/` and its subdirectories.
Several features such as autocorrection, spell checking, and predictive suggestions help users enter text more quickly. On iOS, these features are backed by on-device keyboard dictionaries that are persisted in `.dat` files under `/private/var/mobile/Library/Keyboard/` and its subdirectories. Forensic analyses and security research show that user-typed terms, including previously unknown words, can appear in files such as `dynamic-text.dat` in this directory and may be recoverable during device analysis.
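Review bot: the new sentence asserts that "forensic analyses and security research show" typed terms end up in `dynamic-text.dat`, but nothing in this change cites a source for that claim; add a reference (a published forensic write-up or Apple documentation on keyboard dictionaries) next to the sentence so readers of MASTG-KNOW-0100 can verify it, and state the iOS versions on which the behaviour was observed, since the file layout under `/private/var/mobile/Library/Keyboard/` is not guaranteed to be stable across releases.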
Collaborator comment on this change:
note: This topic explains best practices to prevent sensitive text inputs from being cached by the iOS keyboard.
---

Sensitive text inputs should never participate in keyboard learning or prediction. On iOS, this means explicitly disabling features that allow the system keyboard to cache or reuse previously entered values. By default, standard text fields are eligible for caching unless told otherwise, which makes explicit configuration essential for any field that handles secrets or identifiers.
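Review bot: "explicitly disabling features that allow the system keyboard to cache or reuse previously entered values" does not say which settings a developer has to change; name the UITextInputTraits properties that MASTG-KNOW-0100 documents in this same PR (or link to that knowledge entry) so that MASTG-BEST-0026 is actionable on its own, and consider stating that the configuration must be applied to every field that takes the data, not only the obvious password field.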
Collaborator comment on this change:
Suggested change
Sensitive text inputs should never participate in keyboard learning or prediction. On iOS, this means explicitly disabling features that allow the system keyboard to cache or reuse previously entered values. By default, standard text fields are eligible for caching unless told otherwise, which makes explicit configuration essential for any field that handles secrets or identifiers.
Sensitive text inputs should never participate in keyboard learning or prediction. What is defined as sensitive text should be carefully evaluated for all text input based on data protection laws, industry regulations, company policies or individual assessment.
On iOS, this means explicitly disabling features that allow the system keyboard to cache or reuse previously entered values. By default, standard text fields are eligible for caching unless told otherwise, which makes explicit configuration essential for any field that handles secrets or identifiers.

Should we add a sentence about how to classify data first (data protection law, industry standard like PCI-DSS, etc.)?

Because this best practice should be applied to all text input and not just obvious ones like password forms. For example, an app for lawyers, or critical infrastructure can have many sensitive text input forms.
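As an added example that is not code from this PR or from the MASTG files it edits, the following Swift snippet shows what the "explicit configuration" discussed above looks like in UIKit, together with a view-hierarchy audit that catches fields the configuration was never applied to. The type name `KeyboardCacheGuard`, the `secret` flag and the audit's criteria are my own assumptions; the properties set are members of Apple's UITextInputTraits protocol.

```swift
import UIKit

/// Added example (not code from this PR or the MASTG files it edits): an explicit
/// non-caching configuration for UIKit text fields, plus an audit helper.
/// Every property set in `harden` is a member of UITextInputTraits.
enum KeyboardCacheGuard {

    /// Disable every keyboard feature that feeds the on-device dictionaries.
    /// Secrets (passwords, OTPs, PINs) are additionally masked; identifiers
    /// such as account or case numbers stay visible but are still not learned.
    static func harden(_ field: UITextField, secret: Bool) {
        field.autocorrectionType = .no          // no learning of typed words
        field.spellCheckingType = .no           // no spell-check lookups
        field.autocapitalizationType = .none
        field.smartQuotesType = .no             // iOS 11+: no smart punctuation
        field.smartDashesType = .no
        field.smartInsertDeleteType = .no
        field.isSecureTextEntry = secret        // masks characters on screen
        // AutoFill (textContentType) is a separate mechanism and is left to
        // the caller: a password field may still use .password for Keychain.
    }

    /// Returns every UITextField under `root` whose traits still allow the
    /// keyboard to learn from it. Run from a debug build or a UI test, where
    /// an empty result is the expected outcome (audit criteria are assumed).
    static func unhardenedFields(in root: UIView) -> [UITextField] {
        var found: [UITextField] = []
        func walk(_ view: UIView) {
            if let tf = view as? UITextField,
               tf.autocorrectionType != .no || tf.spellCheckingType != .no {
                found.append(tf)
            }
            view.subviews.forEach(walk)
        }
        walk(root)
        return found
    }
}

// Constructed usage, e.g. in a login screen's viewDidLoad:
// KeyboardCacheGuard.harden(passwordField, secret: true)
// KeyboardCacheGuard.harden(accountNumberField, secret: false)
// assert(KeyboardCacheGuard.unhardenedFields(in: view).isEmpty)
```

The audit deliberately flags any field that still allows autocorrection or spell checking, regardless of whether it holds a secret, which matches the point made above that the classification step decides which fields count as sensitive.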
