iOS 13 has brought along a lot of interesting new features and one of these which i’ve started using is Swipe to Type. I’ve been quite impressed by the accuracy.

This functionality has long been around for a long time in third party apps and has been a native function in Android (I think) for some time.

What does the native iOS version look like under the hood?

Swipe to Type – Files of interestingness

/private/var/mobile/Library/Keyboard/shapestore.db

This database contains much the same content as you’d expect to see in the dynamic-text.dat dictionary file. The only apparent useful table is called shapes and this stores the swiped word as string_representation, there is also a blob entry for shape_data which presumably stores data relating to gesture tracking accuracy, however this is just an assumption.

/private/var/mobile/Library/Keyboard/user_model_database.sqlite

This database appears to be the real interesting one. There are a few tables in this database but the ones we would be interested in are:

• usermodeldurablerecords 
• usermodeltransientrecords

usermodeldurablerecords 

This table seems pretty basic, it shows a total number or typed words and the number of words pathed, presumably this second value relates the number of words created through the Type to Swipe feature.

usermodeltransientrecords

This table has a number of fields or keys relating to user activity on the keyboard:

• tium.wordsTyped
• tium.pathEligibleWordsTapped
• tium.durationTappedWords
• tium.wholeWordDeleted

I have not figured out which each of these relate to as yet, although some will be quite obvious, and as you can see there are last update timestamps.

When paired with messaging activity in the SMS.db, web browsing or other application data, this will make good evidence for identifying when a user was actually interacting with their device.

Further work is required but this is a nice new artefact which can be in the investigators toolkit for finding evidence of hands-on device usage.