There are different approaches for getting to the user’s credentials, I will present the easiest here and I will concentrate on iOS:
We register a custom NSURLProtocol for ‘keylogger://’ URLs. It is a dummy implementation which just makes sure that those URLs aren’t processed further by the framework.
In the shouldStartLoadWithRequest: method, we capture all of the ‘keylogger://’ requests and log the characters. Then we stop loading, because those URLs are just used to communicate between JS and Objective-C.