Android Sensitive data stored in keyboard cache

Description

Android stores non-numeric words typed into text fields in the keyboard cache (the keyboard's personal dictionary used for suggestions and auto-correction). Sensitive information such as login names or passwords may leak through this cache if the field does not disable suggestions and auto-correction.

Recommendation

Input fields that are expected to receive sensitive information should declare an input type such as "textNoSuggestions" or "textPassword" so that what the user types is not stored in the keyboard cache. The example below sets it in the layout XML; the same flags can also be set programmatically on the EditText.

<?xml version="1.0" encoding="utf-8"?>
<LinearLayout
    xmlns:android="http://schemas.android.com/apk/res/android"
    xmlns:app="http://schemas.android.com/apk/res-auto"
    android:layout_width="match_parent"
    android:layout_height="wrap_content">

    <!-- This password field uses the `textPassword` input type to ensure that the input is not saved to the keyboard cache. -->
    <!-- layout_width and layout_height are mandatory on every view; without them the layout fails to inflate. -->
    <EditText
        android:id="@+id/password"
        android:layout_width="match_parent"
        android:layout_height="wrap_content"
        android:inputType="textPassword"/>
</LinearLayout>
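As an added example (not part of the original page), the following Python script scans an Android layout for EditText elements whose id suggests sensitive input but whose inputType lacks the textPassword or textNoSuggestions flag recommended above. The id heuristic, the accepted flag set and the sample layout are assumptions constructed for the example.

```python
"""Static check for EditText fields that may leak into the keyboard cache.

Hypothetical helper written for this example; not from the original page.
"""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Flags the page recommends; treated here as the only accepted set (assumption).
SAFE_TYPES = {"textPassword", "textNoSuggestions"}


def input_type_flags(value):
    """Split an inputType value such as 'textPassword|textNoSuggestions' into flags."""
    return {f.strip() for f in value.split("|") if f.strip()}


def looks_sensitive(name):
    """Heuristic (assumption): does this view id name a secret-bearing field?"""
    tokens = re.split(r"[^a-z0-9]+", name.lower())
    return any(h in name.lower() for h in ("password", "passwd", "secret")) or any(
        t in ("pin", "otp", "token") for t in tokens
    )


def find_cached_sensitive_fields(layout_xml):
    """Return ids of EditText elements that look sensitive but lack a safe inputType."""
    root = ET.fromstring(layout_xml)
    findings = []
    for elem in root.iter():          # iter() visits the root and every descendant
        if elem.tag != "EditText":
            continue
        field_id = elem.get(ANDROID_NS + "id", "")
        name = field_id.split("/")[-1]  # "@+id/password" -> "password"
        if not looks_sensitive(name):
            continue
        flags = input_type_flags(elem.get(ANDROID_NS + "inputType", ""))
        if not flags & SAFE_TYPES:   # no cache-disabling flag present
            findings.append(field_id)
    return findings


# Constructed sample layout: one safe password field, one PIN field that would be cached.
SAMPLE_LAYOUT = """<?xml version="1.0" encoding="utf-8"?>
<LinearLayout xmlns:android="http://schemas.android.com/apk/res/android"
    android:layout_width="match_parent" android:layout_height="match_parent">
    <EditText android:id="@+id/username" android:inputType="text"/>
    <EditText android:id="@+id/password" android:inputType="textPassword"/>
    <EditText android:id="@+id/recovery_pin" android:inputType="text"/>
</LinearLayout>"""

if __name__ == "__main__":
    for field in find_cached_sensitive_fields(SAMPLE_LAYOUT):
        print("keyboard cache risk:", field)
```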

Standards

  • OWASP_MASVS_L1:
    • MSTG_STORAGE_5
  • OWASP_MASVS_L2:
    • MSTG_STORAGE_5
  • PCI_STANDARDS:
    • REQ_2_2
    • REQ_3_2
    • REQ_3_5
    • REQ_6_2
  • OWASP_MASVS_v2_1:
    • MASVS_STORAGE_2