Storing sensitive information in the keyboard cache
Severity: MEDIUM
Detection method: DAST SENSITIVE INFO
Description
Android has a mechanism to auto-complete words that the user enters in text fields. If Android does not recognize a word the user types, it can cache the word (or prompt the user to add it to the dictionary). This feature is very useful for messenger applications, for example. However, the keyboard cache may disclose sensitive information if such information (credit card data, login, password or personal user information) is entered into a field that uses it.
The android:inputType="textNoSuggestions" attribute in the declaration of the (<EditText/>) element is responsible for enabling or disabling the auto-complete option.
An example of vulnerable code:
<EditText android:id="@+id/KeyBoardCache"/>
Recommendations
All input fields that request confidential information must have the following XML attribute set (to disable auto-complete):
<EditText android:id="@+id/KeyBoardCache" android:inputType="textNoSuggestions"/>
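The following script is an added example (not part of the original finding) that checks layout XML for the condition described above: it parses a layout, finds every EditText and reports those whose android:inputType does not include textNoSuggestions. The sample layout is constructed for this example; treating the password input types (textPassword, textVisiblePassword, textWebPassword, numberPassword) as acceptable is an assumption of this check, since the keyboard does not learn from password fields.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# inputType flags accepted by this check. textNoSuggestions is the flag the
# finding asks for; the password variations are an assumption of this example.
SAFE_FLAGS = {
    "textNoSuggestions",
    "textPassword",
    "textVisiblePassword",
    "textWebPassword",
    "numberPassword",
}

# Constructed sample layout: two fields still allow suggestions
# (KeyBoardCache has no inputType, email has textEmailAddress only),
# two are acceptable (cardNumber and password).
SAMPLE_LAYOUT = """<?xml version="1.0" encoding="utf-8"?>
<LinearLayout xmlns:android="http://schemas.android.com/apk/res/android"
    android:layout_width="match_parent" android:layout_height="match_parent">
    <EditText android:id="@+id/KeyBoardCache"
        android:layout_width="match_parent" android:layout_height="wrap_content"/>
    <EditText android:id="@+id/cardNumber"
        android:inputType="textNoSuggestions"
        android:layout_width="match_parent" android:layout_height="wrap_content"/>
    <EditText android:id="@+id/password"
        android:inputType="textPassword"
        android:layout_width="match_parent" android:layout_height="wrap_content"/>
    <EditText android:id="@+id/email"
        android:inputType="textEmailAddress"
        android:layout_width="match_parent" android:layout_height="wrap_content"/>
</LinearLayout>
"""


def input_type_flags(value):
    """Split an android:inputType value such as 'text|textNoSuggestions' into flags."""
    return {flag.strip() for flag in value.split("|") if flag.strip()}


def find_suggesting_fields(layout_xml):
    """Return the ids (in document order) of EditText elements that still allow
    keyboard suggestions, i.e. whose inputType contains none of SAFE_FLAGS."""
    root = ET.fromstring(layout_xml)
    findings = []
    for elem in root.iter():
        # Layout tags are unqualified, but strip a namespace just in case.
        if elem.tag.split("}")[-1] != "EditText":
            continue
        field_id = elem.get(f"{{{ANDROID_NS}}}id", "<no id>")
        input_type = elem.get(f"{{{ANDROID_NS}}}inputType", "")
        if not (input_type_flags(input_type) & SAFE_FLAGS):
            findings.append(field_id)
    return findings


if __name__ == "__main__":
    for field_id in find_suggesting_fields(SAMPLE_LAYOUT):
        print(f'{field_id}: add android:inputType="textNoSuggestions"')
```

To run the same check over a real project, replace SAMPLE_LAYOUT with the content of each file under res/layout/ (ET.parse(path).getroot() works in place of ET.fromstring). The check reports every field without the flag; which of them actually hold confidential data is a decision for the reviewer, because the layout alone does not say what a field is used for.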
Links
1. https://developer.android.com/reference/android/text/InputType.html#TYPE_TEXT_FLAG_NO_SUGGESTIONS
2. https://www.owasp.org/index.php/Mobile_Top_10_2016-M2-Insecure_Data_Storage