Merge pull request #10684 from joefarebrother/android-keyboard-cache

Java: Add query for Sensitive Keyboard Cache

java/ql/src/Security/CWE/CWE-524/Example.xml

@@ -0,0 +1,15 @@
+<?xml version="1.0" encoding="utf-8"?>
+<LinearLayout
+    xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:app="http://schemas.android.com/apk/res-auto">
+
+    <!-- BAD: This password field uses the `text` input type, which allows the input to be saved to the keyboard cache. -->
+    <EditText
+        android:id="@+id/password_bad"
+        android:inputType="text"/> 
+
+    <!-- GOOD: This password field uses the `textPassword` input type, which ensures that the input is not saved to the keyboard cache. -->
+    <EditText
+        android:id="@+id/password_good"
+        android:inputType="textPassword"/>  
+</LinearLayout>

java/ql/src/Security/CWE/CWE-524/SensitiveKeyboardCache.qhelp

@@ -0,0 +1,33 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>When a user enters information in a text input field on an Android application, their input is saved to a keyboard cache which provides autocomplete suggestions and predictions. There is a risk that sensitive user data, such as passwords or banking information, may be leaked to other applications via the keyboard cache.</p>
+
+</overview>
+<recommendation>
+
+<p>For input fields expected to accept sensitive information, use input types such as <code>"textNoSuggestions"</code> (or <code>"textPassword"</code> for a password) to ensure the input does not get stored in the keyboard cache.</p>
+<p>Optionally, instead of declaring an input type through XML, you can set the input type in your code using <code>TextView.setInputType()</code>.</p>
+</recommendation>
+<example>
+
+<p>In the following example, the field labeled BAD allows the password to be saved to the keyboard cache,
+ whereas the field labeled GOOD uses the <code>"textPassword"</code> input type to ensure the password is not cached.</p>
+
+<sample src="Example.xml" />
+
+</example>
+<references>
+
+<li>
+  OWASP Mobile Application Security Testing Guide: <a href="https://github.com/OWASP/owasp-mastg/blob/b7a93a2e5e0557cc9a12e55fc3f6675f6986bb86/Document/0x05d-Testing-Data-Storage.md#determining-whether-the-keyboard-cache-is-disabled-for-text-input-fields-mstg-storage-5">Determining Whether the Keyboard Cache Is Disabled for Text Input Fields</a>.
+</li>
+<li>
+  Android Developers: <a href="https://developer.android.com/reference/android/widget/TextView#attr_android:inputType">android:inputType attribute documentation.</a>
+</li>
+
+</references>
+</qhelp>

java/ql/src/Security/CWE/CWE-524/SensitiveKeyboardCache.ql

@@ -0,0 +1,18 @@
+/**
+ * @name Android sensitive keyboard cache
+ * @description Allowing the keyboard to cache sensitive information may result in information leaks to other applications.
+ * @kind problem
+ * @problem.severity warning
+ * @security-severity 8.1
+ * @id java/android/sensitive-keyboard-cache
+ * @tags security
+ *       external/cwe/cwe-524
+ * @precision medium
+ */
+
+import java
+import semmle.code.java.security.SensitiveKeyboardCacheQuery
+
+from AndroidEditableXmlElement el
+where el = getASensitiveCachedInput()
+select el, "This input field may contain sensitive information that is saved to the keyboard cache."

java/ql/src/change-notes/2022-10-07-sensitive-keyboard-cache.md

@@ -0,0 +1,4 @@
+---
+category: newQuery
+---
+* Added a new query, `java/android/sensitive-keyboard-cache`, to detect instances of sensitive information possibly being saved to the keyboard cache.