mirror of
https://github.com/github/codeql.git
synced 2026-06-13 00:41:07 +02:00
34 lines
1.7 KiB
XML
34 lines
1.7 KiB
XML
<!DOCTYPE qhelp PUBLIC
|
|
"-//Semmle//qhelp//EN"
|
|
"qhelp.dtd">
|
|
<qhelp>
|
|
|
|
<overview>
|
|
<p>When a user enters information in a text input field on an Android application, their input is saved to a keyboard cache which provides autocomplete suggestions and predictions. There is a risk that sensitive user data, such as passwords or banking information, may be leaked to other applications via the keyboard cache.</p>
|
|
|
|
</overview>
|
|
<recommendation>
|
|
|
|
<p>For input fields expected to accept sensitive information, use input types such as <code>"textNoSuggestions"</code> (or <code>"textPassword"</code> for a password) to ensure the input does not get stored in the keyboard cache.</p>
|
|
<p>Optionally, instead of declaring an input type through XML, you can set the input type in your code using <code>TextView.setInputType()</code>.</p>
|
|
</recommendation>
|
|
<example>
|
|
|
|
<p>In the following example, the field labeled BAD allows the password to be saved to the keyboard cache,
|
|
whereas the field labeled GOOD uses the <code>"textPassword"</code> input type to ensure the password is not cached.</p>
|
|
|
|
<sample src="Example.xml" />
|
|
|
|
</example>
|
|
<references>
|
|
|
|
<li>
|
|
OWASP Mobile Application Security Testing Guide: <a href="https://github.com/OWASP/owasp-mastg/blob/b7a93a2e5e0557cc9a12e55fc3f6675f6986bb86/Document/0x05d-Testing-Data-Storage.md#determining-whether-the-keyboard-cache-is-disabled-for-text-input-fields-mstg-storage-5">Determining Whether the Keyboard Cache Is Disabled for Text Input Fields</a>.
|
|
</li>
|
|
<li>
|
|
Android Developers: <a href="https://developer.android.com/reference/android/widget/TextView#attr_android:inputType">android:inputType attribute documentation.</a>
|
|
</li>
|
|
|
|
</references>
|
|
</qhelp>
|