74 lines
2.5 KiB
Plaintext
74 lines
2.5 KiB
Plaintext
Mobile OSes use software keyboards that provide text predictions and suggestions. These keyboards cache text inputs in a local file in order to speed up typing and to recall frequent phrases. When users type sensitive data into a text field where keyboard cache is enabled, the data will be stored in clear-text in a local file. It will keep appearing in the keyboard suggestion list until the cache is cleared.
|
|
|
|
== Why is this an issue?
|
|
|
|
Keyboard caches are not designed to store sensitive information. Data they contain is not encrypted and can be exposed.
|
|
In case a backup is performed, the cache file can be included in the backup, which will lead to the password being leakage.
|
|
When device is shared, other user will see the password in the suggestion list.
|
|
|
|
== How to fix it in Jetpack Compose
|
|
|
|
=== Code examples
|
|
|
|
==== Noncompliant code example
|
|
|
|
[source,kotlin,diff-id=1,diff-type=noncompliant]
|
|
----
|
|
TextField(
|
|
value = text,
|
|
onValueChange = { text = it },
|
|
label = { Text("Password") },
|
|
visualTransformation = PasswordVisualTransformation(),
|
|
keyboardOptions = KeyboardOptions(keyboardType = KeyboardType.Text) // Noncompliant: keyboard cache is enabled
|
|
)
|
|
----
|
|
|
|
==== Compliant solution
|
|
|
|
[source,kotlin,diff-id=1,diff-type=compliant]
|
|
----
|
|
TextField(
|
|
value = text,
|
|
onValueChange = { text = it },
|
|
label = { Text("Password") },
|
|
visualTransformation = PasswordVisualTransformation(),
|
|
keyboardOptions = KeyboardOptions(keyboardType = KeyboardType.Password)
|
|
)
|
|
----
|
|
|
|
|
|
== Resources
|
|
|
|
=== Documentation
|
|
|
|
=== Standards
|
|
|
|
* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m8-security-misconfiguration[Mobile Top 10 2024 Category M8 - Security Misconfiguration]
|
|
* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m9-insecure-data-storage[Mobile Top 10 2024 Category M9 - Insecure Data Storage]
|
|
* CWE - https://cwe.mitre.org/data/definitions/524[CWE-524 - Use of Cache Containing Sensitive Information]
|
|
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
=== Message
|
|
|
|
* If `keyboardOptions` is set
|
|
** Set the `keyboardType` to `KeyboardType.Password` to disable the keyboard cache
|
|
* If `keyboardOptions` is not set,
|
|
** Set `keyboardOptions` to disable the keyboard cache
|
|
|
|
=== Highlighting
|
|
|
|
* Main location
|
|
** If `keyboardOptions` is set, highlight the `keyboardOptions` argument value
|
|
** If `keyboardOptions` is not set, highlight the `TextField` or `OutlinedTextField` constructor
|
|
* Secondary location
|
|
** Highlight the call to `PasswordVisualTransformation`
|
|
|
|
|
|
endif::env-github,rspecator-view[]
|