Android Sensitive Keyboard Cache

ID

kotlin.android_sensitive_keyboard_cache

Severity

high

Resource

Information Leak

Language

Kotlin

Tags

CWE:524, NIST.SP.800-53, PCI-DSS:6.5.6, android

Description

Storing sensitive data in keyboard cache can expose information to unauthorized access.

Rationale

Android’s virtual keyboard may cache input text for user convenience, potentially storing sensitive information like passwords or personal data. This caching can result in sensitive data being exposed or retrieved by unauthorized users or apps.

To prevent this, developers should disable keyboard caching for input fields that handle sensitive data by giving them an input type that suppresses suggestions or treats the input as a password.

<!-- Insecure: Keyboard caching enabled -->
<EditText
    android:id="@+id/sensitive_input"
    android:layout_width="match_parent"
    android:layout_height="wrap_content"
    android:inputType="text" />

Remediation

To protect sensitive data, ensure that keyboard caching is disabled for input fields by configuring them in the XML layout file with android:inputType="textPassword".

<!-- Secure: Disable keyboard caching -->
<EditText
    android:id="@+id/sensitive_input"
    android:layout_width="match_parent"
    android:layout_height="wrap_content"
    android:inputType="textPassword" />
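The following checker is an added example, not part of the original rule documentation: it scans an Android layout for EditText elements whose android:inputType is neither a password variant nor textNoSuggestions, which is the condition this rule reports. The layout it scans is constructed for the example and extends the snippets above with a few more fields.

```python
"""Layout lint for the rule above: report EditText elements whose
android:inputType neither treats the input as a password nor
disables suggestions, so the soft keyboard may cache what is typed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
INPUT_TYPE_ATTR = f"{{{ANDROID_NS}}}inputType"
ID_ATTR = f"{{{ANDROID_NS}}}id"

# Widgets the check applies to (AppCompat subclass included).
EDIT_TEXT_TAGS = {"EditText", "androidx.appcompat.widget.AppCompatEditText"}

# inputType values that keep typed text out of the keyboard's suggestion cache.
# The check is deliberately conservative: anything else is reported.
SAFE_INPUT_TYPES = {
    "textPassword", "textVisiblePassword", "textWebPassword",
    "numberPassword", "textNoSuggestions",
}

def input_type_is_safe(input_type):
    """android:inputType may combine values with '|', e.g. 'text|textNoSuggestions'."""
    if input_type is None:
        return False
    parts = {p.strip() for p in input_type.split("|")}
    return bool(parts & SAFE_INPUT_TYPES)

def find_cached_inputs(layout_xml):
    """Return the android:id of every EditText that may be keyboard-cached."""
    root = ET.fromstring(layout_xml)
    findings = []
    for elem in root.iter():
        if elem.tag not in EDIT_TEXT_TAGS:
            continue
        if not input_type_is_safe(elem.get(INPUT_TYPE_ATTR)):
            findings.append(elem.get(ID_ATTR, "<no id>"))
    return findings

# Constructed sample layout: the insecure and secure fields from the rule text,
# plus a numeric field, a field combining flags, and one with no inputType at all.
SAMPLE_LAYOUT = """
<LinearLayout xmlns:android="http://schemas.android.com/apk/res/android"
    android:layout_width="match_parent" android:layout_height="match_parent">
    <EditText android:id="@+id/sensitive_input" android:inputType="text" />
    <EditText android:id="@+id/password" android:inputType="textPassword" />
    <EditText android:id="@+id/card_number" android:inputType="number" />
    <EditText android:id="@+id/otp" android:inputType="text|textNoSuggestions" />
    <EditText android:id="@+id/no_type" />
</LinearLayout>"""

if __name__ == "__main__":
    for finding in find_cached_inputs(SAMPLE_LAYOUT):
        print(f"keyboard cache not disabled for {finding}")
```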

References