Cached form fields - android

Need

Disable caching and keyboard suggestions for sensitive input fields

Context

  • Usage of Android development for mobile applications
  • Preventing sensitive input data from being cached or suggested by the keyboard

Description

Non-compliant code

    <EditText
        android:id="@+id/inputField"
        android:layout_width="match_parent"
        android:layout_height="wrap_content"
        android:hint="Enter sensitive data" />

    <TextView
        android:id="@+id/outputField"
        android:layout_width="match_parent"
        android:layout_height="wrap_content"
        android:text="Sensitive data displayed here" />

In this example, an EditText field is used to accept user input but does not specify android:inputType="textNoSuggestions", which means the keyboard may cache and suggest previously entered data.

Similarly, TextView elements that display user input may also expose cached values if android:inputType is not properly set.

Attackers or malicious applications could retrieve cached keyboard inputs, potentially exposing sensitive data like passwords, credit card numbers, or personally identifiable information.

Steps

  • Open the XML layout file containing input fields.
  • Add `android:inputType="textNoSuggestions"` to `EditText` and `TextView` elements.
  • Ensure that all user-input or displayed sensitive data fields prevent caching.
  • Test the application by verifying that the keyboard does not suggest previously entered data.

Compliant code

    <EditText
        android:id="@+id/inputField"
        android:layout_width="match_parent"
        android:layout_height="wrap_content"
        android:hint="Enter sensitive data"
        android:inputType="textNoSuggestions" />

    <TextView
        android:id="@+id/outputField"
        android:layout_width="match_parent"
        android:layout_height="wrap_content"
        android:text="Sensitive data displayed here"
        android:inputType="textNoSuggestions" />

The secure code ensures that android:inputType="textNoSuggestions" is applied to EditText and TextView elements to prevent caching and keyboard suggestions.

This setting disables keyboard learning for these fields, preventing previously entered data from being suggested or cached.
