MASTG-TEST-0258: References to Keyboard Caching Attributes in UI Elements

Content in BETA

This content is in beta and still under active development, so it is subject to change at any time (e.g. structure, IDs, content, URLs).

Overview

This test verifies that the app appropriately configures text input fields to prevent the keyboard from caching sensitive information, such as passwords or personal data.

Android apps can configure the behavior of text input fields using XML attributes in the layout files or programmatically in the code. If the app doesn't use the non-caching input types for sensitive data, the keyboard may cache sensitive information.

Steps

  1. Reverse engineer the app (Decompiling Java Code).
  2. Search for the above XML attributes in the layout files within the res/layout directory.
  3. Search for the above code attributes and any setInputType API calls in the reversed code (Static Analysis on Android).

Observation

The output should include:

  • All android:inputType XML attributes, if using XML for the UI.
  • All calls to the setInputType method and the input type values passed to it.

Evaluation

The test case fails if there are any fields handling sensitive data for which the app does not use non-caching input types.
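
As an added example (not part of the MASTG page or its demo), this Python script carries out steps 2 and 3 on constructed sample input and marks each text field whose inputType contains no non-caching value. The NON_CACHING set, the widget names and both samples are assumptions of this example; the set uses standard android:inputType values that this page does not list.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Assumption (not listed on this page): inputType values treated as non-caching.
NON_CACHING = {"textNoSuggestions", "textPassword", "textVisiblePassword",
               "numberPassword", "textWebPassword"}
TEXT_WIDGETS = ("EditText", "AutoCompleteTextView")  # also matches TextInputEditText
SET_INPUT_TYPE = re.compile(r"(\w+)\.setInputType\(([^;]*)\);")

# Constructed sample input, standing in for a decoded res/layout file.
SAMPLE_LAYOUT = """
<LinearLayout xmlns:android="http://schemas.android.com/apk/res/android">
  <EditText android:id="@+id/username" android:inputType="text"/>
  <EditText android:id="@+id/password" android:inputType="textPassword"/>
  <EditText android:id="@+id/card" android:inputType="number"/>
  <EditText android:id="@+id/pin" android:inputType="text|textNoSuggestions"/>
  <EditText android:id="@+id/notes"/>
</LinearLayout>
"""
# Constructed sample input, standing in for decompiled Java.
SAMPLE_JAVA = """
passwordField.setInputType(InputType.TYPE_CLASS_TEXT | InputType.TYPE_TEXT_VARIATION_PASSWORD);
cardField.setInputType(2);
"""

def audit_layout(xml_text):
    """Return (id, inputType, uses_non_caching_type) per text input element."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        if not elem.tag.endswith(TEXT_WIDGETS):
            continue
        raw = elem.get(ANDROID_NS + "inputType", "")
        flags = {f.strip() for f in raw.split("|")}
        findings.append((elem.get(ANDROID_NS + "id", "<no id>"),
                         raw or "<unset>", bool(flags & NON_CACHING)))
    return findings

def find_set_input_type(source):
    """Return (receiver, argument expression) per setInputType call."""
    return [(m.group(1), m.group(2).strip()) for m in SET_INPUT_TYPE.finditer(source)]

if __name__ == "__main__":
    for view_id, input_type, ok in audit_layout(SAMPLE_LAYOUT):
        print(f"{'ok    ' if ok else 'REVIEW'} {view_id} inputType={input_type}")
    for receiver, arg in find_set_input_type(SAMPLE_JAVA):
        print(f"call   {receiver}.setInputType({arg})")
```

A field marked REVIEW fails the test only if it handles sensitive data; that judgement stays with the tester.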

Demos

MASTG-DEMO-0024: Uses of Caching UI Elements with semgrep