MASTG-TEST-0258: References to Keyboard Caching Attributes in UI Elements

Content in BETA

This content is in beta and still under active development, so it is subject to change any time (e.g. structure, IDs, content, URLs, etc.).

Overview

This test verifies that the app appropriately configures text input fields to prevent the keyboard from caching sensitive information, such as passwords or personal data.

Android apps can configure the behavior of text input fields using XML attributes in the layout files or programmatically in the code. If the app doesn't use non-caching input types for sensitive data, the keyboard may cache sensitive information.

Steps

  1. Reverse engineer the app (Decompiling Java Code).
  2. Search for XML attributes in the layout files within the res/layout directory.
  3. Search for calls to the setInputType method and the input type values passed to it (Static Analysis on Android).
  4. If the app uses Jetpack Compose, search for calls to KeyboardOptions constructors and their parameters, especially keyboardType and autoCorrect, in the reversed code (Static Analysis on Android).

Observation

The output should include:

  • All android:inputType XML attributes, if using XML for the UI.
  • All calls to the setInputType method and the input type values passed to it.

Evaluation

The test case fails if there are any fields handling sensitive data for which the app does not use non-caching input types.
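
One way to collect the XML part of the observation and pre-sort it for evaluation, as an added example that is not part of the MASTG or its demo. It assumes the layouts have already been decoded to text XML (for example by apktool); the `NON_CACHING` set, the widget suffix list and the sample layout are assumptions constructed for this illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
# Assumption: android:inputType flags treated as non-caching in this example.
NON_CACHING = {"textNoSuggestions", "textPassword", "textVisiblePassword",
               "numberPassword", "textWebPassword"}
# Assumption: widgets that accept typed input, matched by tag suffix so that
# subclasses such as TextInputEditText are included.
INPUT_WIDGETS = ("EditText", "AutoCompleteTextView")

# Constructed sample layout, standing in for a file under res/layout.
SAMPLE_LAYOUT = """<LinearLayout
    xmlns:android="http://schemas.android.com/apk/res/android">
    <EditText android:id="@+id/username" android:inputType="text" />
    <EditText android:id="@+id/password" android:inputType="textPassword" />
    <EditText android:id="@+id/passphrase"
              android:inputType="textMultiLine|textNoSuggestions" />
    <EditText android:id="@+id/card_number" />
    <com.google.android.material.textfield.TextInputEditText
        android:id="@+id/ssn" android:inputType="number" />
    <TextView android:id="@+id/label" android:text="Login" />
</LinearLayout>"""


def audit_layout(xml_text):
    """Return (id, inputType, caching_possible) for every input widget."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        if not elem.tag.endswith(INPUT_WIDGETS):
            continue
        field_id = elem.get(f"{{{ANDROID_NS}}}id", "<no id>")
        raw = elem.get(f"{{{ANDROID_NS}}}inputType")  # None if attribute absent
        # inputType is a '|'-separated flag list; one non-caching flag suffices.
        flags = set(raw.split("|")) if raw else set()
        findings.append((field_id, raw, not (flags & NON_CACHING)))
    return findings


if __name__ == "__main__":
    for field_id, raw, caching in audit_layout(SAMPLE_LAYOUT):
        status = "REVIEW (may be cached)" if caching else "ok (non-caching)"
        print(f"{field_id:20} inputType={raw!s:35} {status}")
```

Fields marked for review fail the test only if they handle sensitive data, which still has to be judged per field. Input types set through setInputType or Compose KeyboardOptions are not visible in the layout XML and need the code search from steps 3 and 4.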

Demos

MASTG-DEMO-0024: Uses of Caching UI Elements with semgrep