
MASTG-TEST-0258: References to Keyboard Caching Attributes in UI Elements

Overview

This test verifies that the app appropriately configures text input fields to prevent the keyboard from caching sensitive information, such as passwords or personal data.

Android apps can configure the behavior of text input fields in two ways:

  • In layout files within the res/layout directory:
    • By setting the android:inputType XML attribute.
  • Programmatically in the code:
    • By calling the setInputType method on input fields and passing appropriate input type values.
    • In Jetpack Compose, by using the KeyboardOptions constructors and setting the keyboardType and autoCorrect parameters.

See section "Non-Caching Input Types" in Keyboard Cache for more details on the input types that prevent keyboard caching of sensitive information.

Steps

  1. Use Reverse Engineering Android Apps to reverse engineer the app.
  2. Use Static Analysis on Android to look for the relevant APIs.
  3. Use Exploring the App Package to extract the layout files from the app package.

Observation

The output should include:

  • All android:inputType XML attributes, if using XML for the UI.
  • All calls to the setInputType method and the input type values passed to it.

Evaluation

The test case fails if there are any fields handling sensitive data for which the app does not use non-caching input types.
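One way to produce the XML part of the observation and pre-sort it for evaluation, as an added example that is not part of the MASTG or its demo. It assumes the layout files have already been decoded to plain-text XML; the sample layout is constructed, and the set of values treated as non-caching is an assumption to confirm against the "Non-Caching Input Types" section.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumption: inputType values treated as non-caching here; confirm against
# the "Non-Caching Input Types" section referenced above.
NON_CACHING = {"textNoSuggestions", "textPassword", "textVisiblePassword",
               "numberPassword", "textWebPassword"}

# Matches EditText and subclasses such as TextInputEditText by tag suffix.
INPUT_WIDGETS = ("EditText", "AutoCompleteTextView")

# Constructed sample layout, in the decoded (text) XML form.
SAMPLE_LAYOUT = """
<LinearLayout xmlns:android="http://schemas.android.com/apk/res/android">
  <EditText android:id="@+id/username" android:inputType="text" />
  <EditText android:id="@+id/password" android:inputType="textPassword" />
  <EditText android:id="@+id/card_number" android:inputType="number" />
  <EditText android:id="@+id/passphrase"
            android:inputType="text|textNoSuggestions" />
  <EditText android:id="@+id/notes" />
</LinearLayout>
"""


def audit_layout(xml_text):
    """List every text input field with its inputType and caching verdict."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        if not elem.tag.endswith(INPUT_WIDGETS):
            continue
        raw = elem.get(ANDROID_NS + "inputType")
        # inputType is a '|'-separated flag list; a missing attribute
        # means no non-caching flag is set.
        flags = {f.strip() for f in raw.split("|")} if raw else set()
        findings.append({
            "id": elem.get(ANDROID_NS + "id"),
            "input_type": raw,
            "non_caching": bool(flags & NON_CACHING),
        })
    return findings


if __name__ == "__main__":
    for f in audit_layout(SAMPLE_LAYOUT):
        verdict = "ok" if f["non_caching"] else "REVIEW: may be cached"
        print(f'{f["id"]!s:22} {f["input_type"]!s:24} {verdict}')
```

The script only reports which fields lack a non-caching input type; deciding which of those fields handle sensitive data remains a manual step of the evaluation.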

Best Practices

MASTG-BEST-0019: Use Non-Caching Input Types for Sensitive Fields

Demos

MASTG-DEMO-0064: Uses of Caching UI Elements with semgrep