MASTG-TEST-0006: Determining Whether the Keyboard Cache Is Disabled for Text Input Fields
Overview¶
Static Analysis¶
In the layout definition of an activity, you can define TextViews that have XML attributes. If the XML attribute android:inputType is given the value textNoSuggestions, the keyboard cache will not be shown when the input field is selected. The user will have to type everything manually.
<EditText
android:id="@+id/KeyBoardCache"
android:inputType="textNoSuggestions" />
The code for all input fields that take sensitive information should include this XML attribute to disable the keyboard suggestions.
Alternatively, the developer can use the following constants:
XML android:inputType |
Code InputType |
API level |
|---|---|---|
textPassword |
TYPE_TEXT_VARIATION_PASSWORD |
3 |
textVisiblePassword |
TYPE_TEXT_VARIATION_VISIBLE_PASSWORD |
3 |
numberPassword |
TYPE_NUMBER_VARIATION_PASSWORD |
11 |
textWebPassword |
TYPE_TEXT_VARIATION_WEB_PASSWORD |
11 |
Check the application code to verify that none of the input types are being overwritten. For example, by doing findViewById(R.id.KeyBoardCache).setInputType(InputType.TYPE_CLASS_TEXT) the input type of the input field KeyBoardCache is set to text reenabling the keyboard cache.
Finally, check the minimum required SDK version in the Android Manifest (android:minSdkVersion) since it must support the used constants (for example, Android SDK version 11 is required for textWebPassword). Otherwise, the compiled app would not honor the used input type constants allowing keyboard caching.
Dynamic Analysis¶
Start the app and click in the input fields that take sensitive data. If strings are suggested, the keyboard cache has not been disabled for these fields.