MASWE-0118: Sensitive Data Not Removed After Use

Content in BETA

This content is in beta and still under active development, so it is subject to change any time (e.g. structure, IDs, content, URLs, etc.).

Send Feedback

Placeholder Weakness

This weakness hasn't been created yet and it's a placeholder. But you can check its status or start working on it yourself. If the issue has not yet been assigned, you can request to be assigned to it and submit a PR with the new content for that weakness by following our guidelines.

Check our GitHub Issues for MASWE-0118

Initial Description or Hints

Applying data minimisation, including appropriate cleanup in the end of the lifecycle is important.

1. Clear web state or prefer non-persistent web stores

2. Android:

   • CookieManager.getInstance().removeAllCookies(ValueCallback<Boolean>)
   • WebStorage.getInstance().deleteAllData()
   • WebViewDatabase.getInstance(context).clearHttpAuthUsernamePassword()

3. iOS:

   • WKWebsiteDataStore.default().removeData(ofTypes: WKWebsiteDataStore.allWebsiteDataTypes(), modifiedSince: Date.distantPast)
   • Use WKWebsiteDataStore.nonPersistent() for private sessions
   • HTTPCookieStorage.shared.removeCookies(since: .distantPast)
   • Use WKHTTPCookieStore for targeted cookie deletion

4. Clear app cache and files

5. Android:

   • context.cacheDir.deleteRecursively()
   • context.filesDir.deleteRecursively()
   • context.deleteDatabase(name) for temporary databases
   • SharedPreferences.edit().clear().apply() to remove tokens or user data

6. iOS:

   • Remove items in NSTemporaryDirectory() and the Caches folder using FileManager.default.removeItem(at:)
   • For Core Data, call NSPersistentStoreCoordinator.destroyPersistentStore(at:ofType:options:) for a full wipe
   • Reset UserDefaults with removePersistentDomain(forName:)

7. Avoid network caches

8. Android:

   • HttpResponseCache.getInstalled()?.delete() for legacy stack
   • For OkHttp: okHttpClient.cache?.evictAll() or disable caching with CacheControl.FORCE_NETWORK

9. iOS:

   • URLCache.shared.removeAllCachedResponses()
   • Disable caching via URLSessionConfiguration.urlCache = nil or set requestCachePolicy = .reloadIgnoringLocalCacheData
   • URLSession.invalidateAndCancel() to clear in-memory session state

   Relevant Topics

   • webview
   • webview-cleanup
   • caches
   • data-minimisation
   • cleanup

   References

   • https://mas.owasp.org/MASTG/knowledge/android/MASVS-PLATFORM/MASTG-KNOW-0018/#webviews-cleanup
   • https://developer.android.com/privacy-and-security/security-tips?hl=en#WebView
   • https://developer.apple.com/documentation/webkit/wkwebsitedatastore

   MASTG v1 Coverage

   No MASTG v1 tests are related to this weakness.

Tests

MASTG-TEST-0320: WebViews Not Cleaning Up Sensitive Data

Best Practices

MASTG-BEST-0028: WebViews Cache Cleanup