Cached form fields
Need
Disable caching and keyboard suggestions for sensitive input fields
Context
• Usage of Android development for mobile applications
• Preventing sensitive input data from being cached or suggested by the keyboard
Description
1. Non-compliant code
<EditText
    android:id="@+id/inputField"
    android:layout_width="match_parent"
    android:layout_height="wrap_content"
    android:hint="Enter sensitive data" />
<TextView
    android:layout_width="match_parent"...
In this example, an `EditText` field is used to accept user input but does not specify `android:inputType="textNoSuggestions"`, which means the keyboard may cache and suggest previously entered data. Similarly, `TextView` elements used for user input display may also expose cached values if `android:inputType` is not properly set. Attackers or malicious applications could retrieve cached keyboard inputs, potentially exposing sensitive data like passwords, credit card numbers, or personally identifiable information.
2. Steps
• Open the XML layout file containing input fields.
• Add `android:inputType="textNoSuggestions"` to `EditText` and `TextView` elements.
• Ensure that all user-input or displayed sensitive data fields prevent caching.
• Test the application by verifying that the keyboard does not suggest previously entered data.
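The review in the steps above can be automated. The following is an added example, not part of the original page: a small Python check that parses a layout file and reports text widgets whose `android:inputType` lacks `textNoSuggestions`. The function names, the tag-matching rule and the sample layout are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
REQUIRED_FLAG = "textNoSuggestions"  # the value this page asks for


def is_text_widget(tag):
    """Assumption: EditText subclasses end in 'EditText'; TextView matches exactly."""
    local = tag.rsplit(".", 1)[-1]
    return local.endswith("EditText") or local == "TextView"


def find_unprotected_fields(layout_xml):
    """Return (widget, id, inputType) for each text widget lacking the flag."""
    findings = []
    for elem in ET.fromstring(layout_xml).iter():
        if not is_text_widget(elem.tag):
            continue
        input_type = elem.get(f"{{{ANDROID_NS}}}inputType", "")
        # inputType is a '|'-separated flag list, e.g. "text|textNoSuggestions"
        flags = {f.strip() for f in input_type.split("|")}
        if REQUIRED_FLAG not in flags:
            view_id = elem.get(f"{{{ANDROID_NS}}}id", "(no id)")
            findings.append((elem.tag, view_id, input_type or None))
    return findings


# Constructed sample layout: the first field lacks the flag, the other two set it.
SAMPLE_LAYOUT = """\
<LinearLayout xmlns:android="http://schemas.android.com/apk/res/android"
    android:layout_width="match_parent"
    android:layout_height="match_parent">
    <EditText
        android:id="@+id/inputField"
        android:layout_width="match_parent"
        android:layout_height="wrap_content"
        android:hint="Enter sensitive data" />
    <EditText
        android:id="@+id/cardField"
        android:inputType="text|textNoSuggestions" />
    <TextView
        android:id="@+id/outputField"
        android:inputType="textNoSuggestions" />
</LinearLayout>
"""

if __name__ == "__main__":
    for widget, view_id, input_type in find_unprotected_fields(SAMPLE_LAYOUT):
        print(f"{widget} {view_id}: inputType={input_type!r} lacks {REQUIRED_FLAG}")
```

Running the check over every file under `res/layout/` in a build step turns the manual review into a repeatable gate; the on-device keyboard test in the last step is still needed to confirm behaviour.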
3. Secure code example
<EditText
    android:id="@+id/inputField"
    android:layout_width="match_parent"
    android:layout_height="wrap_content"
    android:hint="Enter sensitive data"
    android:inputType="textNoSuggestions" />
    android:id="@+id/outputField"...
The secure code ensures that `android:inputType="textNoSuggestions"` is applied to `EditText` and `TextView` elements to prevent caching and keyboard suggestions. This setting disables keyboard learning for these fields, preventing previously entered data from being suggested or cached.
References
• 065. Cached form fields