Cached form fields - Android


Need

Disable caching and keyboard suggestions for sensitive input fields


Context

  1. Usage of Android development for mobile applications
  2. Preventing sensitive input data from being cached or suggested by the keyboard

Description

Insecure Code Example

<EditText
    android:id="@+id/inputField"
    android:layout_width="match_parent"
    android:layout_height="wrap_content"
    android:hint="Enter sensitive data" />

<TextView
    android:id="@+id/outputField"
    android:layout_width="match_parent"
    android:layout_height="wrap_content"
    android:text="Sensitive data displayed here" />

In this example, the `EditText` field accepts user input but does not specify `android:inputType="textNoSuggestions"`, so the keyboard may cache and later suggest previously entered data. Similarly, `TextView` elements that display user input may expose cached values if `android:inputType` is not properly set. Attackers or malicious applications could retrieve cached keyboard inputs, potentially exposing sensitive data such as passwords, credit card numbers, or personally identifiable information.

Steps

  1. Open the XML layout file containing input fields.
  2. Add `android:inputType="textNoSuggestions"` to `EditText` and `TextView` elements.
  3. Ensure that all user-input or displayed sensitive data fields prevent caching.
  4. Test the application by verifying that the keyboard does not suggest previously entered data.

Secure Code Example

<EditText
    android:id="@+id/inputField"
    android:layout_width="match_parent"
    android:layout_height="wrap_content"
    android:hint="Enter sensitive data"
    android:inputType="textNoSuggestions" />

<TextView
    android:id="@+id/outputField"
    android:layout_width="match_parent"
    android:layout_height="wrap_content"
    android:text="Sensitive data displayed here"
    android:inputType="textNoSuggestions" />

The secure code ensures that `android:inputType="textNoSuggestions"` is applied to `EditText` and `TextView` elements to prevent caching and keyboard suggestions. This setting disables keyboard learning for these fields, preventing previously entered data from being suggested or cached.
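One way to carry out step 3 across a project's layouts, as an added example (not code from the original page): a Python check that parses a layout file and reports every `EditText`- or `TextView`-style element whose `android:inputType` lacks the `textNoSuggestions` flag, including when several flags are combined with `|`. The sample layout, its ids and the `com.example.widget` class are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
REQUIRED_FLAG = "textNoSuggestions"
# Widget families the page says must carry the flag. Matching on the suffix
# also covers subclasses and fully qualified custom views (an assumption of
# this example, not a rule stated on the page).
CHECKED_SUFFIXES = ("EditText", "TextView")


def android_attr(elem, name):
    """Read an android:-namespaced attribute, or None if it is absent."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def find_unprotected_fields(layout_xml):
    """Return (widget, id) pairs for checked widgets lacking the flag."""
    findings = []
    for elem in ET.fromstring(layout_xml).iter():
        widget = elem.tag.rsplit(".", 1)[-1]  # drop any package prefix
        if not widget.endswith(CHECKED_SUFFIXES):
            continue
        # inputType is a '|'-separated flag list; a missing attribute yields
        # an empty set of flags and is reported as well.
        raw = android_attr(elem, "inputType") or ""
        flags = {flag.strip() for flag in raw.split("|")}
        if REQUIRED_FLAG not in flags:
            findings.append((widget, android_attr(elem, "id") or "<no id>"))
    return findings


# Constructed sample layout: two fields are missing the flag, two carry it.
SAMPLE_LAYOUT = """<LinearLayout
    xmlns:android="http://schemas.android.com/apk/res/android"
    android:layout_width="match_parent"
    android:layout_height="match_parent">
    <EditText android:id="@+id/inputField" android:hint="Enter sensitive data" />
    <EditText android:id="@+id/fullName"
        android:inputType="textCapWords|textNoSuggestions" />
    <com.example.widget.EditText android:id="@+id/pin" android:inputType="text" />
    <TextView android:id="@+id/outputField"
        android:inputType="textNoSuggestions" />
</LinearLayout>"""

if __name__ == "__main__":
    for widget, view_id in find_unprotected_fields(SAMPLE_LAYOUT):
        print(f"{widget} {view_id}: android:inputType lacks {REQUIRED_FLAG}")
```

The check reports every matching element, so labels that never show sensitive data still need a manual decision, and step 4's on-device keyboard test remains necessary.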


References

  • 065 - Cached form fields

  • Last updated: 2025/04/03