Java Insecure Storage Sensitive Information

Description

Detects when sensitive information is stored insecurely in Android's system clipboard using ClipboardManager. This is risky because clipboard data can be accessed by any application on the device, potentially exposing sensitive information to malicious apps.

Weakness:

017 - Sensitive information sent insecurely

Category: Information Collection

Detection Strategy

    Check if Android clipboard-related classes (android.content.ClipData and android.content.ClipboardManager) are imported in the code

    Look for calls to setPrimaryClip method on ClipboardManager instances

    Analyze if the data being copied to clipboard contains sensitive information or unsafe content

    Report a vulnerability when sensitive data is being written to the clipboard using setPrimaryClip
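The four steps above, sketched as a small scanner over Java source text. This is an added example, not the detection engine behind this rule. The regex matching, the name-based `SENSITIVE` heuristic and the sample sources are all assumptions made for illustration.

```python
import re

CLIP_IMPORTS = ("android.content.ClipData", "android.content.ClipboardManager")
# Assumed heuristic: names that suggest a secret. Tune this list per code base.
SENSITIVE = re.compile(r"token|passw|secret|credential|cvv", re.I)
# Captures the text argument of ClipData.newPlainText(label, text).
NEW_PLAIN_TEXT = r"ClipData\.newPlainText\(\s*[^,]+,\s*([^)]+)\)"

def find_clipboard_leaks(java_source):
    """Return [(line_number, expression)] for setPrimaryClip calls fed sensitive-looking data."""
    # Step 1: both clipboard classes must be imported.
    for cls in CLIP_IMPORTS:
        if not re.search(r"import\s+" + re.escape(cls) + r"\s*;", java_source):
            return []
    # Remember which ClipData variables wrap which text expression.
    clips = {m.group(1): m.group(2).strip() for m in re.finditer(
        r"ClipData\s+(\w+)\s*=\s*" + NEW_PLAIN_TEXT, java_source)}
    findings = []
    for lineno, line in enumerate(java_source.splitlines(), 1):
        # Step 2: locate setPrimaryClip calls.
        call = re.search(r"\.setPrimaryClip\s*\((.*)\)\s*;", line)
        if not call:
            continue
        # Step 3: resolve the argument to the text that ends up on the clipboard.
        arg = call.group(1).strip()
        inline = re.search(NEW_PLAIN_TEXT, arg)
        text = inline.group(1).strip() if inline else clips.get(arg, arg)
        # Step 4: report only when that text looks sensitive.
        if SENSITIVE.search(text):
            findings.append((lineno, text))
    return findings

# Constructed sample inputs (not from the original page).
VULNERABLE = """
import android.content.ClipData;
import android.content.ClipboardManager;
public class A {
    void copy(ClipboardManager cm, String authToken) {
        ClipData clip = ClipData.newPlainText("label", authToken);
        cm.setPrimaryClip(clip);
    }
}
"""
BENIGN = VULNERABLE.replace("authToken", "articleUrl")

if __name__ == "__main__":
    print(find_clipboard_leaks(VULNERABLE))
    print(find_clipboard_leaks(BENIGN))
```

A name-based match misses secrets held in neutrally named variables and calls split across lines, so treat a clean result as a lower bound rather than proof of absence.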

Vulnerable code example

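import android.content.ClipData;
import android.content.ClipboardManager;
import android.content.Context;

public class UnsafeClipboard {
    public static void copyTokenToClipboard(Context context, String authToken) {
        ClipboardManager clipManager = (ClipboardManager) context.getSystemService(Context.CLIPBOARD_SERVICE);
        // Vulnerable: the auth token is written to the shared system clipboard
        // ("auth_token" is a placeholder label)
        ClipData clip = ClipData.newPlainText("auth_token", authToken);
        clipManager.setPrimaryClip(clip);
    }
}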

✅ Secure code example

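import android.content.Context;
import android.content.SharedPreferences;
import androidx.security.crypto.EncryptedSharedPreferences;
import androidx.security.crypto.MasterKeys;

public class SafeTokenHandler {
    public static void secureTokenStorage(Context context, String authToken) throws Exception {
        // Store sensitive auth token in EncryptedSharedPreferences instead of clipboard
        String masterKeyAlias = MasterKeys.getOrCreate(MasterKeys.AES256_GCM_SPEC);
        SharedPreferences prefs = EncryptedSharedPreferences.create(
                "secure_prefs", masterKeyAlias, context, // file name and key below are placeholders
                EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
                EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM);
        prefs.edit().putString("auth_token", authToken).apply();
    }
}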