AndroidSensitiveTextField.qhelp
<!DOCTYPE qhelp PUBLIC
"-//Semmle//qhelp//EN"
"qhelp.dtd">
<qhelp>
<overview>
<p>
Sensitive information such as passwords should not be displayed in UI components unless explicitly required, to mitigate shoulder-surfing attacks.
</p>
</overview>
<recommendation>
<p>
For editable text fields containing sensitive information, the <code>inputType</code> should be set to <code>textPassword</code> or similar to ensure it is properly masked.
Otherwise, sensitive data that must be displayed should be hidden by default, and only revealed based on an explicit user action.
</p>
</recommendation>
<example>
<p>
In the following (bad) case, sensitive information in <code>password</code> is exposed to the <code>TextView</code>.
</p>
<sample src="AndroidSensitiveTextBad.java"/>
<p>
In the following (good) case, the user must press a button to reveal sensitive information.
</p>
<sample src="AndroidSensitiveTextGood.java"/>
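<p>
As an added illustration that is not one of the query's own sample files, the following Android activity applies both recommendations in code: the editable field is masked with <code>textPassword</code>, and the read-only secret is masked by default and only unmasked while the user presses a button. The class name and the <code>recoveryCode</code> value are placeholders chosen for this example.
</p>

```java
import android.app.Activity;
import android.os.Bundle;
import android.text.InputType;
import android.text.method.PasswordTransformationMethod;
import android.view.View;
import android.widget.Button;
import android.widget.EditText;
import android.widget.LinearLayout;
import android.widget.TextView;

// Example activity (constructed for this qhelp, not from the CodeQL repo).
public class SensitiveFieldActivity extends Activity {
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        LinearLayout root = new LinearLayout(this);
        root.setOrientation(LinearLayout.VERTICAL);

        // Editable password field: mask input with textPassword
        // (equivalent to android:inputType="textPassword" in layout XML).
        EditText passwordInput = new EditText(this);
        passwordInput.setInputType(InputType.TYPE_CLASS_TEXT
                | InputType.TYPE_TEXT_VARIATION_PASSWORD);
        root.addView(passwordInput);

        // Read-only display of a stored secret: masked by default,
        // unmasked only after an explicit user action.
        final String recoveryCode = "EXAMPLE-CODE"; // placeholder, not a real secret
        final TextView secretView = new TextView(this);
        secretView.setText(recoveryCode);
        secretView.setTransformationMethod(PasswordTransformationMethod.getInstance());
        root.addView(secretView);

        final Button revealButton = new Button(this);
        revealButton.setText("Reveal");
        revealButton.setOnClickListener(new View.OnClickListener() {
            private boolean shown = false;

            @Override
            public void onClick(View v) {
                // Toggle between masked and plain display on each press.
                shown = !shown;
                secretView.setTransformationMethod(
                        shown ? null : PasswordTransformationMethod.getInstance());
                revealButton.setText(shown ? "Hide" : "Reveal");
            }
        });
        root.addView(revealButton);
        setContentView(root);
    }
}
```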
</example>
<references>
<li>
OWASP Mobile Application Security: <a href="https://mas.owasp.org/MASTG/Android/0x05d-Testing-Data-Storage/#ui-components">Android Data Storage - UI Components</a>
</li>
</references>
</qhelp>