Sensitive information such as passwords should not be displayed in UI components unless explicitly required, to mitigate shoulder-surfing attacks.

For editable text fields containing sensitive information, the inputType should be set to textPassword or similar to ensure it is properly masked. Otherwise, sensitive data that must be displayed should be hidden by default, and only revealed based on an explicit user action.

In the following (bad) case, sensitive information in password is exposed to the TextView.

In the following (good) case, the user must press a button to reveal sensitive information.

OWASP Mobile Application Security: Android Data Storage - UI Components