Recipe Name:
Information Exposure: Sensitive information
Description:
Do not send sensitive information or put it on the clipboard
Level:
warning
Language:
  • java
Tags:
  • security
  • framework specific
  • mobile
  • Android
Documentation

Out of best practices and android coding guidelines, recommendations were abstracted which state that no sensitive information should be placed on the ClipBoard.

ClipBoard data is public and accessible to all running apps without any permission requirements or user interaction. Never put sensitive input on the ClipBoard. The guidelines recommend that no ClipData can be instantiated containing sensitive information.

Bad code example
import android.content.ClipData;
import android.content.ClipboardManager;
...
ClipData forbiddenClip = ClipData.newPlainText("MY_APP", "password is myPassword123");
clipboard.setPrimaryClip(forbiddenClip);
Correct code example
import android.content.ClipData;
import android.content.ClipboardManager;
...
ClipData clip = ClipData.newPlainText("MY_APP", "this can not be sensitive info");
clipboard.setPrimaryClip(clip);
Resources
Recipe
id: scw:android:sensitive-data
version: 10
metadata:
  name: 'Information Exposure: Sensitive information'
  shortDescription: Do not send sensitive information or put it on the clipboard
  level: warning
  language: java
  enabled: true
  descriptionFile: descriptions/Information_Exposure__Sensitive_information.html
  tags: security;framework specific;mobile;Android
search:
  methodcall:
    args:
      any:
        value:
          stringified:
            matches: (?i).*([Cc]redit( )?[cC]ard|password|pass|pwd|passwd|[sS][sS][nN]|[cC][cC][nN]|[sS]ocial( )?[sS]ecurity( )?[nN]umber).*
    anyOf:
    - name: putExtra
      type: android.content.Intent
    - name: newPlainText
      type: android.content.ClipData
availableFixes:
- name: Remove the sensitive data
  actions:
  - remove:
      target: self