Recipe Name:
Information Exposure: Do not place sensitive information on ClipBoard
Description:
Never copy sensitive information to the ClipBoard
Level:
info
Language:
- java
Tags:
- security
- framework specific
- mobile
- Android
Documentation
Out of best practices and android coding guidelines, recommendations were abstracted which state that no sensitive information should be placed on the ClipBoard.
ClipBoard data is public and accessible to all running apps without any permission requirements or user interaction. Never put sensitive input on the ClipBoard. The guidelines recommend that no ClipData can be instantiated containing sensitive information.
import android.content.ClipData;
import android.content.ClipboardManager;
...
ClipData forbiddenClip = ClipData.newPlainText("MY_APP", "password is myPassword123");
clipboard.setPrimaryClip(forbiddenClip);
Correct code example
import android.content.ClipData;
import android.content.ClipboardManager;
...
ClipData clip = ClipData.newPlainText("MY_APP", "this can not be sensitive info");
clipboard.setPrimaryClip(clip);
Resources
Recipe
id: scw:android:sensitive-data-clipboard
version: 10
metadata:
name: 'Information Exposure: Do not place sensitive information on ClipBoard'
shortDescription: Never copy sensitive information to the ClipBoard
level: info
language: java
enabled: true
descriptionFile: descriptions/Information_Exposure__Sensitive_information.html
tags: security;framework specific;mobile;Android
search:
methodcall:
args:
any:
type: java.lang.String
value:
stringified: clipboard
name: getSystemService
type: android.content.Context
availableFixes: []