Recipe Name:
Information Exposure: Do not place sensitive information on ClipBoard
Description:
Never copy sensitive information to the ClipBoard
Level:
info
Language:
  • java
Tags:
  • security
  • framework specific
  • mobile
  • Android
Documentation

This recommendation is drawn from best practices and the Android coding guidelines: no sensitive information should be placed on the ClipBoard.

ClipBoard data is public and accessible to all running apps without any permission requirements or user interaction. Never put sensitive input on the ClipBoard. The guidelines recommend that no ClipData be instantiated containing sensitive information.

Bad code example
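import android.content.ClipData;
import android.content.ClipboardManager;
import android.content.Context;
...
// Inside an Activity or other Context: obtain the system clipboard service
ClipboardManager clipboard = (ClipboardManager) getSystemService(Context.CLIPBOARD_SERVICE);
// Bad: the clip text contains a password, which any running app can read from the ClipBoard
ClipData forbiddenClip = ClipData.newPlainText("MY_APP", "password is myPassword123");
clipboard.setPrimaryClip(forbiddenClip);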
Correct code example
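import android.content.ClipData;
import android.content.ClipboardManager;
import android.content.Context;
...
// Inside an Activity or other Context: obtain the system clipboard service
ClipboardManager clipboard = (ClipboardManager) getSystemService(Context.CLIPBOARD_SERVICE);
// Correct: only non-sensitive text is placed on the ClipBoard
ClipData clip = ClipData.newPlainText("MY_APP", "this can not be sensitive info");
clipboard.setPrimaryClip(clip);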
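One way to apply this rule across an app, shown as an added example that is not part of the original recipe or its vendor's code: route every ClipBoard write through a single helper and keep sensitive values in a wrapper type the helper cannot accept. The names SafeClipboard and Secret are hypothetical.

```java
import android.content.ClipData;
import android.content.ClipboardManager;
import android.content.Context;
import java.util.Arrays;

/** Hypothetical helper: the only class in the app that touches the ClipBoard. */
public final class SafeClipboard {

    /** Hypothetical wrapper for values that must never be copied (passwords, tokens). */
    public static final class Secret {
        private final char[] value;

        public Secret(char[] value) { this.value = value.clone(); }

        /** Explicit, greppable access for the code that really needs the value. */
        public char[] reveal() { return value.clone(); }

        /** Wipe the in-memory copy once the value is no longer needed. */
        public void clear() { Arrays.fill(value, '\0'); }

        /** Redacted, so string concatenation or logging never leaks the value. */
        @Override public String toString() { return "Secret[redacted]"; }
    }

    private final ClipboardManager clipboard;

    public SafeClipboard(Context context) {
        // The single getSystemService(CLIPBOARD_SERVICE) call site left to review.
        this.clipboard =
                (ClipboardManager) context.getSystemService(Context.CLIPBOARD_SERVICE);
    }

    /** Copies non-sensitive text only. */
    public void copy(String label, String text) {
        clipboard.setPrimaryClip(ClipData.newPlainText(label, text));
    }

    // There is deliberately no copy(String, Secret) overload:
    //   safeClipboard.copy("MY_APP", password);            // does not compile
    //   safeClipboard.copy("MY_APP", "pw: " + password);   // copies "pw: Secret[redacted]"
}
```

Passing the result of reveal() to copy() is still possible, so code review should treat any reveal() call near a ClipBoard write as a finding.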
Resources
Recipe
id: scw:android:sensitive-data-clipboard
version: 10
metadata:
  name: 'Information Exposure: Do not place sensitive information on ClipBoard'
  shortDescription: Never copy sensitive information to the ClipBoard
  level: info
  language: java
  enabled: true
  descriptionFile: descriptions/Information_Exposure__Sensitive_information.html
  tags: security;framework specific;mobile;Android
search:
  methodcall:
    args:
      any:
        type: java.lang.String
        value:
          stringified: clipboard
    name: getSystemService
    type: android.content.Context
availableFixes: []