Recipe Name:
Information Exposure: Sensitive information
Description:
Do not send sensitive information or put it on the clipboard
Level:
warning
Language:
- java
Tags:
- security
- framework specific
- mobile
- Android
Documentation
Out of best practices and android coding guidelines, recommendations were abstracted which state that no sensitive information should be placed on the ClipBoard.
ClipBoard data is public and accessible to all running apps without any permission requirements or user interaction. Never put sensitive input on the ClipBoard. The guidelines recommend that no ClipData can be instantiated containing sensitive information.
import android.content.ClipData;
import android.content.ClipboardManager;
...
ClipData forbiddenClip = ClipData.newPlainText("MY_APP", "password is myPassword123");
clipboard.setPrimaryClip(forbiddenClip);
Correct code example
import android.content.ClipData;
import android.content.ClipboardManager;
...
ClipData clip = ClipData.newPlainText("MY_APP", "this can not be sensitive info");
clipboard.setPrimaryClip(clip);
Resources
Recipe
id: scw:android:sensitive-data
version: 10
metadata:
name: 'Information Exposure: Sensitive information'
shortDescription: Do not send sensitive information or put it on the clipboard
level: warning
language: java
enabled: true
descriptionFile: descriptions/Information_Exposure__Sensitive_information.html
tags: security;framework specific;mobile;Android
search:
methodcall:
args:
any:
value:
stringified:
matches: (?i).*([Cc]redit( )?[cC]ard|password|pass|pwd|passwd|[sS][sS][nN]|[cC][cC][nN]|[sS]ocial( )?[sS]ecurity( )?[nN]umber).*
anyOf:
- name: putExtra
type: android.content.Intent
- name: newPlainText
type: android.content.ClipData
availableFixes:
- name: Remove the sensitive data
actions:
- remove:
target: self