Recipe Name:
Data Protection - Secure Data Display: Avoid Data Exposure: Use FlagSecureHelper to create toasts
Description:
Could lead to Data Exposure
Level:
error
Language:
  • java
Tags:
  • security
  • framework specific
  • mobile
  • Android
  • Android security set
Documentation

Android best practices and coding guidelines recommend that any UI element which might display sensitive information is shown with the FLAG_SECURE flag set.

Add the FLAG_SECURE setting to every activity that handles sensitive information. This prevents leaks via screenshots or screen-recording software. The flag only covers the activity's own window; a Dialog or a Toast is drawn in a separate window, so for those elements use the FlagSecureHelper library to create a secure version.

Correct code example:
// In Activity.onCreate(), before setContentView()
getWindow().setFlags(WindowManager.LayoutParams.FLAG_SECURE, WindowManager.LayoutParams.FLAG_SECURE);
Correct code example (Secure Toasts):
// Project-level build.gradle: add the CommonsWare repository
allprojects {
    repositories {
        maven {
            url "https://s3.amazonaws.com/repo.commonsware.com"
        }
    }
}

// Module-level build.gradle: add the cwac-security dependency
implementation "com.commonsware.cwac:security:0.8.+"

// Create the toast through FlagSecureHelper so its window carries FLAG_SECURE
FlagSecureHelper
    .makeSecureToast(ACTIVITY_OBJECT, "MESSAGE", Toast.LENGTH_LONG)
    .show();
Correct code example (Secure Dialogs):
Dialog dlg = ... // Create your dialog
dlg = FlagSecureHelper.markDialogAsSecure(dlg);
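The three fixes above combined in one activity, as an added example that is not part of the recipe or of the CommonsWare library's own documentation. It assumes the cwac-security dependency from the Gradle snippet above, and the class name, package and layout resource are hypothetical.

```java
// Added example (not from the recipe page): an Activity that handles sensitive
// data and applies FLAG_SECURE to its window, its Toasts and its Dialogs.
// Assumes the com.commonsware.cwac:security dependency is on the classpath.
package com.example.secureui; // hypothetical package

import android.app.Activity;
import android.app.AlertDialog;
import android.app.Dialog;
import android.os.Bundle;
import android.view.WindowManager;
import android.widget.Toast;

import com.commonsware.cwac.security.flagsecure.FlagSecureHelper;

public class AccountBalanceActivity extends Activity {

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // Set FLAG_SECURE before any content is attached to the window, so the
        // activity is excluded from screenshots and screen recording from the start.
        getWindow().setFlags(WindowManager.LayoutParams.FLAG_SECURE,
                             WindowManager.LayoutParams.FLAG_SECURE);
        setContentView(R.layout.activity_account_balance); // hypothetical layout
    }

    // A Toast is drawn in its own window, so the activity's FLAG_SECURE does not
    // cover it; FlagSecureHelper builds a Toast whose window carries the flag.
    void showBalanceToast(String maskedBalance) {
        FlagSecureHelper
            .makeSecureToast(this, "Balance: " + maskedBalance, Toast.LENGTH_LONG)
            .show();
    }

    // A Dialog also gets its own window; mark it secure before it is shown.
    void showTransferConfirmation(String recipient, String amount) {
        Dialog dlg = new AlertDialog.Builder(this)
            .setTitle("Confirm transfer")
            .setMessage("Send " + amount + " to " + recipient + "?")
            .setPositiveButton(android.R.string.ok, null)
            .setNegativeButton(android.R.string.cancel, null)
            .create();
        dlg = FlagSecureHelper.markDialogAsSecure(dlg);
        dlg.show();
    }
}
```

Using the activity as the context for makeSecureToast matches the recipe's rewrite, which passes the original Toast.makeText arguments (context, text, duration) through unchanged; a quick check that the fix is in place is to take a screenshot while the toast or dialog is visible and confirm it is blacked out along with the activity.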
Recipe
id: scw:android:secure-toast
version: 10
metadata:
  name: 'Data Protection - Secure Data Display: Avoid Data Exposure: Use FlagSecureHelper to create toasts'
  shortDescription: Could lead to Data Exposure
  level: error
  language: java
  enabled: true
  comment: ""
  descriptionFile: descriptions/java_android_handle_sensitive_information_in_ui_elements_with_care_use_flag_secure.html
  tags: security;framework specific;mobile;Android;Android security set
search:
  methodcall:
    name: makeText
    type: android.widget.Toast
availableFixes:
- name: Use the FlagSecureHelper library to create a secure toast
  actions:
  - rewrite:
      to: com.commonsware.cwac.security.flagsecure.FlagSecureHelper.makeSecureToast({{{arguments.0}}}, {{{arguments.1}}}, {{{arguments.2}}})
      target: self