Recipe Name:
Data Protection - Secure Data Display: Avoid Data Exposure: Use FlagSecureHelper to create toasts
Description:
Could lead to Data Exposure
Level:
error
Language:
- java
Tags:
- security
- framework specific
- mobile
- Android
- Android security set
Documentation
Android best practices and coding guidelines state that the FLAG_SECURE flag must be set for UI elements which might contain sensitive information.
Add the FLAG_SECURE setting to all your activities which handle sensitive information. This will prevent leaks via screenshots or recording software.
If you have other UI elements such as a Dialog or a Toast, you can use the FlagSecureHelper library to create a secure version of this element.
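    // In the Activity: mark its window as secure
    getWindow().setFlags(WindowManager.LayoutParams.FLAG_SECURE, WindowManager.LayoutParams.FLAG_SECURE);

Correct code example (Secure Toasts):

    // Project-level build.gradle: add the CommonsWare repository
    allprojects {
        repositories {
            maven { url "https://s3.amazonaws.com/repo.commonsware.com" }
        }
    }

    // Module-level build.gradle: add the library
    dependencies {
        implementation "com.commonsware.cwac:security:0.8.+"
    }

    // Java: create the toast through FlagSecureHelper instead of Toast.makeText
    FlagSecureHelper
        .makeSecureToast(ACTIVITY_OBJECT, "MESSAGE", Toast.LENGTH_LONG)
        .show();

Correct code example (Secure Dialogs):

    Dialog dlg = ... // Create your dialog
    dlg = FlagSecureHelper.markDialogAsSecure(dlg);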
Recipe
id: scw:android:secure-toast
version: 10
metadata:
  name: 'Data Protection - Secure Data Display: Avoid Data Exposure: Use FlagSecureHelper to create toasts'
  shortDescription: Could lead to Data Exposure
  level: error
  language: java
  enabled: true
  comment: ""
  descriptionFile: descriptions/java_android_handle_sensitive_information_in_ui_elements_with_care_use_flag_secure.html
  tags: security;framework specific;mobile;Android;Android security set
search:
  methodcall:
    name: makeText
    type: android.widget.Toast
availableFixes:
- name: Use the FlagSecureHelper library to create a secure toast
  actions:
  - rewrite:
      to: com.commonsware.cwac.security.flagsecure.FlagSecureHelper.makeSecureToast({{{arguments.0}}}, {{{arguments.1}}}, {{{arguments.2}}})
      target: self