Mobile OSes use software keyboards that provide text predictions and suggestions. These keyboards cache text input in a local file in order to speed up typing and to recall frequent phrases. When users type sensitive data into a text field where the keyboard cache is enabled, the data is stored in clear text in a local file. It keeps appearing in the keyboard suggestion list until the cache is cleared.

Why is this an issue?

Keyboard caches are not designed to store sensitive information. The data they contain is not encrypted and can be exposed. If a backup is performed, the cache file can be included in it, which leads to the password being leaked. When the device is shared, other users will see the password in the suggestion list.

How to fix it in Jetpack Compose

Code examples

Noncompliant code example

TextField(
    value = text,
    onValueChange = { text = it },
    label = { Text("Password") },
    visualTransformation = PasswordVisualTransformation(),
    keyboardOptions = KeyboardOptions(keyboardType = KeyboardType.Text) // Noncompliant: keyboard cache is enabled
)

Compliant solution

TextField(
    value = text,
    onValueChange = { text = it },
    label = { Text("Password") },
    visualTransformation = PasswordVisualTransformation(),
    keyboardOptions = KeyboardOptions(keyboardType = KeyboardType.Password) // Compliant: password keyboard type, keyboard cache is disabled
)
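
The compliant setting in a reusable field with a show/hide toggle, as an added example that is not part of the original rule description. `PasswordField`, the Material 3 imports and the toggle itself are assumptions made for illustration. The point it shows is that revealing the text changes only the visual transformation, while the keyboard type stays `KeyboardType.Password`.

```kotlin
import androidx.compose.foundation.text.KeyboardOptions
import androidx.compose.material3.Text
import androidx.compose.material3.TextButton
import androidx.compose.material3.TextField
import androidx.compose.runtime.Composable
import androidx.compose.runtime.getValue
import androidx.compose.runtime.mutableStateOf
import androidx.compose.runtime.remember
import androidx.compose.runtime.setValue
import androidx.compose.ui.text.input.KeyboardType
import androidx.compose.ui.text.input.PasswordVisualTransformation
import androidx.compose.ui.text.input.VisualTransformation

// Hypothetical reusable composable; the caller owns the password state.
@Composable
fun PasswordField(
    value: String,
    onValueChange: (String) -> Unit,
) {
    // Visibility is display-only state and must not influence the keyboard type.
    var visible by remember { mutableStateOf(false) }

    TextField(
        value = value,
        onValueChange = onValueChange,
        label = { Text("Password") },
        singleLine = true,
        // Masking affects only what is drawn on screen, not what the keyboard is told.
        visualTransformation =
            if (visible) VisualTransformation.None else PasswordVisualTransformation(),
        // Same value in both states: switching to KeyboardType.Text while the
        // password is shown would re-enable the keyboard cache for this field.
        keyboardOptions = KeyboardOptions(keyboardType = KeyboardType.Password),
        trailingIcon = {
            TextButton(onClick = { visible = !visible }) {
                Text(if (visible) "Hide" else "Show")
            }
        },
    )
}
```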
