Tips for testing OWASP MSTG-STORAGE-5

MSTG-STORAGE-5 states right now:


When users type in input fields, the software automatically suggests data. This feature can be very useful for messaging apps. However, the keyboard cache may disclose sensitive information when the user selects an input field that takes this type of information.

Static Analysis

In the layout definition of an activity, you can define TextViews that have XML attributes. If the XML attribute android:inputType is given the value textNoSuggestions, the keyboard cache will not be shown when the input field is selected. The user will have to type everything manually.


Source Code Auditing Tip

But… wait. Are you just looking for the string ‘textNoSuggestions’ when doing static analysis? Don’t forget to also look for ‘InputType.TYPE_TEXT_FLAG_NO_SUGGESTIONS‘ as the input type can be changed dynamically from an Activity. If you are only looking at the XML attributes of Layouts, you are missing out apps that dynamically change it..

Patch coming

By the time you read this my patch to the official OWASP MSTG repository clarifying how to detect it with static analysis better is probably merged. However, you could have read it here first.