Port MASTG-TEST-0006 (by @guardsquare) #3055

Open
wants to merge 6 commits into
base: master
Changes from 2 commits
31 changes: 31 additions & 0 deletions tests-beta/android/MASVS-PRIVACY/MASTG-TEST-0x06.md
@@ -0,0 +1,31 @@
---
platform: android
title: Sensitive Data Not Excluded From Keyboard Caching
id: MASTG-TEST-0x06
type: [static]
---

## Overview

This test checks whether your app prevents the caching of sensitive information entered into text fields. The keyboard may suggest previously entered text when typing in your app or other apps on the device. You can disable the caching mechanism for a text input by setting [textNoSuggestions](https://developer.android.com/reference/android/widget/TextView#attr_android:inputType:~:text=the%20performance%20reasons.-,textNoSuggestions,-80001) on it.

This test verifies whether your app makes use of `textNoSuggestions` attribute.

Android also prevents the keyboard from caching inputs marked with the following attributes:

- [textPassword](https://developer.android.com/reference/android/widget/TextView#attr_android:inputType)
- [textVisiblePassword](https://developer.android.com/reference/android/widget/TextView#attr_android:inputType:~:text=_URI.-,textVisiblePassword,-91)
- [numberPassword](https://developer.android.com/reference/android/widget/TextView#attr_android:inputType:~:text=_DECIMAL.-,numberPassword,-12)
- [textWebPassword](https://developer.android.com/reference/android/widget/TextView#attr_android:inputType:~:text=_PHONE.-,text,-1)

## Steps

1. Run a static analysis tool such as @MASTG-TOOL-0018 or @MASTG-TOOL-0011 on the APK to verify if your app uses `textNoSuggestions` or the `*password` attribute.

## Observation

The output should indicate whether the app uses no-caching attributes.

## Evaluation

The test case fails if any of the text fields in your app accepts sensitive data but does not use `textNoSuggestions` or `*password` attribute.
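
Review bot: The Observation section ("The output should indicate whether the app uses no-caching attributes") produces an app-wide yes/no, while the Evaluation fails the test per field ("any of the text fields in your app accepts sensitive data"). Suggest that Steps and Observation ask for a list of each text input together with its `android:inputType` value, so the fields that accept sensitive data can be checked one by one. In the Overview, "This test verifies whether your app makes use of `textNoSuggestions` attribute" leaves out the `*password` types that Steps and Evaluation also accept, and the `textWebPassword` link fragment ends in `text,-1` instead of naming `textWebPassword` the way the other three links name their value.
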
2 changes: 2 additions & 0 deletions tests/android/MASVS-STORAGE/MASTG-TEST-0006.md
Collaborator

Check below, there's some content that could go in a theory chapter and be referenced from the new test. Also the table is good to have as a table in the theory and it indicates the API levels.

Collaborator Author

I added it for now to the test. Please have a look if it's ok.

Expand Up @@ -8,6 +8,8 @@ title: Determining Whether the Keyboard Cache Is Disabled for Text Input Fields
masvs_v1_levels:
- L1
- L2
status: deprecated
covered_by: [MASTG-TEST-0x06]
---

## Overview
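
Review bot: `covered_by: [MASTG-TEST-0x06]` points at an ID that is not in the four-digit form used by `MASTG-TEST-0006`. If `0x06` is a placeholder, this reference has to be updated together with the `id:` field and filename of the new test once the final number is assigned, otherwise the deprecated page will point at a test that does not exist. The replacement also sits under `MASVS-PRIVACY` while this test is under `MASVS-STORAGE`, so it is worth stating the category move explicitly in the PR description.
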