This rule was developed in part by Beriwan Salamat Ravandi at the October 20-22, 2017 OurCS Workshop (http://www.cs.cmu.edu/ourcs/register.html). For more information about this statement, see the About the OurCS Workshop page.
Information that is cached may become accessible to other applications, and certainly becomes accessible if the device is found or stolen by a third party.
viaForensics [viaForensics 2014] warns of four situations where caching information may lead to sensitive data being leaked:
Furthermore, [Android Security] section Using WebView says:
"If your application accesses sensitive data with a WebView, you may want to use the clearCache() method to delete any files stored locally. Server-side headers like no-cache can also be used to indicate that an application should not cache particular content."
[This rule may require four or five NCCE/CS pairs.]
This noncompliant code example shows an application that caches sensitive information.
Another application could access the cache, thereby revealing the sensitive information.
In this compliant solution, the sensitive information is not cached.
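The following Android code is an added illustration of the noncompliant/compliant pair described above; it is not code from the original rule page. The activity class names and the account URL are assumptions. The noncompliant activity leaves a WebView at its default cache mode, so account pages it displays are written to the app's cache directory on disk, where they survive until evicted. The compliant activity disables caching up front with setCacheMode(LOAD_NO_CACHE) and, when the screen is left, calls clearCache() (the method the Android Security documentation quoted above recommends) together with the related form-data, history, and cookie clearing calls.

```java
import android.app.Activity;
import android.os.Bundle;
import android.webkit.CookieManager;
import android.webkit.WebSettings;
import android.webkit.WebView;

// Hypothetical URL used for both examples (assumption, not from the rule page).
// A server can additionally answer this URL with "Cache-Control: no-cache"
// so that the content is marked as not-to-be-cached on the wire as well.
final class AccountUrl {
    static final String VALUE = "https://bank.example/account";
    private AccountUrl() {}
}

// Noncompliant: the WebView keeps Android's default cache mode, so every
// response it renders (including the account page) is cached on disk and
// remains readable by anyone who obtains the device or its storage.
public class AccountActivityNoncompliant extends Activity {
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView webView = new WebView(this);
        setContentView(webView);
        // Default cache mode (LOAD_DEFAULT): responses are written to the cache.
        webView.loadUrl(AccountUrl.VALUE);
    }
}

// Compliant: never write sensitive content to the cache, and clear whatever
// the WebView may still hold as soon as the activity leaves the foreground.
public class AccountActivityCompliant extends Activity {
    private WebView webView;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        webView = new WebView(this);
        setContentView(webView);

        WebSettings settings = webView.getSettings();
        settings.setCacheMode(WebSettings.LOAD_NO_CACHE); // neither read nor write the cache
        settings.setSaveFormData(false);                   // do not persist typed form values
        settings.setDomStorageEnabled(false);              // no localStorage files on disk

        webView.loadUrl(AccountUrl.VALUE);
    }

    @Override
    protected void onPause() {
        super.onPause();
        // clearCache(true) also deletes the cache files on disk, not only the
        // in-memory entries; the remaining calls remove the other places a
        // WebView can leave sensitive data behind.
        webView.clearCache(true);
        webView.clearFormData();
        webView.clearHistory();
        CookieManager.getInstance().removeAllCookies(null); // API 21+
    }
}
```

Clearing in onPause() rather than onDestroy() matters in practice: onDestroy() is not guaranteed to run when the process is killed, whereas onPause() runs whenever the activity loses the foreground. Disabling the cache before loadUrl() is what actually prevents the write; the clearing calls are a second line of defense for content that reached the WebView by another path.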
Caching sensitive information may result in the information becoming accessible.
It is not possible to automatically detect all situations when sensitive information may be cached.
[Android Security] Using WebView
[Android API 2013]