...
- Caching web application data may result in URL histories, HTTP headers, HTML form inputs, cookies and other web-based data being revealed, see 2. Avoid caching app data.
- Words entered by a user via the keyboard are stored in the Android user dictionary for future auto-correction. The user dictionary is available to any app without requiring any permission and this could lead to sensitive data being leaked, see 15. Be aware of the keyboard cache.
- Apps may cache camera images which remain available after the app has finished, see 29. Android: avoid storing cached camera images.
- Application screens are retained in memory, enabling transaction histories to be viewed by anyone with access to the device who can directly launch the transaction view activity, see 30. Android: Avoid GUI objects caching.
Furthermore, [Android Security] section Using WebView says:
If your application accesses sensitive data with a WebView, you may want to use the clearCache() method to delete any files stored locally. Server-side headers like no-cache can also be used to indicate that an application should not cache particular content.
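The WebView guidance quoted above could be applied as follows. This is an added example, not code from this rule or from the Android documentation; the class name AccountWebActivity and the URL are hypothetical placeholders.

```java
import android.app.Activity;
import android.os.Bundle;
import android.webkit.CookieManager;
import android.webkit.WebSettings;
import android.webkit.WebView;

// Hypothetical activity that renders sensitive account pages in a WebView.
public class AccountWebActivity extends Activity {
    // Placeholder URL, not taken from the rule.
    private static final String ACCOUNT_URL = "https://bank.example.com/account";
    private WebView webView;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        webView = new WebView(this);
        setContentView(webView);

        WebSettings settings = webView.getSettings();
        // Do not use the cache; load every resource from the network.
        settings.setCacheMode(WebSettings.LOAD_NO_CACHE);
        // Do not remember form input (the WebView feature is disabled on API 26+).
        settings.setSaveFormData(false);

        webView.loadUrl(ACCOUNT_URL);
    }

    @Override
    protected void onDestroy() {
        if (webView != null) {
            // true = also delete on-disk cache files, not only the RAM cache.
            // The cache is per-application, so this affects every WebView in the app.
            webView.clearCache(true);
            webView.clearHistory();   // back/forward list
            webView.clearFormData();  // autocomplete data for the focused form field
            // Remove cookies set by the page, then write the change to storage.
            CookieManager.getInstance().removeAllCookies(null);
            CookieManager.getInstance().flush();
            webView.destroy();
            webView = null;
        }
        super.onDestroy();
    }
}
```

onDestroy() is not guaranteed to run if the process is killed, so pair this cleanup with the server-side no-cache header rather than relying on it alone.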
[This rule may require four or five NCCE/CS pairs.]
Noncompliant Code Example
...