Learning Objectives
To understand the fundamental concepts of unintended data leakage from the clipboard.
To understand basic defensive practices against unintended data leakage from the clipboard, which may provide an avenue of attack in mobile software development.
Unintended data leakage occurs when a mobile developer inadvertently leaves sensitive data in an insecure place, such as cache memory or unprotected files on the mobile device, where it may be easily accessed by malware. Typically, these side effects originate from the underlying mobile device's operating system. This vulnerability is common and prevalent in mobile programs written by developers who lack knowledge of side-channel data leakage.
Data leakage is easy to detect: inspect all locations on the mobile device that are accessible to all applications and look for the application's sensitive data.
The most common unintended data leakage vulnerabilities on mobile devices are found in the clipboard buffer, log files, browser cookies, and caches. On Android, the clipboard can be accessed by any application. For the Copy/Paste clipboard buffer in Android, we can eliminate the Copy/Paste options to avoid data exposure. It is best to avoid handling sensitive data with Copy/Paste if possible; if it cannot be avoided, the developer should clear the buffer once the data is used. Another option is for the developer to use a secured area, with cryptographic encryption on Copy and decryption on Paste.
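The last two practices above (clear the buffer once the data is used; encrypt on Copy and decrypt on Paste) can be combined as in the following added example, which is not code from the original module. The class name SecureClipboard, the clip label "enc" and the in-memory AES key are assumptions made for illustration.

```java
import android.content.*;
import android.os.Build;
import android.util.Base64;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.*;
import javax.crypto.*;
import javax.crypto.spec.GCMParameterSpec;
// Hypothetical helper (added example): only ciphertext ever reaches the shared clipboard.
public final class SecureClipboard {
    private static final int IV_LEN = 12, TAG_BITS = 128;
    private final ClipboardManager cm;
    private final SecretKey key; // assumption: in-memory key, valid for this process only
    public SecureClipboard(Context ctx) throws GeneralSecurityException {
        cm = (ClipboardManager) ctx.getSystemService(Context.CLIPBOARD_SERVICE);
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        key = kg.generateKey();
    }
    // Copy: AES-GCM encrypt, then put Base64(iv || ciphertext) on the clipboard.
    public void copy(String secret) throws GeneralSecurityException {
        byte[] iv = new byte[IV_LEN];
        new SecureRandom().nextBytes(iv); // fresh IV for every copy
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(secret.getBytes(StandardCharsets.UTF_8));
        byte[] blob = ByteBuffer.allocate(IV_LEN + ct.length).put(iv).put(ct).array();
        cm.setPrimaryClip(ClipData.newPlainText("enc", Base64.encodeToString(blob, Base64.NO_WRAP)));
    }
    // Paste: decrypt our own clip, then clear the buffer once the data is used.
    public String paste() throws GeneralSecurityException {
        ClipData clip = cm.getPrimaryClip();
        CharSequence t = (clip == null || clip.getItemCount() == 0) ? null : clip.getItemAt(0).getText();
        if (t == null) return null; // empty clipboard or non-text clip
        byte[] blob;
        try { blob = Base64.decode(t.toString(), Base64.NO_WRAP); }
        catch (IllegalArgumentException e) { throw new GeneralSecurityException("not our clip", e); }
        if (blob.length < IV_LEN + TAG_BITS / 8) throw new GeneralSecurityException("clip too short");
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, blob, 0, IV_LEN));
        String out = new String(c.doFinal(blob, IV_LEN, blob.length - IV_LEN), StandardCharsets.UTF_8);
        clear(); // reached only after the GCM tag verified, so the clip was ours
        return out;
    }
    public void clear() {
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) cm.clearPrimaryClip(); // API 28+
        else cm.setPrimaryClip(ClipData.newPlainText("", "")); // older devices: overwrite with an empty clip
    }
}
```

Another application that reads the clipboard between copy() and paste() sees only the Base64 ciphertext, and text placed on the clipboard by anything else fails decryption and is left untouched.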