Android Flaw: cloning content

How to reproduce:

1. An application with a bunch of EditText.
2. Go to setup and change the locale of Android.
3. Go back to the application.

Expected behavior

Locale changed and input values are the same.

Observed behavior

The input value from the last EditText is copied to all the others, even if it's a password-sensitive EditText.

Variations:
1. Same behavior in an EditText with the default TransformationMethod.
2. DatePicker and TimePicker have strange behaviors too. They lose what I was writing on them but they don’t copy content.
3. The behavior was first noticed on the internal component NumberPicker and after that tested on EditText.

Malicious usage scenario:
Someone is filling in a user/password form in an application, goes to the bathroom and forgets the phone on a table. Someone else picks it up, uses the flaw and reads the user's secret password.

Possible cause:
When the locale is changed and you enter the application again, it has to be destroyed and re-created, but somehow the old values are filled in again. Probably the routine that takes care of writing i18n details such as orientation (left-to-right/right-to-left) has a bug.

Affected versions:

  • Android 1.6, tested on 2 devices and emulator.
  • Android 2.0, tested on device.
  • Certainly all versions between them and I guess 2.1 also.

Thanks to Diego Almeida who first noticed that behavior on NumberPicker. :]

Update: I filed an issue with the Android project. It seems that they know about that behavior and the workaround is to put android:id properties on elements. The problem persists on NumberPicker even when using android:id on them! In fact, that is my real problem.
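
A debug-time check built on the android:id workaround above, as an added example that is not code from the original post or from the Android project. It logs every EditText that has no id or shares an id with another EditText (including ones nested inside compound widgets), and keeps password fields out of state saving. The class name StateIdAudit is hypothetical, and the code assumes the copied values travel through the saved view state that Android keys by view id.

```java
import android.text.method.PasswordTransformationMethod;
import android.util.Log;
import android.util.SparseIntArray;
import android.view.View;
import android.view.ViewGroup;
import android.widget.EditText;

/** Hypothetical helper: finds EditTexts whose saved state could collide. */
public final class StateIdAudit {
    private static final String TAG = "StateIdAudit";

    private StateIdAudit() {}

    /** Walks the hierarchy under root and returns the number of flagged fields. */
    public static int audit(View root) {
        return walk(root, new SparseIntArray());
    }

    private static int walk(View v, SparseIntArray seen) {
        int flagged = 0;
        if (v instanceof EditText) {
            EditText field = (EditText) v;
            int id = field.getId();
            if (id == View.NO_ID) {
                Log.w(TAG, "EditText without android:id: " + field);
                flagged++;
            } else {
                int count = seen.get(id) + 1;   // get() returns 0 for an unseen id
                seen.put(id, count);
                if (count > 1) {
                    Log.w(TAG, "EditText id 0x" + Integer.toHexString(id)
                            + " appears " + count + " times");
                    flagged++;
                }
            }
            // Assumption: with saving disabled, the typed password is never
            // written to the saved state, so it cannot be restored elsewhere.
            if (field.getTransformationMethod() instanceof PasswordTransformationMethod) {
                field.setSaveEnabled(false);
            }
        }
        if (v instanceof ViewGroup) {
            ViewGroup group = (ViewGroup) v;
            for (int i = 0; i < group.getChildCount(); i++) {
                flagged += walk(group.getChildAt(i), seen);
            }
        }
        return flagged;
    }
}
```

Call StateIdAudit.audit(findViewById(android.R.id.content)) after setContentView() in a debug build and treat a non-zero result as a layout defect. A password field with saving disabled comes back empty when the activity is re-created, which is the intended trade-off.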