Data Class – Masking Sensitive Data by Default Sensitive<T> Here’s our very own data-masking tool. When a data field itself contains some sensitive value, it should be encapsulated within the below data class to achieve by default. Since the method is overridden, , its . Access to sensitive or restricted information is controlled this way, reminding the developers not expose one. Below is a data-masking example class written in Kotlin: data obfuscation toString() where “masked” is always returned actual value can’t be printed out unless explicitly requested ( : T) { = : T = } data < > class Sensitive T private val data override fun toString () "masked" fun getSensitive () data A hint – some programming languages support memory erasure, you may want to implement a function with that. clear() Here’s an example data class User where three of its properties are considered sensitive, which hence needs data masking with : Sensitive<T> ( name: Sensitive<String>, email: Sensitive<String>, cardLast4: Sensitive<String>, username: String
) data class User val val val val Below is a demo on masking with : Sensitive<T> ( : T) { = : T = } ( name: Sensitive<String>, email: Sensitive<String>, cardLast4: Sensitive<String>, username: String
) { user = User(
        Sensitive( ), 
        Sensitive( ), 
        Sensitive( ), )
    println(user)
    println(user.name.getSensitive())
} data < > class Sensitive T private val data override fun toString () "masked" fun getSensitive () data data class User val val val val fun main () val "Elliot" "elliot@oursky.com" "1234" "elliot" An interactive code snippet is available , try to run it! The result should be: here User(name=masked, email=masked, cardLast4=masked, username=elliot)
Elliot Explicit Request on Sensitive Data In cases where a developer really has to obtain a sensitive data field, they can do so by calling the function from the data class . Such operation is intentionally designed to be so the developer will need to think twice before impetuously printing PII to the console. getSensitive() Sensitive<T> inconvenient Track Exposed Sensitive Data To visualize which part(s) of code explicitly requested to expose sensitive data, type the following command in your terminal: grep grep -nR getSensitive . This can be to conduct auto security checks on exposed sensitive data. effortlessly integrated into a CI pipeline Disable Screenshot and Background Preview when Handling Sensitive Information Thorough understandings of behaviours of the underlying operating system is also essential to a secure development cycle. While we may have PII data hidden by sensitive filters in the code and log console, it’s still possible that the sensitive data value is shown on the UI. Make sure to disable screenshot ability and background preview on such screens. Android – Disable Screenshot .setFlags(WindowManager.LayoutParams.FLAG_SECURE,
                WindowManager.LayoutParams.FLAG_SECURE) window Android – Hide Sensitive Screen on Recent Apps List This covers the logic in lifecycle and to hide an app’s screen from the Recent Apps List on Android. It may not work on older Android versions (i.e., pre-Android 8/Oreo), so you may have to opt for more robust measures like setting in your manifest, or self-replacing the screen with a black image temporarily. StackOverflow post onPause() onResume() android:excludeFromRecents="true" iOS – Replace Task Switcher Thumbnail This covers how to hide sensitive information from the Task Switcher preview. document This article is an excerpt from my article . "Data Masking and Handling to Minimize Sensitive Data Exposure" Previously published at https://code.oursky.com/data-masking-and-handling-to-minimize-sensitive-data-exposure/

Too Long; Didn't Read

Making security fun one episode at a time

How To Code To Prevent Sensitive Data Exposure

Too Long; Didn't Read

Oursky

About Author

TOPICS

THIS ARTICLE WAS FEATURED IN...

How To Code To Prevent Sensitive Data Exposure

Too Long; Didn't Read

Oursky

About Author

TOPICS

THIS ARTICLE WAS FEATURED IN...

RELATED STORIES