How To Code To Prevent Sensitive Data Exposure

Written by oursky | Published 2021/06/26

TLDR: When a data field contains a sensitive value, it should be encapsulated in the Sensitive<T> data class described below to obfuscate it by default. Since toString() is overridden to always return "masked", the actual value cannot be printed out unless explicitly requested. Where a developer really has to obtain a sensitive data field, they can do so by calling getSensitive(). Even with masking in code and logs, the sensitive value may still be shown on the UI, so screenshots and background previews should be disabled on such screens.

Data Class Sensitive<T> – Masking Sensitive Data by Default

Here’s our very own data-masking tool. When a data field itself contains some sensitive value, it should be encapsulated within the data class below to achieve data obfuscation by default. Since the toString() method is overridden to always return “masked”, the actual value can’t be printed out unless explicitly requested. Access to sensitive or restricted information is controlled this way, reminding developers not to expose it. Below is a data-masking example class written in Kotlin:
data class Sensitive<T>(private val data: T) {
  override fun toString() = "masked"
  fun getSensitive(): T = data
}
A hint: some programming languages support memory erasure; you may want to implement a clear() function using that.
Here’s an example data class User where three of its properties are considered sensitive and hence need data masking with Sensitive<T>:
data class User(
  val name: Sensitive<String>,
  val email: Sensitive<String>,
  val cardLast4: Sensitive<String>,
  val username: String
)
Below is a demo on masking with Sensitive<T>:
// Wrapper that masks its value in toString() and only reveals it on explicit request
data class Sensitive<T>(private val data: T) {
    override fun toString() = "masked"
    fun getSensitive(): T = data
}

// Three of the four properties are PII and are therefore wrapped
data class User(
    val name: Sensitive<String>,
    val email: Sensitive<String>,
    val cardLast4: Sensitive<String>,
    val username: String
)

fun main() {
    val user = User(
        Sensitive("Elliot"),
        Sensitive("[email protected]"),
        Sensitive("1234"),
        "elliot"
    )
    println(user)                      // every Sensitive field prints as "masked"
    println(user.name.getSensitive())  // explicit request reveals the value
}
An interactive code snippet is available here; try to run it! The result should be:
User(name=masked, email=masked, cardLast4=masked, username=elliot)
Elliot
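As an added example (not code from the original post), the memory-erasure hint above worked through: a CharArray-backed variant of the wrapper with a clear() function and a scoped use { } accessor that wipes the secret once the caller is done with it. The class name SensitiveChars and the sample password are assumptions.

```kotlin
// Added example, not from the original post. A plain String on the JVM is immutable and
// cannot be wiped, so the secret is held as a CharArray that can be overwritten.
// Deliberately a plain class, not a data class: equals()/hashCode()/copy() over a
// secret buffer are not wanted here.
class SensitiveChars(private val data: CharArray) {
    private var cleared = false

    // Masked by default, exactly like Sensitive<T>.toString()
    override fun toString() = "masked"

    // Explicit request; refuses to hand out a value that has already been wiped
    fun getSensitive(): CharArray {
        check(!cleared) { "sensitive value has already been cleared" }
        return data
    }

    // Overwrite the backing array so the secret does not linger on the heap
    fun clear() {
        data.fill('\u0000')
        cleared = true
    }

    // Scoped access: the value is erased as soon as the block finishes, even if it throws
    fun <R> use(block: (CharArray) -> R): R =
        try { block(getSensitive()) } finally { clear() }
}

fun main() {
    val password = SensitiveChars("hunter2".toCharArray())      // constructed sample value
    println(password)                                            // masked
    val length = password.use { it.size }                        // explicit, scoped access
    println(length)                                              // 7
    println(runCatching { password.getSensitive() }.isFailure)   // true: already cleared
}
```

The grep check described further down still finds these accesses, since the explicit accessor keeps the name getSensitive.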
Explicit Request on Sensitive Data
In cases where a developer really has to obtain a sensitive data field, they can do so by calling the function getSensitive() from the data class Sensitive<T>. Such an operation is intentionally designed to be inconvenient so the developer needs to think twice before impetuously printing PII to the console.
Track Exposed Sensitive Data
To visualize which parts of the code explicitly request to expose sensitive data, type the following grep command in your terminal:
grep -nR getSensitive .
This can be easily integrated into a CI pipeline to run automatic security checks on exposed sensitive data. Note that the listing will also include the declaration of getSensitive() inside Sensitive<T> itself, so the interesting lines are the call sites.

Disable Screenshot and Background Preview when Handling Sensitive Information

A thorough understanding of the behaviour of the underlying operating system is also essential to a secure development cycle.
While PII may be hidden by sensitive-data filters in the code and the log console, it’s still possible that the sensitive value is shown on the UI. Make sure to disable the screenshot ability and background preview on such screens.
Android – Disable Screenshot
window.setFlags(WindowManager.LayoutParams.FLAG_SECURE,
                WindowManager.LayoutParams.FLAG_SECURE)
Android – Hide Sensitive Screen on Recent Apps List
This StackOverflow post covers the logic in the lifecycle callbacks onPause() and onResume() to hide an app’s screen from the Recent Apps List on Android. It may not work on older Android versions (i.e., pre-Android 8/Oreo), so you may have to opt for more robust measures like setting android:excludeFromRecents="true" in your manifest, or temporarily replacing the screen with a black image yourself.
iOS – Replace Task Switcher Thumbnail
This document covers how to hide sensitive information from the Task Switcher preview.
This article is an excerpt from my article "Data Masking and Handling to Minimize Sensitive Data Exposure".

Published by HackerNoon on 2021/06/26