Security: Intune Android : Sensitive Content Exposed via Clipboard #252

Open
guru2010j opened this issue Nov 4, 2024 · 0 comments

During our internal security scans, we were notified of the issue below. We would like to ask the Intune SDK team to verify and help us fix it.

Starting with Android 13, the system will display any text that is copied in a popover UI on the user's screen. If the user has copied sensitive content (such as a password), this can lead to sensitive data exposure.

To mitigate this risk factor, Android 13 introduces a new flag, EXTRA_IS_SENSITIVE, that can be applied to data copied to the clipboard. If this flag is applied, the system will treat the data copied to the clipboard as sensitive and will refrain from displaying it on the user's screen.

Therefore, when the App is running on Android 13, it must mark any sensitive content copied to the clipboard as such, to prevent data exposure to attackers in the user's vicinity. Note that this UI applies to any App running on Android 13, and is presented regardless of the App's target API version. Therefore, we recommend that all applications mark sensitive clipboard content as necessary.

Recommendation

If the App copies any sensitive data to the clipboard, mark the data as sensitive to the system to prevent unnecessary data exposure. As this UI is presented on any device running Android 13, regardless of the App's underlying target API version, implement this mitigation even if the App is targeting a lower API version.

@guru2010j guru2010j added the Feature Request Issue is a feature request for the SDK. label Nov 4, 2024
@kanishkaBagga kanishkaBagga self-assigned this Nov 5, 2024
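
The mitigation described in the issue, as an added example that is not part of the original issue or of the Intune SDK: a Kotlin helper that sets the flag through the platform `ClipboardManager` API. The function name `copyToClipboard` and its parameters are hypothetical; the flag is written as its string value so the helper also builds when `compileSdk` is below 33.

```kotlin
import android.content.ClipData
import android.content.ClipboardManager
import android.content.Context
import android.os.Build
import android.os.PersistableBundle

// String value of ClipDescription.EXTRA_IS_SENSITIVE (added in API 33),
// spelled out so this file compiles against older SDK levels as well.
private const val EXTRA_IS_SENSITIVE = "android.content.extra.IS_SENSITIVE"

/**
 * Hypothetical helper (not an Intune SDK API): copies [text] to the clipboard
 * and, when [sensitive] is true, flags the clip so that the Android 13+
 * clipboard preview does not show its content.
 */
fun copyToClipboard(
    context: Context,
    label: String,
    text: CharSequence,
    sensitive: Boolean
) {
    val clipboard =
        context.getSystemService(Context.CLIPBOARD_SERVICE) as ClipboardManager
    val clip = ClipData.newPlainText(label, text)

    // ClipDescription.setExtras() exists from API 24 onward. The check is on
    // the device's OS version, not on the app's targetSdkVersion, because the
    // preview is shown on every Android 13 device regardless of target level.
    if (sensitive && Build.VERSION.SDK_INT >= Build.VERSION_CODES.N) {
        clip.description.extras = PersistableBundle().apply {
            putBoolean(EXTRA_IS_SENSITIVE, true)
        }
    }

    // The flag must be set before the clip is handed to the system.
    clipboard.setPrimaryClip(clip)
}

// Example call from the copy action of a password field (names are assumptions):
// copyToClipboard(context, "credential", passwordField.text, sensitive = true)
```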