
Android Keyboard Cache

Keyboard caching is more complex on Android than it is on iOS. There is no centrally located file where the cache is stored, and Android allows you to install custom keyboards on a per-app basis if desired. Most apps will ship using the standard “Gboard” keyboard, which is the default on the device. If the app embeds its own keyboard, you will most likely discover that during the Static Analysis phase when reviewing the app files on the device.

There are a couple of locations on an Android device where we can look for the standard keyboard cache:

  • User Dictionary: /data/data/com.android.providers.userdictionary/databases/user_dict.db

  • Input Method: /data/data/com.google.android.inputmethod.latin/

    • files/personal/userhistory/UserHistory.en_US.dict
    • files/personal/Personal.en_US.dict

These files can be reviewed on a rooted device, and they should be on every test. Android also stores all Activities (views) as XML files in the APK, so we can easily review these configurations to see if any text field or editor is set to cache words.

Check Text Input Configuration

To check if keyboard caching has been disabled, you can review the XML file configuration. These are typically located in the “res/layout” directory from apktool. If the text field in the app has “hint” text, then it is easy to find the correct configuration. For instance, if it is a password and has the hint text of Password in the text field:

% grep -riE 'android:hint="Password"' .
./layout/activity_main.xml: <EditText android:id="@id/textPassword" android:layout_width="473.0dip" android:layout_height="56.0dip" android:hint="Password" android:ems="10" android:password="true" android:singleLine="true" android:inputType="textPassword" />

In this example, both the android:password="true" parameter and the android:inputType="textPassword" parameter are set. These parameters will prevent the text input from being cached.

If any of the text fields have “textAutoCorrect” or “textAutoComplete” there is a possibility that those text fields will cache data.
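
The check above can be run across every layout at once. The following is an added example, not part of the original page: it parses apktool-decoded layout XML and sorts each text-entry field by the attributes discussed here. The function names (audit_layout, audit_tree), the verdict labels and the sample layout are assumptions made for illustration.

```python
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

NS = "{http://schemas.android.com/apk/res/android}"   # android: attribute namespace
MAY_CACHE = {"textAutoCorrect", "textAutoComplete"}    # flags named on this page

def audit_layout(xml_data):
    """Return [(field id, verdict)] for each text-entry element in one layout."""
    results = []
    for el in ET.fromstring(xml_data).iter():
        input_type = el.get(NS + "inputType")
        if input_type is None and not el.tag.endswith("EditText"):
            continue  # not a text-entry field
        flags = set((input_type or "").split("|"))
        if el.get(NS + "password") == "true" or "textPassword" in flags:
            verdict = "not-cached"
        elif flags & MAY_CACHE:
            verdict = "may-cache"
        else:
            verdict = "review"  # nothing explicit either way: inspect by hand
        results.append((el.get(NS + "id", "<no id>"), verdict))
    return results

def audit_tree(layout_dir):
    """Audit every XML file in an apktool-decoded res/layout directory."""
    report = {}
    for path in sorted(Path(layout_dir).glob("*.xml")):
        try:
            report[path.name] = audit_layout(path.read_bytes())
        except ET.ParseError:
            report[path.name] = [("<unparseable>", "review")]
    return report

# Constructed sample layout (not taken from a real app).
SAMPLE = """<LinearLayout xmlns:android="http://schemas.android.com/apk/res/android">
  <EditText android:id="@id/textPassword" android:hint="Password"
            android:password="true" android:inputType="textPassword" />
  <EditText android:id="@id/textAccount" android:hint="Account"
            android:inputType="text|textAutoCorrect" />
  <EditText android:id="@id/textNotes" android:hint="Notes" />
  <TextView android:id="@id/label" android:text="Login" />
</LinearLayout>"""

if __name__ == "__main__":
    report = audit_tree(sys.argv[1]) if len(sys.argv) > 1 else {"SAMPLE": audit_layout(SAMPLE)}
    for name, rows in report.items():
        for field_id, verdict in rows:
            print(f"{name}: {field_id}: {verdict}")
```

Run it with the path to the decoded res/layout directory as its only argument; fields reported as "may-cache" or "review" are the ones to type test values into and then look for in the keyboard cache files.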

Check the Input Files

The User Dictionary is an SQLite database. To open and query the database:

sunfish:/data/data/com.android.providers.userdictionary/databases # sqlite3 user_dict.db
SQLite version 3.27.2 2019-02-25 16:06:06
Enter ".help" for usage hints.
sqlite> .tables
android_metadata words
sqlite> select * from words;
1|Passw0rd1|250|en_US|0|
sqlite> .exit

The .dict files are not database files but raw “data” files, so you will need to use the strings command to review them:

sunfish:/data/data/com.google.android.inputmethod.latin/files/personal/userhistory # strings UserHistory.en_US.dict

0$>a
We love Marisa.
Passw0rd1
