2

Currently, I’m creating a new SDK that contains sensitive fields that shouldn’t be read by the consumers (Think Credit Card Number field) and I’m using Jetpack Compose to create the forms, my question is, is it possible to do a reflection on Jetpack Compose, compromise the user privacy and read their credit card numbers for example?

I tried reading declared fields / declared methods via reflection but didn’t find anything important that’s possible to compromise are there any other ways to do this or to prevent this from happening?

Mahmoud Elshamy
  • 578
  • 1
  • 5
  • 13
  • What is the actual API surface of your SDK? For example, is your form contained in a dedicated activity, your composables are in that activity, and consumers of your SDK start the activity? – CommonsWare Nov 13 '22 at 23:41
  • @CommonsWare It's an SDK that shows some forms to the user to collect some information like payment info and some personal info, The consumers will start a specific activity that contains the composables and they will receive results once the user finished this activity – Mahmoud Elshamy Nov 14 '22 at 06:23

1 Answers1

4

The consumers will start a specific activity that contains the composables and they will receive results once the user finished this activity

For your specific concern, this is the best possible implementation for an in-app SDK that has its own UI. It is theoretically possible for a developer to obtain the credit card number being collected by your TextField(), BasicTextField(), or other composable. However, it would be even easier for them to obtain the credit card number from an EditText, so your use of Compose UI is, if anything, improving your position.

Basically, so long as you have the UI in the consumer's app, there will be some way to get at that UI and its contents.

CommonsWare
  • 986,068
  • 189
  • 2,389
  • 2,491
  • Is there a way to prevent this from happening or make it difficult? Or do you know what's the best way to resolve this issue? – Mahmoud Elshamy Nov 14 '22 at 11:57
  • 1
    @MahmoudElshamy: "Is there a way to prevent this from happening or make it difficult?" -- do not publish the SDK. Or, do not have the SDK collect this information via a UI. – CommonsWare Nov 14 '22 at 12:55