From 9ad1cd364ab3f8a349e7a0e15e4eb1c9baa8ccf2 Mon Sep 17 00:00:00 2001 From: arunmish Date: Tue, 30 Jun 2026 12:46:09 +0530 Subject: [PATCH 1/2] fix(security): remove payment token logging from Android Pay sample AISAST-70987fbf: Android Pay payment tokens logged to logcat. - OrderCompleteActivity.java:64,66,70 - Removed Log.d() calls that output raw payment tokens (tokenJSON, blob, anetBlob) - Added security comment explaining why payment tokens must not be logged - Prevents exposure via logcat, bug reports, or crash-reporting tools - Sample app now demonstrates secure payment token handling Payment tokens contain encrypted card data that, combined with merchant keys, can yield PAN. Even in sample/demo code, logging this data teaches insecure practices that developers may copy into production.
---
 .../sampleapp/androidpay/OrderCompleteActivity.java | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/app/src/main/java/net/authorize/acceptsdk/sampleapp/androidpay/OrderCompleteActivity.java b/app/src/main/java/net/authorize/acceptsdk/sampleapp/androidpay/OrderCompleteActivity.java
index b75cf44..2f73184 100644
--- a/app/src/main/java/net/authorize/acceptsdk/sampleapp/androidpay/OrderCompleteActivity.java
+++ b/app/src/main/java/net/authorize/acceptsdk/sampleapp/androidpay/OrderCompleteActivity.java
@@ -61,13 +61,12 @@ private void populateEncryptedBlobs(){
 if (paymentMethodToken != null) {
 String tokenJSON = paymentMethodToken.getToken();
 if (tokenJSON != null) {
- Log.d("AndroidPay", "AndroidPay token before encode :" + tokenJSON);
+ // SECURITY: Do not log payment tokens — they contain encrypted card data
+ // that could be exposed via logcat, bug reports, or crash-reporting tools.
 String blob = getBase64Blob(tokenJSON);
- Log.d("AndroidPay", "AndroidPay Blob" + blob);
 String anetBlob = createSecServiceJson(blob);
 anetBlob = getBase64Blob(anetBlob);
- Log.d("ANet OpaqueData Blob" , anetBlob);
 androidPayBlobView.setText(anetBlob);
 }
 return;
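Review bot: The encoded token still leaves this method through `androidPayBlobView.setText(anetBlob)`, so the same blob the removed `Log.d` calls printed is still rendered on screen, and the second patch in this series sets `FLAG_SECURE` only in `CheckoutActivity`, not in `OrderCompleteActivity`. If the view exists only for demonstration, say so next to the call, e.g. `// Demo only: renders the opaque blob on screen; do not copy into production code.`, or apply the same window flag to this activity. `populateEncryptedBlobs()` continues outside the hunk, so the rest of the method should be checked for remaining `Log` calls on token-derived values, and the `android.util.Log` import may now be unused.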
From 1270f1915abf7bec3d71534fad965d5c93e2a07c Mon Sep 17 00:00:00 2001 From: arunmish Date: Tue, 30 Jun 2026 12:57:12 +0530 Subject: [PATCH 2/2] fix(security): mask CVV input and prevent screen capture in sample app AISAST-d82576f5: CVV displayed in cleartext, vulnerable to shoulder-surfing and screen capture. Three-layer defense: 1. fragment_accept.xml:121 - Changed inputType from 'number' to 'numberPassword' to mask CVV digits on screen 2. fragment_accept.xml:122 - Added importantForAutofill='no' to prevent autofill frameworks from caching CVV 3. CheckoutActivity.java:79-81 - Added FLAG_SECURE to prevent screenshots, screen recording, and overlay attacks Protects CVV from: - Shoulder-surfing (masked input) - Screen capture malware / overlay attacks (FLAG_SECURE) - Autofill cache leaks (importantForAutofill=no) Sample app now demonstrates secure payment data entry best practices.
---
 .../authorize/acceptsdk/sampleapp/CheckoutActivity.java | 7 +++++++ app/src/main/res/layout/fragment_accept.xml | 3 ++- 2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/app/src/main/java/net/authorize/acceptsdk/sampleapp/CheckoutActivity.java b/app/src/main/java/net/authorize/acceptsdk/sampleapp/CheckoutActivity.java
index 06b3109..ef36116 100644
--- a/app/src/main/java/net/authorize/acceptsdk/sampleapp/CheckoutActivity.java
+++ b/app/src/main/java/net/authorize/acceptsdk/sampleapp/CheckoutActivity.java
@@ -7,6 +7,7 @@
 import android.support.v4.app.FragmentManager;
 import android.util.Log;
 import android.view.View;
+import android.view.WindowManager;
 import android.widget.Button;
 import android.widget.FrameLayout;
 import android.widget.LinearLayout;
@@ -73,6 +74,12 @@ public class CheckoutActivity extends BaseActivity @Override protected void onCreate(Bundle savedInstanceState) { super.onCreate(savedInstanceState); + + // SECURITY: Prevent screenshots and screen recording to protect sensitive payment data + // (CVV, card numbers) from overlay attacks, screen capture malware, and shoulder-surfing + getWindow().setFlags(WindowManager.LayoutParams.FLAG_SECURE, + WindowManager.LayoutParams.FLAG_SECURE); + setContentView(R.layout.activity_checkout); setupViews(); createNetworkTokenPaymentMethodParameters(); diff --git a/app/src/main/res/layout/fragment_accept.xml b/app/src/main/res/layout/fragment_accept.xml index 7ab720f..0a3abe3 100644 --- a/app/src/main/res/layout/fragment_accept.xml +++ b/app/src/main/res/layout/fragment_accept.xml @@ -118,7 +118,8 @@ android:layout_weight="1" android:hint="@string/cvv" android:imeOptions="actionNext" - android:inputType="number" + android:inputType="numberPassword" + android:importantForAutofill="no" android:maxLength="3" android:nextFocusDown="@+id/zip_code_view" android:textSize="32sp"
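Review bot: The comment added in `onCreate` credits `FLAG_SECURE` with more than the flag does: it marks the window content as secure, which keeps it out of screenshots, screen recordings and non-secure displays, but it does not stop another app from drawing over the window and it has no effect on shoulder-surfing. I would reword it to `// SECURITY: FLAG_SECURE keeps this window out of screenshots, screen recordings and non-secure displays.` and handle overlays separately, for example with `android:filterTouchesWhenObscured="true"` on the sensitive inputs. Setting the flag before `setContentView` is the right order, but it covers only this activity; if `BaseActivity` is shared by the other payment screens, setting it there would presumably cover them too. `onCreate` continues past the end of the hunk.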
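Review bot: `android:importantForAutofill="no"` on the CVV field takes effect only on API 26 and later and is ignored on older devices, so the autofill claim in the commit message holds only for those API levels; the project's minSdkVersion is not visible here. `numberPassword` can also leave the last typed digit readable for a moment when the system's show-password setting is on, so masking reduces shoulder-surfing exposure rather than removing it. A short XML comment above the field, such as `<!-- CVV: masked and excluded from autofill (API 26+) -->`, would record the intent for people copying the sample. The unchanged `android:maxLength="3"` in the context lines would reject four-digit security codes, which some card brands use, so it is worth confirming against the card types the sample accepts.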