Native Android textbox isSecure ... far from it.

Solar2D Android
#1

The Native android Text box when used for passwords has two significant problems. #1 it is caching the passwords in the keyboard keystrokes buffer, so that when you start typing in the password, your password comes up on the screen as a potential word selection.   #2. on some phones the first letter of the password is being capitalized causing great user confusion.  Since I have never seen this on any other android app, I am assuming that the Native.textBox just does not implement this properly on Android.  Any ideas for when this could be fixed?

We are using SDK 2013.1139

#2

I’m seeing this on android too (capitalizing first letter sometimes). Which makes the typed ios password diffrent than the android pw. One solution is to do a  tolower() before saving it off.

Kinda rough to do it now though, since people already have stored pw’s with an uppercase first letter. It’s more complicated for me because I did md5 encryption before sending to the server as well.

#3

Since people often use capitals in passwords, and we have them entering this same password on our web site, I do not think doing a lower will work for us.

Mike

#4

Caching the password is a pretty big issue, if your making an app that deals with money (which i am) i really don’t want anyone else to be able to log in simply by guessing the first letter of the password.

Do you happen to know a way around it? I presume its something Corona would have to fix.

#5

I don’t have any workarounds… CORONA???

#6

Hello Mike,

This is a known problem on some Android devices, but not all… it varies wildly between different Android devices. But at the core, this is a problem with Corona’s native text field code. We’re aware of the issue, but at this time we don’t have an ETA on when it will be fixed.

If you don’t mind, could you (and others in this post, @mpappas and TandG) cast a vote for this in the feedback system? This would help us figure out how many users need this fix, and how soon.

http://feedback.coronalabs.com/forums/

I can also check with the engineers and see if a “simple” fix could be implemented to solve this, while we figure out a more thorough cross-platform solution.

Best regards,

Brent

#7

I don’t have any votes left so i can’t, but surely it would be better to submit this as a bug? 

I don’t mind if its a hack and slash fix where we have to put some extra booleans in, just something in place to disable caching would be great!

#8

I thought the voting system was for features?? Is corona really going to have us start competing to see which bugs get fixed???

#9

Hi Mike,

Good point, I apologize for the mis-statement. If you have this code as part of your project, can you please submit it as a bug report, or post it here so I can file it as an official bug report? I appreciate your help with that if you can provide it.

Sincerely,

Brent Sorrentino

#10

I don’t have a problem putting a bug in, but if this is a know issue why is there not a bug in already? This is a serious security problem and it would be nice to know that Corona was taking it seriously.

Mike

#11

I see in the latest daily this has been fixed! I haven’t had a chance to test it yet but thanks for getting it sorted :slight_smile:

“Android: Setting a text field to isSecure will now show suggestions anymore. Casenum: 22214”

#12

The caching seems to be fixed. I don’t have a device at hand that was doing the first letter Upper case. But it is reasonable to think that this would be fixed as well given how these things work.

Mike

#13

I’m seeing this on android too (capitalizing first letter sometimes). Which makes the typed ios password diffrent than the android pw. One solution is to do a  tolower() before saving it off.

Kinda rough to do it now though, since people already have stored pw’s with an uppercase first letter. It’s more complicated for me because I did md5 encryption before sending to the server as well.

#14

Since people often use capitals in passwords, and we have them entering this same password on our web site, I do not think doing a lower will work for us.

Mike

#15

Caching the password is a pretty big issue, if your making an app that deals with money (which i am) i really don’t want anyone else to be able to log in simply by guessing the first letter of the password.

Do you happen to know a way around it? I presume its something Corona would have to fix.

#16

I don’t have any workarounds… CORONA???

#17

Hello Mike,

This is a known problem on some Android devices, but not all… it varies wildly between different Android devices. But at the core, this is a problem with Corona’s native text field code. We’re aware of the issue, but at this time we don’t have an ETA on when it will be fixed.

If you don’t mind, could you (and others in this post, @mpappas and TandG) cast a vote for this in the feedback system? This would help us figure out how many users need this fix, and how soon.

http://feedback.coronalabs.com/forums/

I can also check with the engineers and see if a “simple” fix could be implemented to solve this, while we figure out a more thorough cross-platform solution.

Best regards,

Brent

#18

I don’t have any votes left so i can’t, but surely it would be better to submit this as a bug? 

I don’t mind if its a hack and slash fix where we have to put some extra booleans in, just something in place to disable caching would be great!

#19

I thought the voting system was for features?? Is corona really going to have us start competing to see which bugs get fixed???

#20

Hi Mike,

Good point, I apologize for the mis-statement. If you have this code as part of your project, can you please submit it as a bug report, or post it here so I can file it as an official bug report? I appreciate your help with that if you can provide it.

Sincerely,

Brent Sorrentino