Skip to content

Month: April 2010

Android Flaw: cloning content

How to reproduce:

1. An application with a bunch of EditText.
2. Go to setup and change the locale of Android.
3. Back to the application.

Expected behavior

Locale changed and input values are the same.

Observed behavior

Input values from the last EditText is copied to all others. Even if it’s a password sensitive EditText.


1. Same behavior in a EditText with default TransformationMethod.
2. DatePicker and TimePicker have strange behaviors too. They lose what I was writing on them but they don’t copy content.
3. The behavior was first noticed on the internal component NumberPicker and after that tested on EditText.

Malicious usage scenario:
Someone is filling user/password form in a application, go to the bathroom and forget the phone over a table. Other one gets it, use the flaw and read the user secret password.

Possible cause:
When locale is changed and you enter again in a application, it has to be destroyed and created but somehow old values are filled again. Probably the routine that cares about writing i18n details such orientation (left-to-right/right-to-left) has a bug.

Affected versions:

  • Android 1.6, tested on 2 devices and emulator.
  • Android 2.0, tested on device.
  • Certainly all versions between them and I guess 2.1 also.

Thanks to Diego Almeida who first noticed that behavior on NumberPicker. :]

Update: I filled a issue on Android project. Seems that they know about that behavior and the workaround is to put android:id properties on elements. The problem persists on NumberPicker even when using android:id on them! In fact, is my real problem.

Java: invoking a method by name

import java.lang.reflect.*;

public class Foo {
	public void bar(int param){

	public static void main(String args[]){
		Object f = new Foo();
		try {
			Method m = f.getClass().getMethod("bar", int.class);
			m.invoke(f, 42);
		} catch (Exception e){


$ java Foo

Android: acessing internal resoures

a new android I just drew. source-code: android_look.svg. CC-BY-SA as usual.

You can acess internal Android resources such strings, drawables, layouts and others. For example, if you need to create a button with the text “Cancel” you can do:

Using this you are using the internal resource for “Cancel” in that Android and all its i18n. Using the same logic you can access drawables, layouts, etc.