CodeQL documentation

Exposure of sensitive information to notifications

ID: java/android/sensitive-notification
Kind: path-problem
Security severity: 6.5
Severity: error
Precision: medium
   - security
   - external/cwe/cwe-200
Query suites:
   - java-security-extended.qls
   - java-security-and-quality.qls

Click to see the query in the CodeQL repository

Sensitive information such as passwords or two-factor authentication (2FA) codes should not be exposed in a system notification. Notifications should not be considered secure, as other untrusted applications may be able to use a NotificationListenerService to read the contents of notifications.


Do not expose sensitive data in notifications.


In the following sample, the password is sent as part of a notification. This can allow another application to read this password.

// BAD: `password` is exposed in a notification.
void confirmPassword(String password) {
    NotificationManager manager = NotificationManager.from(this);
        new Notification.Builder(this, CHANNEL_ID)
        .setContentText("Your password is: " + password)


  • © GitHub, Inc.
  • Terms
  • Privacy