A password need not be viewable to its owner, and must not be viewable to others. If a password is displayed, anyone in the vicinity could see it and use it to compromise the system. In computer security, shoulder surfing refers to using direct observation techniques, such as looking over someone's shoulder, to get information. Shoulder surfing is particularly effective in crowded, public environments. This threat particularly applies to mobile devices, which are generally intended for use in all environments, both private and public.
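The check below is an added example, not part of the original page: it scans an Android layout file for password-like EditText fields whose android:inputType does not mask what is typed. The sample layout, the field ids, and the name-matching heuristic are constructed assumptions; masking applied in code rather than in the layout is not detected.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
# inputType variations that render typed characters as dots.
# textVisiblePassword is deliberately absent: it shows the text in clear.
MASKING_TYPES = {"textPassword", "textWebPassword", "numberPassword"}
# Assumed heuristic: a field is password-like if its id or hint contains one of these.
PASSWORD_HINTS = ("password", "passwd", "pwd")


def _attr(elem, name):
    """Read an android:-namespaced attribute, or '' when it is absent."""
    return elem.get(f"{{{ANDROID_NS}}}{name}", "")


def find_unmasked_password_fields(layout_xml):
    """Return android:id values of password-like EditTexts that show input in clear."""
    findings = []
    for elem in ET.fromstring(layout_xml).iter():
        # endswith() also matches subclasses such as TextInputEditText.
        if not elem.tag.endswith("EditText"):
            continue
        label = (_attr(elem, "id") + " " + _attr(elem, "hint")).lower()
        if not any(hint in label for hint in PASSWORD_HINTS):
            continue
        # inputType may combine several flags with '|'.
        flags = {flag.strip() for flag in _attr(elem, "inputType").split("|")}
        legacy_masked = _attr(elem, "password") == "true"  # deprecated attribute
        if not (flags & MASKING_TYPES) and not legacy_masked:
            findings.append(_attr(elem, "id"))
    return findings


# Constructed sample layout for illustration only.
SAMPLE_LAYOUT = """<LinearLayout xmlns:android="http://schemas.android.com/apk/res/android">
    <EditText android:id="@+id/username" android:inputType="text" />
    <EditText android:id="@+id/login_password" android:inputType="text" />
    <EditText android:id="@+id/confirm_password" android:inputType="textVisiblePassword" />
    <EditText android:id="@+id/new_password" android:inputType="textPassword" />
    <EditText android:id="@+id/wallet" android:hint="Wallet password"
              android:inputType="number|numberPassword" />
    <EditText android:id="@+id/old_pwd" />
</LinearLayout>"""

if __name__ == "__main__":
    for field_id in find_unmasked_password_fields(SAMPLE_LAYOUT):
        print("password displayed in clear:", field_id)
```

Each reported field is fixed by setting android:inputType to textPassword (or numberPassword for numeric entry) in the layout.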
[1] Standards Mapping - OWASP Top 10 2007 - (OWASP 2007) A6 Information Leakage and Improper Error Handling
[2] Android Developers-Reference: EditText
[3] Standards Mapping - Security Technical Implementation Guide Version 3 - (STIG 3) APP3210.1 CAT II, APP3310 CAT I, APP3340 CAT I
[4] Standards Mapping - Common Weakness Enumeration - (CWE) CWE ID 359
[5] Standards Mapping - Web Application Security Consortium 24 + 2 - (WASC 24 + 2) Information Leakage
[6] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 - (PCI 2.0) Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 6.5.5, Requirement 8.4
[7] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 - (PCI 1.2) Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 6.5.6, Requirement 8.4
[8] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 - (PCI 1.1) Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 8.4