Screenshots are a fundamental feature of mobile devices, and rightfully so in my opinion at least. I’d much rather screenshot something (such as memes, written text, and the like) than download media from external servers holding whatever metadata. However, there have also been instances of wanting to screenshot rather sensitive information but not being permitted to, such as within banking apps. I wasn’t sure why this was, and now I know so I am going to share it, too – along with some concerns with this feature.
Security researcher Lorenzo Stella previously wrote about some startling discoveries in his continued investigation of a previous researcher’s work. This research consisted of capturing screens containing sensitive information despite the FLAG_SECURE flag being enabled (I’ll touch on that in a bit). Stella’s research resulted in the capturing of sensitive information from various password management apps.
In order to prevent such window / screen captures, the FLAG_SECURE flag is used and attached to corresponding windows. Though this flag prevents the associated window from being captured, it is only useful on a screen-by-screen basis. So just because this flag is set on one window, not all windows in your app are protected. Skipping the technicalities behind how APIs work together, when other APIs are used (such as Toast and PopupWindow), not all respect this flag. If that doesn’t make sense, don’t worry, I don’t blame you. There’s a proof-of-concept video in Stella’s link that I urge you to watch. In essence, however, these other APIs don’t prevent the content being passed to it from being captured even if the content has the FLAG_SECURE flag. The example proof-of-concept video depicts password management apps’ hidden content being displayed in Android’s Toast API (an API that displays content on a user’s screen).
Stella tested against four different mobile password manager applications and reported his newfound discoveries to each company respectively. That’s a good thing but there is also a concern in this for other app developers that may not know how to appropriately apply this flag to all screens displaying sensitive information. Needless to say, that’s why users must be careful what apps they install and from where they obtain said apps.
Leave a Reply