
Secplicity - Security Simplified

Powered by WatchGuard Technologies

Android Screen Capture Vulnerabilities

November 25, 2019 By Emil Hozan

Screenshots are a fundamental feature of mobile devices, and rightfully so, in my opinion at least. I’d much rather screenshot something (such as memes, written text, and the like) than download media from external servers holding whatever metadata. However, there have also been instances of wanting to screenshot rather sensitive information but not being permitted to, such as within banking apps. I wasn’t sure why this was, and now I know, so I am going to share it, too – along with some concerns about this feature.

Security researcher Lorenzo Stella previously wrote about some startling discoveries in his continued investigation of a previous researcher’s work. This research consisted of capturing screens containing sensitive information despite the FLAG_SECURE flag being enabled (I’ll touch on that in a bit). Stella’s research resulted in the capturing of sensitive information from various password management apps.

In order to prevent such window or screen captures, the FLAG_SECURE flag is attached to the corresponding window. Though this flag prevents the associated window from being captured, it applies on a window-by-window basis, so setting it on one window does not protect every other window in your app. Skipping the technicalities of how the APIs interact: not every API that draws content on screen respects this flag, and Toast and PopupWindow are examples. If that doesn’t make sense, don’t worry, I don’t blame you. There’s a proof-of-concept video in Stella’s link that I urge you to watch. In essence, these other APIs don’t prevent the content passed to them from being captured, even when that content came from a window that has FLAG_SECURE set. The proof-of-concept video shows password management apps’ hidden content being displayed through Android’s Toast API (an API that displays short messages on a user’s screen).
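To make the per-window behaviour concrete, here is an added Android example written for this article; it is not code from Stella’s research or from any of the apps he tested, and the class and method names (VaultActivity, showPasswordDialog, showCopied) are hypothetical. It shows the flag being set on the Activity window and again on a Dialog, which owns a separate window, and it keeps the secret out of a Toast, whose window the app cannot flag.

```java
import android.app.Activity;
import android.app.Dialog;
import android.os.Bundle;
import android.view.WindowManager;
import android.widget.TextView;
import android.widget.Toast;

// Added example (hypothetical class, not from the article or the tested apps):
// an Activity that applies FLAG_SECURE to every window it owns.
public class VaultActivity extends Activity {

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // FLAG_SECURE is a property of this one window. It blocks screenshots,
        // screen recording and mirroring to non-secure displays for this
        // window only; other windows the app opens are not covered by it.
        getWindow().setFlags(WindowManager.LayoutParams.FLAG_SECURE,
                             WindowManager.LayoutParams.FLAG_SECURE);
    }

    // Revealing a secret in a Dialog: the Dialog has its own window, so the
    // Activity's flag does not carry over and must be set here as well.
    private void showPasswordDialog(String password) {
        Dialog dialog = new Dialog(this);
        TextView tv = new TextView(this);
        tv.setText(password);
        dialog.setContentView(tv);
        dialog.getWindow().setFlags(WindowManager.LayoutParams.FLAG_SECURE,
                                    WindowManager.LayoutParams.FLAG_SECURE);
        dialog.show();
    }

    // Confirming a copy with a Toast: Toast exposes no public way to set
    // window flags, so its text is capturable regardless of FLAG_SECURE on
    // the Activity. The secret itself must therefore never go into the message.
    private void showCopied() {
        Toast.makeText(this, "Password copied to clipboard",
                       Toast.LENGTH_SHORT).show();
    }
}
```

The rule the example encodes is simple: audit every window type the app creates (Activity, Dialog, PopupWindow, Toast) rather than the Activity alone. Dialog exposes getWindow(), so the flag can be applied; Toast and PopupWindow expose no public setter for window flags, so sensitive text should not be routed through them at all.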

Stella tested four different mobile password manager applications and reported his findings to each vendor. That’s a good thing, but it also raises a concern for other app developers who may not know how to apply this flag to every screen that displays sensitive information. Needless to say, that’s why users must be careful about which apps they install and where they obtain them.

Filed Under: Editorial Articles Tagged With: android security, screen capture
