Skip to content
This repository was archived by the owner on Nov 15, 2022. It is now read-only.

Android - Background Screenshot Available [Security] #41

Open
clviper opened this issue Aug 28, 2020 · 3 comments
Open

Android - Background Screenshot Available [Security] #41

clviper opened this issue Aug 28, 2020 · 3 comments

Comments

@clviper
Copy link

clviper commented Aug 28, 2020

The application is disclosing information of the last Activity shown when it is put in background.

It is possible to see this information when the user opens the list of background apps:

Screenshot_20200828-165227_Trebuchet

Due to the possible sensitive information that might be shown, this should be implement.
@clviper
Copy link
Author

clviper commented Aug 28, 2020

Mitigation: Activate the flag FLAG_SECURE on all Activities.

@djcouto
Copy link
Member

djcouto commented Sep 25, 2020

Hello @clviper 👋

TL;DR: We are adding a protector screen for iOS on PR #71, but unfortunately on Android, this cannot be achieved without impairing the user experience and support.

Thank you for calling our attention to this problem. This is a tricky question which has already been discussed on the German-App. Note that at some point this flag was added but it was recently removed.

Since this is a cross-platform app, and the issue that you are pointing out is related to both platforms, I’ll reply to each one separately.

On iOS, this change is straightforward, we simply detect before the app goes inactive and then open a protector screen, which will be closed when it becomes active again. Note that this is already on progress on PR #71.

On Android, this is not easily achievable as you can see in this (issue)[https://stackoverflow.com/questions/43274289/android-customizing-recent-apps-thumbnail-screenshot-by-default]. Since we don’t have a way to know when the OS will take the app screenshot, we cannot prevent it from capture sensitive data. What we could do is to add a “FLAG_SECURE” which will prevent the OS from taking screenshots, resulting in a blank screen on the overview panel. Unfortunately, this will also not permit the user from taking any screenshots while using the app which has shown to be useful for bugs report and team support.

Taking the example of the GermanApp we decided we will not solve this until there is a better way to this on Android.

@marado
Copy link
Contributor

marado commented Sep 26, 2020

A solution for the German app exists, currently waiting for a rebase (but the approach is there):
corona-warn-app/cwa-app-android#619

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@marado @clviper @djcouto