OWASP / owasp-mastg

The Mobile Application Security Testing Guide (MASTG) is a comprehensive manual for mobile app security testing and reverse engineering. It describes the technical processes for verifying the controls listed in the OWASP Mobile Application Security Verification Standard (MASVS).
https://mas.owasp.org/
Creative Commons Attribution Share Alike 4.0 International
11.57k stars, 2.29k forks

Screen mirroring detection #1145

Closed: galapogos closed this issue 4 years ago

galapogos commented 5 years ago

Platform: iOS, Android

Description: I think there should be a testcase for detection of screen mirroring, as users could inadvertently be displaying sensitive information to another screen, especially wirelessly via RATs.

commjoen commented 5 years ago

@galapogos that sounds like a cool idea! But how can you detect that?

galapogos commented 5 years ago

@commjoen there are several ways. In Android, the best way I know of is to check DisplayManager.getDisplays(), and see if it's >1. If so, there's more than 1 screen, which indicates that screen mirroring is running.

commjoen commented 5 years ago

Sounds like a nice departure point! Still wondering a bit where it could tie in given the masvs requirements :). And is there a way for iOS to detect this?

galapogos commented 5 years ago

I have not tried on iOS, but a quick Google search would suggest that it's possible: https://developer.apple.com/documentation/uikit/uiscreen/1617829-mirrored It might be a new item under "Data Storage and Privacy", similar to 2.9. I think it should apply only to Level 2.

commjoen commented 4 years ago

We (@cpholguera and me) have been thinking about this, and screen mirroring requires a user to actively say "yes" to mirror his screen. It always requires OS-level interaction. Unlike overlay attacks, where the user does not have to be warned, screen mirroring is based on sessions which actively require user interaction. Therefore we think the benefit of having these checks and requirements does not outweigh the risk of showing something inadvertently after giving consent or starting the action to share a screen.

eybisi commented 3 years ago

Well, RATs get Accessibility permission and automatically press Yes on the popup without user interaction.

balainvoid commented 9 months ago

> @commjoen there are several ways. In Android, the best way I know of is to check DisplayManager.getDisplays(), and see if it's >1. If so, there's more than 1 screen, which indicates that screen mirroring is running.

@galapogos can you tell what other ways there are?

masterashu commented 9 months ago

> @commjoen there are several ways. In Android, the best way I know of is to check DisplayManager.getDisplays(), and see if it's >1. If so, there's more than 1 screen, which indicates that screen mirroring is running.

Won't it cause issues on foldable/dual-screen devices?

nthieu90official commented 6 months ago

> @commjoen there are several ways. In Android, the best way I know of is to check DisplayManager.getDisplays(), and see if it's >1. If so, there's more than 1 screen, which indicates that screen mirroring is running.

@galapogos getDisplays did not return the virtual displays that were created for screen mirroring, so it cannot be used to check.
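The check proposed in this thread, together with the two objections raised against it (foldable devices and virtual displays), as an added Kotlin example that is not part of the MASTG and not code from any participant. `presentationDisplays`, `isLikelyMirrored`, `protectWindow` and `watchDisplays` are hypothetical helper names; the Android APIs they call (`DisplayManager.getDisplays(String)`, `DISPLAY_CATEGORY_PRESENTATION`, `registerDisplayListener`, `FLAG_SECURE`) are real. It assumes that the internal panels of a foldable are not reported in the presentation category, which should be verified on the device under test.

```kotlin
import android.app.Activity
import android.content.Context
import android.hardware.display.DisplayManager
import android.view.Display
import android.view.WindowManager

// Hypothetical helper (not from the MASTG or this thread).
// Instead of counting every display, ask only for the "presentation" category:
// external, wireless and *public* virtual displays. Internal foldable panels are
// assumed not to fall into this category, which addresses the dual-screen objection.
fun presentationDisplays(context: Context): List<Display> {
    val dm = context.getSystemService(Context.DISPLAY_SERVICE) as DisplayManager
    return dm.getDisplays(DisplayManager.DISPLAY_CATEGORY_PRESENTATION).toList()
}

// Heuristic only. As noted in the thread, DisplayManager does not report private
// virtual displays (for example the one a MediaProjection-based recorder creates),
// so an empty list is NOT proof that the screen is not being captured.
fun isLikelyMirrored(context: Context): Boolean =
    presentationDisplays(context).isNotEmpty()

// Preventive control that does not depend on detection: FLAG_SECURE keeps the
// window's content out of screenshots, screen recordings and displays that do not
// support secure output. This is the control a tester would look for on screens
// that show sensitive data.
fun protectWindow(activity: Activity) {
    activity.window.setFlags(
        WindowManager.LayoutParams.FLAG_SECURE,
        WindowManager.LayoutParams.FLAG_SECURE
    )
}

// React to displays that appear after the app started, e.g. a wireless display
// session accepted while the app is in the foreground. The callback receives the
// current list of presentation displays; a null Handler means the calling thread's
// looper is used.
fun watchDisplays(context: Context, onChange: (List<Display>) -> Unit) {
    val dm = context.getSystemService(Context.DISPLAY_SERVICE) as DisplayManager
    dm.registerDisplayListener(object : DisplayManager.DisplayListener {
        override fun onDisplayAdded(displayId: Int) = onChange(presentationDisplays(context))
        override fun onDisplayRemoved(displayId: Int) = onChange(presentationDisplays(context))
        override fun onDisplayChanged(displayId: Int) { /* size/rotation changes are not relevant here */ }
    }, null)
}
```

A typical use is to call `protectWindow` in `onCreate` of any activity that renders sensitive data, and to use `isLikelyMirrored` or `watchDisplays` only for a user-facing hint (such as hiding a balance until the external display is gone), never as the sole control, since the virtual-display gap described above means detection can be silently bypassed.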