bpellin / keepassdroid

KeePass implementation for android
http://www.keepassdroid.com

FLAG_SECURE fallback? #295

Open gordol opened 6 years ago

gordol commented 6 years ago

Hi all...

Chrome OS supports native Android apps lately...

However, there is an issue when the app is running on an external display: https://bugs.chromium.org/p/chromium/issues/detail?id=791495

I'm savvy enough to have figured this out, but other users may not be, and may be confused...

According to the Android docs here: https://developer.android.com/reference/android/view/Display#FLAG_SECURE

An application can use the absence of this flag as a hint that it should not create secure surfaces or protected buffers on this display because the content may not be visible. For example, if the flag is not set then the application may choose not to show content on this display, show an informative error message, select an alternate content stream or adopt a different strategy for decoding content that does not rely on secure surfaces or protected buffers.

Perhaps the app should show a note to users who are not on a "secure display", instead of just showing a blank box?
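The check suggested above could look like the following. This is an added example, not part of the original comment and not KeePassDroid code; it assumes the activity sets the window flag `WindowManager.LayoutParams.FLAG_SECURE`, and the class name, method names and message text are hypothetical.

```java
import android.app.Activity;
import android.os.Build;
import android.view.Display;
import android.view.WindowManager;
import android.widget.Toast;

/** Hypothetical helper: tell the user why a secure window may be blank. */
public final class SecureDisplayCheck {
    private SecureDisplayCheck() {}

    /** True if the window requests a secure surface (window-level FLAG_SECURE). */
    static boolean windowIsSecure(Activity activity) {
        int flags = activity.getWindow().getAttributes().flags;
        return (flags & WindowManager.LayoutParams.FLAG_SECURE) != 0;
    }

    /** True only if the hosting display is known to lack Display.FLAG_SECURE. */
    static boolean displayLacksSecureFlag(Activity activity) {
        // Display.getFlags() was added in API 17; older releases give no hint.
        if (Build.VERSION.SDK_INT < Build.VERSION_CODES.JELLY_BEAN_MR1) {
            return false;
        }
        Display display = Build.VERSION.SDK_INT >= Build.VERSION_CODES.R
                ? activity.getDisplay()
                : activity.getWindowManager().getDefaultDisplay();
        if (display == null) {
            return false; // unknown display: do not warn without evidence
        }
        return (display.getFlags() & Display.FLAG_SECURE) == 0;
    }

    /**
     * Call from onResume(). Shows an informative message when the window is
     * secure but the display does not advertise support for secure surfaces,
     * so the content may not be visible there.
     */
    public static boolean warnIfContentMayBeHidden(Activity activity) {
        if (!windowIsSecure(activity) || !displayLacksSecureFlag(activity)) {
            return false;
        }
        Toast.makeText(activity,
                "This display does not support secure content, so this "
                + "screen may appear blank. Move the app to a secure display.",
                Toast.LENGTH_LONG).show(); // constructed message text
        return true;
    }
}
```

The message does not relax the protection: the window keeps its secure flag, and the user only learns why the content is not shown.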

yeswap commented 6 years ago

Does KeePassDroid need to use FLAG_SECURE? That flag seems to be mainly intended to keep users from stealing DRM-protected content by doing things like recording a Netflix movie on an attached DVR.

I don't see how a physically attached external display is any riskier to KeePassDroid security than the device's built-in display. Attaching a monitor requires physical access to the machine and doesn't circumvent the need for an attacker to have the device and keepass login credentials.

gordol commented 6 years ago

To be fair, streaming the display does not require physical access.

yeswap commented 6 years ago

How? You can't connect an external monitor or recording device to a Chromebook or Android device's HDMI or MDL port without physical access. Even wireless access tools like Remote Desktop, Team Viewer or All Cast require access to the Android device to enable sharing or casting.

breaks-software commented 5 years ago

@gordol, I gather from the links you provided that this is an issue that might be resolved once ChromeOS provides HDCP support, is that correct? I've got this same problem with my ChromeBox...which of course has no dedicated display. Any workaround for that environment?