element-hq / element-android

A Matrix collaboration client for Android.
https://element.io/
Apache License 2.0
3.31k stars 702 forks

Leak of communication content in Recent apps and during animations without providing pin #8143

Open keeper772 opened 1 year ago

keeper772 commented 1 year ago

Steps to reproduce

  1. Set up pin
  2. Open conversation
  3. Press home button on nav bar
  4. Lock screen
  5. Unlock screen
  6. Press Recent button on nav bar
  7. You can see last conversation content without providing pin


Another way

  1. Do steps 1-5
  2. Press on app icon
  3. During the animation of filling the whole screen, content of the last convo is visible, just before asking for pin (I recommend recording the screen and watching it in slow motion)


Yet another way

  1. Set up pin
  2. Open conversation
  3. Lock screen
  4. Unlock screen

Again, just before the pin prompt shows, the conversation is visible for a very short period of time. Try recording with another phone/camera and playing it in slow motion

Outcome

What did you expect?

Protect conversation content with pin.

What happened instead?

App leaks conversation content in specific situations without providing a pin

Your phone model

Pixel 5

Operating system version

Android 13 (CalyxOS)

Application version and app store

Element 1.5.25, Aurora store 4.1.1

Homeserver

matrix.org

Will you send logs?

No

Are you willing to provide a PR?

No

bmarty commented 1 year ago

For the first point: to prevent the app content from being visible when switching between apps, you can enable the setting flag Prevent screenshots of the application in Settings/Security & Privacy. You will have to restart the app for this to take effect. I agree that the wording could mention this, instead of talking about the technical FLAG_SECURE.

For the second point:

> just before pin prompt shows, conversation is visible for very short period of time

I am not sure what we can do about that. Maybe ensure that there is no animation when we display the pin prompt.

Also, just to let you know, there is a default grace period of 2 minutes - that you can disable in the settings at Settings/Security & Privacy/Protect access/Require PIN after 2 minutes.

keeper772 commented 1 year ago

@bmarty don't you think that FLAG_SECURE should be enabled by default? You misunderstood me in the second case. After locking the screen, the app always requires a pin, but when the pin prompt is shown, the conversation is visible for like 0.1 second. I think it is still an animation issue.
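
One way an app could tie the mitigations discussed in this thread to the PIN setting, as an added sketch that is not Element's code and not part of any comment above: FLAG_SECURE is applied whenever a PIN is configured, the content view is blanked while the activity is in the background, and the PIN prompt is started without a transition animation. `PinStore`, `PinProtectedActivity` and `launchPinPrompt()` are hypothetical names introduced for this example.

```kotlin
import android.os.Build
import android.os.Bundle
import android.view.View
import android.view.WindowManager
import androidx.appcompat.app.AppCompatActivity

// Hypothetical abstraction over the app's PIN state (assumption, not Element's API).
interface PinStore {
    fun isPinConfigured(): Boolean
    fun isUnlocked(): Boolean // false once any grace period has expired
}

abstract class PinProtectedActivity : AppCompatActivity() {
    protected abstract val pinStore: PinStore
    protected abstract fun launchPinPrompt() // hypothetical: starts the PIN screen

    private val content: View get() = findViewById(android.R.id.content)

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        if (pinStore.isPinConfigured()) {
            // Recents and app-launch cases: keep the window out of task
            // thumbnails and screenshots whenever a PIN protects the app.
            window.addFlags(WindowManager.LayoutParams.FLAG_SECURE)
            if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.TIRAMISU) {
                setRecentsScreenshotEnabled(false) // API 33+: no task snapshot
            }
        }
    }

    override fun onStop() {
        // Lock/unlock case: blank the view tree while in the background, so the
        // first frame drawn on return does not contain conversation content.
        if (pinStore.isPinConfigured()) content.visibility = View.INVISIBLE
        super.onStop()
    }

    override fun onStart() {
        super.onStart()
        if (!pinStore.isPinConfigured() || pinStore.isUnlocked()) {
            content.visibility = View.VISIBLE // no PIN, or still within grace period
        } else {
            launchPinPrompt()
            // No enter/exit animation, so nothing is shown behind the prompt.
            // (Deprecated in API 34 in favour of overrideActivityTransition.)
            overridePendingTransition(0, 0)
        }
    }
}
```

Whether this fully removes the brief flash on a given device would need to be confirmed with the slow-motion recording method described in the report.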