Open OmlineEditor opened 1 year ago
For better security:
In our country, SMS is mandated as the second factor, and for many applications and services there are no alternatives at all.
I'm fairly sure an app cannot simply "take a screenshot." It needs certain permissions, I believe including "Display over other apps" and/or Accessibility permissions. Of course, this could be accomplished even more easily with the "Manage SMS" or "Read notifications" permissions.
So, why are you granting these high-level permissions to apps you think are going to steal, of all things, your one-time 2FA codes?
Android has all the built-in security necessary to avoid this issue. If you're handing out app permissions and opening up new vulnerabilities, that's a user choice.
No permissions at all are required to access a screenshot of the screen. "Display over other apps" is not required; the vulnerability remains. Android currently has no protection against interception of images from the screen via a screenshot. I tested it on the application by recording the screen.
Good news is, that's not true. Screen recording is a built-in Android function; it's not something any old app can do. It requires certain permissions. You can read more about it here: https://source.android.com/docs/core/permissions/restricted-screen-reading The bottom line remains: don't grant extensive privileges to untrusted apps.
The bad news is that this only applies from Android 10 onwards. Up to and including version 9, any application can access the screen. A lot of devices run Android 9 or earlier. The vulnerability remains; it is better to fix it. Moreover, many users are inexperienced and do not understand which permissions can be granted and which cannot.
DESCRIPTION
Many services now require two-factor authentication, for which they send SMS codes. Other programs that do not have access to SMS can intercept the code when the user opens the application and looks at the SMS that arrived: any other application can easily take a screenshot and read the code from the SMS.
STEPS
EXPECTED
In the application settings, you need to add an option to prohibit taking screenshots in QKSMS. You can see how this is implemented in the KeePassDX application: https://github.com/Kunzisoft/KeePassDX
OBSERVATIONS
Currently there is no such setting to increase security.
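For reference, the standard Android mechanism for "prohibit screenshots" is the per-window flag `WindowManager.LayoutParams.FLAG_SECURE`, which blocks screenshots, MediaProjection screen recording and the Recents thumbnail for that window, and which exists on every Android version (so it also covers the Android 9 and earlier devices mentioned above). The Kotlin snippet below is an added example of wiring such a setting into an activity; it is not code from QKSMS or from KeePassDX. The preference key `block_screenshots`, the activity name and the layout id are assumptions for illustration.

```kotlin
// Added example, not QKSMS or KeePassDX code.
// A user-toggleable "block screenshots" setting implemented with Android's
// standard FLAG_SECURE window flag. The preference key "block_screenshots",
// the activity name and R.layout.conversation_activity are assumptions.
import android.os.Bundle
import android.view.WindowManager
import androidx.appcompat.app.AppCompatActivity
import androidx.preference.PreferenceManager

class ConversationActivity : AppCompatActivity() {

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        // Apply the flag before the first frame is drawn so the window
        // never appears in a screenshot, even during the launch animation.
        applyScreenshotPolicy()
        setContentView(R.layout.conversation_activity)
    }

    override fun onResume() {
        super.onResume()
        // Re-apply in case the user toggled the setting while this activity
        // sat in the back stack; the flag can be set and cleared at runtime.
        applyScreenshotPolicy()
    }

    private fun applyScreenshotPolicy() {
        val prefs = PreferenceManager.getDefaultSharedPreferences(this)
        val block = prefs.getBoolean("block_screenshots", false)
        val secure = WindowManager.LayoutParams.FLAG_SECURE
        if (block) {
            // Screenshots, screen recording and the Recents thumbnail of this
            // window are blanked by the system; no permission check by the
            // attacking app is involved, because the protection is window-side.
            window.setFlags(secure, secure)
        } else {
            window.clearFlags(secure)
        }
    }
}
```

Two caveats a maintainer would want to keep in mind: the flag is per window, so dialogs, bottom sheets and any other activity that renders message text need it too, and it does not stop an accessibility service from reading the on-screen text, nor does it affect the message preview shown in the notification shade, which is controlled separately by the notification's visibility settings.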