The App does not protect sensitive screens from being displayed in screencasts initiated by third-party Apps. Specifically, the following packages within the App contain vulnerable Activities:
DESCRIPTION
Starting with Android 5.0, Google introduced the android.media.projection API which allows any third-party App to perform screen capture and screen sharing (https://developer.android.com/about/versions/android-5.0.html).
Such an App can capture everything on the device’s screen, including sensitive activity from all other Apps such as password keystrokes, credit card data, etc. The capturing ability remains on even if the user terminates/closes the App, but not after a reboot.
A demo App performing screen capture was developed by Data Theorem's research team and is available at https://www.youtube.com/watch?v=tT1XSoykjtA.
Environment
Android OS Version
above KitKat
Android Devices/Emulators
all
Steps to Reproduce
Static Code Scanning
Expected Result
RECOMMENDATION
Protect all sensitive windows within the App by enabling the FLAG_SECURE flag. This flag will prevent Apps from being able to record the protected windows. Also, the flag will prevent users from taking screenshots of these windows (by pressing the VOLUME_DOWN and POWER buttons). As such screenshots are stored on the SDCard by default, they are accessible to all Apps and sensitive data may be exposed.
SECURE CODE
/ Secure code for protecting one Activity /
public class SecureActivity extends Activity {
// Set the Secure flag for this Window
getWindow().setFlags(LayoutParams.FLAG_SECURE, LayoutParams.FLAG_SECURE);
}
}
However, if the developers want to protect all the screens of their applications from third-party screen capturing and sharing, they need to use this flag in each of the Activities separately. There is no global mechanism to set this flag for all the screens at once. But, one can design their applications in such a way that the FLAG_SECURE needs to be used only once. Below is the code snippet:
/ Define a BaseActivity and set the FLAG_SECURE in that Activity : /
public class BaseActivity extends Activity {
@Override
protected void onCreate(Bundle savedInstanceState) {
super.onCreate(savedInstanceState);
/**
* approach 1: create a base activity and set the FLAG_SECURE in it,
* Extend all other activities, Fragments from this activity
*/
getWindow().setFlags(LayoutParams.FLAG_SECURE,
LayoutParams.FLAG_SECURE);
}
}
Use this BaseActivity as the superclass for all the other Activities.
public class LoginActivity extends BaseActivity
public class MainActivity extends BaseActivity
Screenshots
REGULATORY COMPLIANCE
This issue may be out of compliance with the following laws, policies, and standards:
The problem
The App does not protect sensitive screens from being displayed in screencasts initiated by third-party Apps. Specifically, the following packages within the App contain vulnerable Activities:
AFFECTED CODE com.plaid.internal.link.LinkActivity com.plaid.internal.LinkRedirectActivity
DESCRIPTION Starting with Android 5.0, Google introduced the android.media.projection API which allows any third-party App to perform screen capture and screen sharing (https://developer.android.com/about/versions/android-5.0.html). Such an App can capture everything on the device’s screen, including sensitive activity from all other Apps such as password keystrokes, credit card data, etc. The capturing ability remains on even if the user terminates/closes the App, but not after a reboot. A demo App performing screen capture was developed by Data Theorem's research team and is available at https://www.youtube.com/watch?v=tT1XSoykjtA.
Environment
Steps to Reproduce
Static Code Scanning
Expected Result
RECOMMENDATION Protect all sensitive windows within the App by enabling the FLAG_SECURE flag. This flag will prevent Apps from being able to record the protected windows. Also, the flag will prevent users from taking screenshots of these windows (by pressing the VOLUME_DOWN and POWER buttons). As such screenshots are stored on the SDCard by default, they are accessible to all Apps and sensitive data may be exposed.
SECURE CODE / Secure code for protecting one Activity / public class SecureActivity extends Activity {
@Override protected void onCreate(Bundle savedInstanceState) { super.onCreate(savedInstanceState);
} }
However, if the developers want to protect all the screens of their applications from third-party screen capturing and sharing, they need to use this flag in each of the Activities separately. There is no global mechanism to set this flag for all the screens at once. But, one can design their applications in such a way that the FLAG_SECURE needs to be used only once. Below is the code snippet:
/ Define a BaseActivity and set the FLAG_SECURE in that Activity : / public class BaseActivity extends Activity {
} Use this BaseActivity as the superclass for all the other Activities.
public class LoginActivity extends BaseActivity public class MainActivity extends BaseActivity
Screenshots
REGULATORY COMPLIANCE
This issue may be out of compliance with the following laws, policies, and standards:
OWASP Mobile Security OWASP Mobile Security Testing Guide No sensitive data, such as passwords or pins, is exposed through the user interface (MSTG-STORAGE-7) https://mobile-security.gitbook.io/masvs/security-requirements/0x07-v2-data_storage_and_privacy_requirements#security-verification-requirements