Android Screenshot Allowed

ID

kotlin.android_screenshot_allowed

Severity

high

Resource

Information Leak

Language

Kotlin

Tags

CWE:200, NIST.SP.800-53, PCI-DSS:6.5.6, android

Description

Allowing screenshots of sensitive application screens can lead to information disclosure.

Rationale

In Android, screenshots can be captured when an application is in the foreground. This may inadvertently expose sensitive information, especially if your app displays confidential data like personal user information, financial data, or authentication details.

To prevent this, Android lets an activity opt out of screen capture by setting the FLAG_SECURE flag on its window (WindowManager.LayoutParams.FLAG_SECURE). With this flag set, the system refuses to take screenshots or record the window's contents, so sensitive views cannot be captured and later exposed.

import android.os.Bundle
import androidx.appcompat.app.AppCompatActivity
import android.view.WindowManager

class SecureActivity : AppCompatActivity() {
    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)

        // Insecure: Screenshots are allowed
        setContentView(R.layout.activity_secure)
    }
}

Remediation

To safeguard sensitive information, set the FLAG_SECURE flag on the window of any activity that displays confidential data. This blocks screenshots and screen recordings of that window. Note that the flag applies per window: set it before the content is shown, and set it on every window that shows sensitive data, including dialogs, which have their own window.

import android.os.Bundle
import androidx.appcompat.app.AppCompatActivity
import android.view.WindowManager

class SecureActivity : AppCompatActivity() {
    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)

        // Secure: Prevent screenshots
        window.setFlags(
            WindowManager.LayoutParams.FLAG_SECURE,
            WindowManager.LayoutParams.FLAG_SECURE
        )

        setContentView(R.layout.activity_secure)
    }
}
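The snippet below is an added example, not the rule's own code: it centralises the flag in a base activity so it cannot be forgotten per screen, applies it to a DialogFragment (a separate window the activity's flag does not cover), and exposes a small check that an instrumented test can use to verify the flag is actually set. SecureBaseActivity, PinEntryDialogFragment and isSecure() are hypothetical names.

```kotlin
import android.os.Bundle
import android.view.Window
import android.view.WindowManager
import androidx.appcompat.app.AppCompatActivity
import androidx.fragment.app.DialogFragment

// Returns true when FLAG_SECURE is set on this window.
// Call it from an instrumented test (e.g. on activity.window) to
// assert that a sensitive screen is protected.
fun Window.isSecure(): Boolean =
    (attributes.flags and WindowManager.LayoutParams.FLAG_SECURE) != 0

// Base class for every activity that shows confidential data.
// Subclasses inherit the flag and only need to call setContentView.
abstract class SecureBaseActivity : AppCompatActivity() {
    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        // Set before any content is attached so the first frame is already protected.
        window.addFlags(WindowManager.LayoutParams.FLAG_SECURE)
    }
}

// A dialog is its own window: the hosting activity's flag does not
// cover it, so it has to be set on the dialog window as well.
class PinEntryDialogFragment : DialogFragment() {
    override fun onStart() {
        super.onStart()
        dialog?.window?.addFlags(WindowManager.LayoutParams.FLAG_SECURE)
    }
}
```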

References

  • CWE-200 : Exposure of Sensitive Information to an Unauthorized Actor.