PSA: FLAG_SECURE Window Leaks

FLAG_SECURE can be applied to a Window, such as an activity's
Window, to secure its contents against screen recordings and so on.



Authors of widgets or other UI elements that show their own windows
need to:

- Examine the activity that those elements are a part of and see if that
  activity is using FLAG_SECURE to protect its contents. If it is,
  the UI element needs to apply FLAG_SECURE
  to any windows it opens up on behalf of that activity, such as a popup,
  so that the entire activity UI is secure.

- Or, the UI element needs to expose the Window objects via a public
  API, so that FLAG_SECURE can be applied where needed.





Google does not do either of these things on:

- AutoCompleteTextView
- Spinner (both dropdown and dialog modes)
- the overflow menu of the framework-supplied action bar
- ShareActionProvider
- Toast


and probably many others, as my investigation continues. The only scenario
that seems to be discussed much in this area is Dialog, where you can use
getWindow() to apply FLAG_SECURE yourself... if you know to do that.
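The Dialog case described above, as an added example (not code from the original post or from CWAC-Security): it checks whether the host activity's Window has FLAG_SECURE and, if so, copies the flag onto the Dialog's Window before the dialog is shown. The class and method names (SecureDialogs, isSecure, inheritSecure, showConfirmation) are hypothetical; the Android calls are the standard framework APIs.

```java
import android.app.Activity;
import android.app.AlertDialog;
import android.app.Dialog;
import android.view.Window;
import android.view.WindowManager;

// Hypothetical helper, written for this example only.
public final class SecureDialogs {
    private SecureDialogs() {}

    /** True if the activity's own Window currently has FLAG_SECURE set. */
    public static boolean isSecure(Activity activity) {
        int flags = activity.getWindow().getAttributes().flags;
        return (flags & WindowManager.LayoutParams.FLAG_SECURE) != 0;
    }

    /**
     * Copies FLAG_SECURE from the host activity to a Dialog's Window.
     * Call before dialog.show() so the window is never displayed unprotected.
     * A Dialog whose Window is not available (null) is returned unchanged.
     */
    public static <T extends Dialog> T inheritSecure(Activity host, T dialog) {
        Window window = dialog.getWindow();
        if (window != null && isSecure(host)) {
            // Second argument is the mask: only the FLAG_SECURE bit is touched.
            window.setFlags(WindowManager.LayoutParams.FLAG_SECURE,
                            WindowManager.LayoutParams.FLAG_SECURE);
        }
        return dialog;
    }

    /** Usage: build a dialog, propagate the flag, then show it. */
    public static void showConfirmation(Activity host, CharSequence message) {
        AlertDialog dialog = new AlertDialog.Builder(host)
                .setMessage(message)
                .setPositiveButton(android.R.string.ok, null)
                .create();
        inheritSecure(host, dialog).show();
    }
}
```

This only works because Dialog exposes its Window through getWindow(); the widgets listed above open their windows internally and offer no equivalent hook.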



Since these UI elements lack FLAG_SECURE (despite the activity having it),
their content will be leaked into:

- Screenshots taken by the media projection APIs on Android 5.0+

- Screencasts taken by the media projection APIs on Android 5.0+
  (e.g., Jake Wharton's Telecine)

- The Assist API (e.g., Now On Tap) on Android 6.0+

- Android Studio screen recordings on Android 4.4+





and possibly other areas as well. While all of those things have their
own security (e.g., user authorization of media projection API usage), we still
have lost a layer of security by the Android framework not propagating
FLAG_SECURE to other windows (or allowing developers to readily do it
themselves).



For example, this screencast shows an activity that has FLAG_SECURE
applied, yet you can see all sorts of child windows from the aforementioned
UI elements still show up.



Demo App, Showing FLAG_SECURE Window Leaks



Google considers this to be
working as intended.



You may disagree with Google's assessment. If so, I have more details
on the problem, along with some code to help deal with the bug, in
my CWAC-Security library.



I would like to thank Vivart Pandey, who
first pointed out this problem.

Published on June 06, 2016 05:00