GrapheneOS/Auditor

Consider adding FLAG_SECURE and maybe TouchesWhenObscured

yodaforces opened this issue · 2 comments

To prevent screenshots and tapjacking attacks.

More details can be found here in the Security section: https://developer.android.com/reference/android/view/View

FLAG_SECURE: https://developer.android.com/reference/android/view/WindowManager.LayoutParams.html#FLAG_SECURE

General hardening for Android and nothing fancy.

Source: https://cure53.de/pentest-report_mullvad_2020_v2.pdf

It doesn't show sensitive data, and the app on the device that's being verified, rather than the one performing the verification, is untrusted by design. It's useful to be able to take screenshots since you can use it to do a pairing with someone remotely, such as before shipping a device. It's not something that I want to disable.

Okay, you are right. I was too quick adding it to here.