Request to Protect Authentication Screen #1575

Open
aldsdelram opened this issue Dec 9, 2020 · 1 comment
Labels: Enhancement (This is a feature request to add functionality that is not currently supported), Issue Triage (The engineering team has looked into the issue, understood the issue, labelled/classified the issue)

Hi,

Our application uses this plugin and is getting flagged when scanned in Data Theorem. There is a finding wherein we need to protect the app screen from 3rd-party apps.

This is additional information from Data Theorem:

  • The following classes in the affected component are currently exposed: com.microsoft.aad.adal.AuthenticationActivity
  • Recommendation is:
    • Protect all sensitive windows within the App by enabling the FLAG_SECURE flag. This flag will prevent Apps from being able to record the protected windows. Also, the flag will prevent users from taking screenshots of these windows (by pressing the VOLUME_DOWN and POWER buttons). As such screenshots are stored on the SDCard by default, they are accessible to all Apps and sensitive data may be exposed.
  • Snippet of the code:

```java
import android.app.Activity;
import android.os.Bundle;
import android.view.WindowManager.LayoutParams;

// Secure code for protecting one Activity
public class SecureActivity extends Activity {

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);

        // Set the Secure flag for this Window
        getWindow().setFlags(LayoutParams.FLAG_SECURE, LayoutParams.FLAG_SECURE);
    }
}
```

I hope you could help us regarding this and, if this is possible, we would like to request the recommended fix to be applied to version 1 of your plugin.

Thank you!

iambmelt added the Enhancement and Issue Triage labels Dec 9, 2020

iambmelt (Member) commented Dec 9, 2020

@hamiltonha Assigning to you, as this is a feature request. IMO, this looks like a good compliance item to take on, though I would recommend we do a little design work around how we support it, as screenshots/recordings are often used by our support team to troubleshoot and demonstrate issue repros.

@aldsdelram Thanks for filing this request; updates will be provided in this ticket. We no longer support 2.x.x and 1.x.x versions of ADAL, so this enhancement would ship in a future release of 3.1.x+ if implemented.
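
An added example, not part of the issue thread and not ADAL's own code: an app-side way to apply the FLAG_SECURE recommendation to the flagged ADAL window without changing the library, with a build-time switch for the support screenshots mentioned in the reply. `SecureAuthScreenApp` and `ALLOW_CAPTURE` are hypothetical names, and the sketch assumes the flagged activity goes through the normal Activity lifecycle.

```java
import android.app.Activity;
import android.app.Application;
import android.os.Bundle;
import android.view.WindowManager;

// Hypothetical Application subclass; declare it with android:name in the manifest.
public class SecureAuthScreenApp extends Application {

    // Class name taken from the scanner finding quoted in this issue.
    private static final String ADAL_AUTH_ACTIVITY =
            "com.microsoft.aad.adal.AuthenticationActivity";

    // Hypothetical switch: set to true only in internal builds where support
    // staff need screenshots or recordings of the sign-in flow.
    private static final boolean ALLOW_CAPTURE = false;

    @Override
    public void onCreate() {
        super.onCreate();
        registerActivityLifecycleCallbacks(new ActivityLifecycleCallbacks() {
            @Override
            public void onActivityCreated(Activity activity, Bundle savedInstanceState) {
                if (ALLOW_CAPTURE) {
                    return; // capture deliberately left enabled for this build
                }
                // Match by name so the app does not need a compile-time
                // reference to the library's activity class.
                if (ADAL_AUTH_ACTIVITY.equals(activity.getClass().getName())) {
                    // Same call as in the recommendation, applied to the
                    // library's window instead of one of the app's own.
                    activity.getWindow().setFlags(
                            WindowManager.LayoutParams.FLAG_SECURE,
                            WindowManager.LayoutParams.FLAG_SECURE);
                }
            }

            // Remaining callbacks are required by the interface but unused here.
            @Override public void onActivityStarted(Activity activity) { }
            @Override public void onActivityResumed(Activity activity) { }
            @Override public void onActivityPaused(Activity activity) { }
            @Override public void onActivityStopped(Activity activity) { }
            @Override public void onActivitySaveInstanceState(Activity activity, Bundle outState) { }
            @Override public void onActivityDestroyed(Activity activity) { }
        });
    }
}
```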
