FLAG_SECURE don't work on Flutter application #47557
@dnfield Sorry to mention that, but I wonder if you could take a look at this. |
/cc @matthew-carroll or @mklim who might know more immediately what's going on here |
Using the Kotlin code you specified to make my Flutter app secure, I observe the following:
I haven't tried your WebRTC thing yet. |
Are you doing all of this within the same application, or two separate applications? It seems like some code may be missing from your WebRTC example code - it's referring to variables not present in the sample. It may help to just upload a GitHub project that fully reproduces this. |
I grabbed the example from https://github.com/cloudwebrtc/flutter-webrtc. When I use the getUserMedia API, Android Q gives me a big scary warning telling me that this application will be able to record secure information, including passwords, etc. I don't think this is a Flutter bug or a regression. Can you confirm? |
(I get the warning described here: https://support.google.com/android/thread/13791498?hl=en). I strongly suspect this is just by design in Android, I'm curious about your other app that prevented this. |
Actually, even when I accept that warning and put the app into split screen, it doesn't capture the secure app. I just get a black screen. |
The Flutter application is installed on a Motorola Moto z2 along with webrtc. |
Sounds like it could be a bug in the Android version on that device. |
FLAG_SECURE on emulator https://youtu.be/S4Cf9-6gftk |
I just tested on 6 different devices, screen recording was possible on all of them. |
I tried it on Android Q/10 on a Pixel 4. I'll try later today on an earlier API level device. |
Test on Samsung m20 https://youtu.be/H4SbqxMwwNs |
The code I sent was a sample code to connect to the webrtc server, and send the screen. |
I'm fairly convinced this is an Android bug at this point. I just tried on Android 7.0 on a Moto G4. I still get a popup (although less scary) warning me that WebRTC will be recording the whole screen. Unlike on Android Q/Pixel 4, it is actually able to record the secure screen. I'm not sure what Flutter can do about this, and I'm fairly sure that this is an issue not just for Flutter apps. |
FWIW, it should not be possible for a malicious app to record the screen even on lower API levels without the popup asking for permission. Of course, nothing would stop a naive user from accepting that and having a recording going on for ever... But again, I don't think there's anything Flutter can do about this, it's an Android thing. |
This warning is displayed in the latest APIs, however, it is not displayed at all (Believe me, there are devices that it stays on the notification bar just warning that the screen is being recorded, but there is no popup. There are thousands of different rooms, especially with numerous Chinese devices being launched every day, but that is not the scope of the issue.) and is not a permission, it is merely a warning. Also, imagine the user installing a screen recording application to show someone something. If he accepts that the screen will be recorded, then his screen can be recorded at any time remotely, without warning, but this is a specific Android vulnerability which is not the scope of this issue. |
I tested FLAG_SECURE on the same devices (Moto z2 and Samsung m20) using Kotlin right now, and it works on both activities and fragments. I added FLAG_SECURE only in one tab, and open the front camera with web_rtc in all, and the tab with flag_secure was not recorded. I do not rule out the hypothesis that it could be a bug in Android, however, after these tests, I am almost convinced that there is something in Flutter. |
@jonataslaw I'm sorry if this information has already been stated elsewhere in the thread, I'm having trouble parsing the comment chain. Do you mind stating exactly what the behavior on Android is here that Flutter is failing to match? I get that the basic problem is screen recording, but I'm not understanding exactly what capability Android has that Flutter is missing. My best guess is that you're saying that there's a way to set |
I create a Flutter application and add FLAG_SECURE. WEB_RTC I just exposed a critical vulnerability related to this behavior, where spies can record the screen of Flutter applications, but they cannot record the screen of Kotlin, RN, Xamarin, Java, etc. applications, which makes Flutter unsafe for applications that have payments, or banking applications, since the app's screen can be transmitted remotely without any problem via WEB_RTC. |
I understand now, thank you for filing this issue and taking the time to explain the problem in more depth. I did a bit of digging to try and reproduce the difference by using a pure Kotlin test app and a test Flutter app combined with Samples:
Steps:
In both cases the video was black except for the phone's status bar with my patch applied (as expected if there were no bug), and displayed the sample app's screen plus the phone's status bar without it (just double checking that |
I cloned your repository, in the kotlin app I had a black screen, in the Flutter app, I got this: Have you tested on Android 9 below? |
I was testing on Android 9 (SDK 29) with a Pixel 1. I just tried again with SDK 27 (8.1) and SDK 23 (6.0) Nexus 6P and saw the same (correct) behavior on my end. Do you mind listing the specific device/android versions you're using to repro the bug? This may have to do with device version too and not just SDK version. Edited to add: Also just to make sure, are you getting the video through |
Android: Command: result: With remote recorder: local recorder with emulator: |
I also have repro. I can see the Flutter but not the Kotlin app through The one thing I can think of is that Flutter UIs are rendered into SurfaceViews, which come with their own |
Hey, that makes a lot of sense! |
The However unfortunately the new (default) v2 Android embedding doesn't really expose the underlying So to really consider this closed, I think we also need to expose the underlying Ideally there'd also be some kind of workaround for any developers on the v2 embedding impacted by this today. I'm going to see if I can come up with some code sample to use as a mitigation in the short term before the new API lands and rolls. |
It's possible to set this flag in the v2 embedding today by walking through the View hierarchy (full app example at mklim/test_app@bd36511). That workaround isn't ideal long term because it relies on the internal implementation details of how the Flutter engine creates Views, but anyone impacted by this currently can use that as an immediate workaround now while waiting for a patch exposing the SurfaceView directly to land and roll. |
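Added example, not part of the original thread and not the code from the linked test_app commit: a sketch of the view-hierarchy workaround described above for a v2-embedding `FlutterActivity`. It assumes the per-surface call is Android's `SurfaceView.setSecure(true)` (the API name is missing from the comments as captured here); the package name, `MainActivity` and the `secureSurfaceViews` helper are hypothetical.

```kotlin
package com.example.secureapp // hypothetical package name

import android.os.Bundle
import android.util.Log
import android.view.SurfaceView
import android.view.View
import android.view.ViewGroup
import android.view.WindowManager
import io.flutter.embedding.android.FlutterActivity

class MainActivity : FlutterActivity() {

    override fun onCreate(savedInstanceState: Bundle?) {
        // FlutterActivity builds its FlutterView (and the SurfaceView inside it) here.
        super.onCreate(savedInstanceState)

        // Window-level flag: what a plain Kotlin/Java activity would set.
        window.addFlags(WindowManager.LayoutParams.FLAG_SECURE)

        // Flutter draws into a separate surface, so mark that one as well.
        // setSecure() must run before the window is attached to the window
        // manager, which is why this happens in onCreate and not later.
        val content = findViewById<View>(android.R.id.content)
        val secured = secureSurfaceViews(content)
        if (secured == 0) {
            // The engine's view layout changed or a TextureView is in use.
            Log.e("MainActivity", "No SurfaceView found; Flutter content is not marked secure")
        }
    }

    /** Hypothetical helper: marks every SurfaceView under [view] secure, returns the count. */
    private fun secureSurfaceViews(view: View?): Int = when (view) {
        is SurfaceView -> { view.setSecure(true); 1 }
        is ViewGroup -> (0 until view.childCount).sumOf { secureSurfaceViews(view.getChildAt(it)) }
        else -> 0
    }
}
```

Because the walk depends on how the engine lays out its views, treat a zero count as a release blocker and confirm the result with an actual screen recording on each target device.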
Thanks, thanks, thanks and thanks for this temporary fix, I tested and managed to get the screen via webrtc of everything, except my application that now has a black screen. |
Access to the underlying The change won't be available on master until that engine change rolls into the framework. Closing this issue as resolved. @mklim offered work around above until the fix rolls in. |
…Activity and FlutterFragment. (flutter#41984, flutter#47557) (flutter/engine#16552)
++ to this issue |
Android flags do not work for screen recording on any device. The video recording displays the content normally.
With exactly the same flags, an application recently migrated from kotlin to Flutter, does NOT record kotlin video (expected behavior), but in Flutter ignores (in the latest version) all android flags.
[Edit:
When I opened this issue, if I added flags to onCreate, and started recording before opening the application, FLAG_SECURE worked. If the app was opened before the video was recorded, it wouldn't work, which shows that there is some code (maybe in FlutterView, or SystemChrome, I suppose) that was clearing all flags. However, in the latest version, with the removal of onCreate from MainActivity, not even that way the flags work, there is no way to make them work]
[EDIT 2 I created a malicious test application that records the user's screen using webrtc and even with FLAG_SECURE enabled I managed to get the screen in streaming video for 1h. I think this vulnerability fix should be a priority right now].
Steps to Reproduce
Logs
Sample code that can make any application written in flutter victim of attacks using, for example, flutter_webrtc (or if the application is kotlin / java, you can use the native webrtc plugin in the same way):
Connect to your WEB_RTC SERVER, receive a peer_id (that will be used in the future to read the screen), and call this function anywhere in your app createPeerConnection(peer_id, 'video', true);
It's done, knowing the victim's peer_id, you will be able to see her screen, and what she types on the keyboard in any Flutter application, even if FLAG_SECURE is activated.
Reminder, this is a common app that would easily go through the playstore, and anyone who installs it, can have their screen mirrored from a distance. For that there is FLAG_SECURE on android. Bank applications (like a large case that just opted for Flutter, Nubank) in some countries are required by law to have this option enabled, mine for example.
Any other application that involves confidential data, cannot be done with Flutter if there is no way to use FLAG_SECURE.