FVP-02-009 WP5: Secure flag missing on views for Android app #804

Closed
bakulf opened this issue Apr 7, 2021 · 0 comments · Fixed by #817
bakulf commented Apr 7, 2021

During the assessment of the Android app, the discovery was made that the FLAG_SECURE security flag is not deployed to protect views that display sensitive content. By applying the flag for Android views, the app’s windows can no longer be manually “screenshotted”. Additionally, the items would be excluded from automatic screenshots or screen-recordings, which ultimately prevents screen data from leaking to alternative apps.

Particularly for the implemented views displaying sensitive data, e.g. during the login process, adding this flag is important. An attacker would otherwise be able to steal sensitive data, such as login credentials or personal information, doing it after it has been displayed. Hence, this information could be stolen from the services via a malicious app.

It is recommended to add the FLAG_SECURE within the WindowManager responsible for handling views like the WebView. The flag can be set via WindowManager.LayoutParams, i.e. as FLAG_SECURE within the function of setFlags(). As for additional information on how to prevent this type of attack, please refer to the OWASP Mobile Security Testing Guide.
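One way to apply the recommended mitigation, as an added example that is not code from this project's repository: a small `Window` extension sets `FLAG_SECURE` through `setFlags()`, and it is applied both to the Activity window hosting a `WebView` and to a `Dialog` window, since dialogs have their own window that the Activity's flag does not cover. `LoginActivity`, `markSecure`, `isSecure` and `showSensitiveDialog` are assumed names.

```kotlin
import android.app.Activity
import android.app.Dialog
import android.os.Bundle
import android.view.Window
import android.view.WindowManager
import android.webkit.WebView

// Apply FLAG_SECURE to any Window. Reusable for the Activity window and for
// Dialog windows, which are separate windows not covered by the Activity flag.
fun Window.markSecure() {
    setFlags(
        WindowManager.LayoutParams.FLAG_SECURE,
        WindowManager.LayoutParams.FLAG_SECURE
    )
}

// Defensive check, usable from an instrumentation test: true if FLAG_SECURE
// is present in the window's current layout flags.
fun Window.isSecure(): Boolean =
    (attributes.flags and WindowManager.LayoutParams.FLAG_SECURE) != 0

// Hypothetical login screen hosting a WebView (class name is an assumption).
class LoginActivity : Activity() {
    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        // Set the flag before any content is attached, so even the first
        // rendered frame is excluded from screenshots and screen recording.
        window.markSecure()
        val webView = WebView(this)
        setContentView(webView)
        // Fail loudly in debug builds if the flag was somehow cleared.
        check(window.isSecure()) { "FLAG_SECURE not applied to login window" }
    }

    // A dialog that echoes sensitive input (e.g. an entered e-mail address)
    // gets its own Window; the flag must be applied there as well.
    fun showSensitiveDialog(): Dialog {
        val dialog = Dialog(this)
        dialog.window?.markSecure()
        dialog.show()
        return dialog
    }
}
```

The `isSecure()` check is what an Espresso or Robolectric test can assert on for every screen that shows credentials or personal data, so a regression of this finding is caught before release.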


@bakulf bakulf added p3 Low Criticality Issues audit-issue labels Apr 7, 2021
strseb added a commit that referenced this issue Apr 8, 2021
@bakulf bakulf modified the milestone: v2.2 Apr 9, 2021