Permissive Screenshot option set

Overview

• Rule ID: java_android_prevent_screenshot

• Applicable Languages: Java

• Weakness ID: CWE-200

Description

The Android operating system has the capability to capture screenshots of the current application view, even when the app is minimized. This capability is governed by the FLAG_SECURE option. If FLAG_SECURE is not enabled, Android allows screenshots to capture potentially sensitive information.

Risks

Android apps without FLAG_SECURE enabled can inadvertently capture and expose sensitive user data through screenshots, potentially compromising privacy and security.

Remediation Guidelines

Ensure the FLAG_SECURE option is set to true in your Android application to prevent the system from capturing screenshots of your app's activities. This is essential for safeguarding potentially sensitive information from being captured and stored in screenshots.

getWindow().setFlags(WindowManager.LayoutParams.FLAG_SECURE, WindowManager.LayoutParams.FLAG_SECURE);

References

• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

• A01:2021 - Broken Access Control

Configuration

To omit this rule during a scan, and to provide you with continuous 24/7 code-level scanning, you can employ our SAST TOOL