Permissive screenshot option set

Description

Android may take screenshots of the current application view for display purposes, for example to render the recent-apps (task switcher) thumbnail when an application is sent to the background. The same window content is also what the user, screen-recording tools, and screen-mirroring to non-secure displays capture. Whether or not Android is permitted to capture a window is determined by that window's FLAG_SECURE option.

By default, FLAG_SECURE is not set, so the window can be captured: Android stores a thumbnail of the activity and the user or other capture paths can take screenshots or recordings of it.

For best security practices, any activity that shows sensitive information (credentials, payment details, personal data) should set FLAG_SECURE on its window and should never clear it, so that Android is never allowed to capture the activity's content.

Remediations

❌ Do not clear the FLAG_SECURE option on a window that shows sensitive information; clearing it makes the window capturable again and allows screenshots, recordings and recent-apps thumbnails of that data.

✅ Set FLAG_SECURE on such windows before they are first drawn (for example in onCreate()), and set it on every window that shows the data, including dialogs, since the flag applies per window rather than per application.
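The following is an added example, not code from the Bearer rule page; the activity and layout names are placeholders. It shows the hardened form (FLAG_SECURE set before the first draw) beside the pattern this rule is about (FLAG_SECURE cleared on a window that shows sensitive data):

```java
import android.app.Activity;
import android.os.Bundle;
import android.view.WindowManager;

// ✅ Hardened: the window is marked secure before any view is attached, so
// Android will not capture it for screenshots, the recent-apps thumbnail,
// screen recording, or non-secure (mirrored) displays.
public class AccountDetailsActivity extends Activity {

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // Set the flag before setContentView() so the very first frame is protected.
        getWindow().addFlags(WindowManager.LayoutParams.FLAG_SECURE);
        // Placeholder layout id; replace with the real layout.
        setContentView(R.layout.activity_account_details);
    }
}

// ❌ Permissive: clearing FLAG_SECURE (for example from a "share" or "debug"
// code path) makes the window capturable again. This is the call the rule flags.
class AccountDetailsLeakyActivity extends Activity {

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // Sensitive content will now show up in screenshots and the task switcher.
        getWindow().clearFlags(WindowManager.LayoutParams.FLAG_SECURE);
        setContentView(R.layout.activity_account_details);
    }
}
```

Because the flag is per window, a dialog or a second activity opened from the secured screen does not inherit it; each such window needs the same addFlags() call. Setting the flag in onResume() instead of onCreate() leaves a window where the first frame can already have been captured for the recents thumbnail.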

References

Associated CWE

OWASP Top 10

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=java_android_prevent_screenshot

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=java_android_prevent_screenshot
