Permissive screenshot option set

• Rule ID: java_android_prevent_screenshot
• Languages: java
• Source: prevent_screenshot.yml

Description

The Android operating system can capture screenshots of the current application view, such as when the app is minimized. This capability is controlled by the FLAG_SECURE option. If FLAG_SECURE is not enabled, Android can take screenshots, which might include sensitive information.

Remediations

• Do set the FLAG_SECURE option to true in your Android application to prevent the system from taking screenshots of your app's activities. This is crucial for protecting potentially sensitive information from being captured and stored in screenshots.

  getWindow().setFlags(WindowManager.LayoutParams.FLAG_SECURE, WindowManager.LayoutParams.FLAG_SECURE);

Associated CWE

• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

OWASP Top 10

• A01:2021 - Broken Access Control

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=java_android_prevent_screenshot

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=java_android_prevent_screenshot