All snapshots go to heaven

    We all use banking applications now. They are convenient, fast and, as it seems to us, safe. Banks have even introduced additional PIN codes so that even if you lose your phone or it falls into a stranger's hands, your funds and confidential data stay protected. And that's great! Banks care about our security!

    Unfortunately, if you open the same banking application in the task switcher (the Recents screen), you will see the entire contents of its last screen: for example, your account details, your bank card, or the chat in which you discussed something with a bank employee. You can check this on your own banking applications. I looked at all the best-known ones, and none of them hides sensitive information while in the background.

    As an example, I mocked up an abstract bank with abstract screens. Now a question: you are about to transfer money to your mom / girlfriend / dog, you are already on the transfer page, and you leave the application to copy the code from an SMS (because, in a fit of paranoia, you denied the banking application access to SMS) or to look something up. When you decide to return to your banking application, which screen will you pick?

    As you can see, you are faced with two absolutely identical screens, and in a hurry you may not notice the difference. You tap the most recent one, open it, enter your details and voila, your money is transferred. But where is it transferred? And to whom?

    And it is not only that abstract bank: I looked at several of the most popular banks, and they all suffer from the same problem.


    Interestingly, on iOS the contents of the screen in the app switcher are hidden.


    There is an explanation for that, but more on it a little later; for now we are talking about Android. So why hide the contents of the screen when the user leaves the application?

    Let's first look at how the task switcher (the Recents screen) works in general.


    On this screen we see a list of our previously opened applications. We are even shown the exact place where we stopped interacting with each application. But the point is that we do not see the application itself; we see a snapshot that was taken as the application went to the background.

    What actually happens (briefly):

    • The application goes to the background
    • The window manager places a snapshot of the application's window into a GraphicBuffer
    • The GraphicBuffer is handed to SystemUI over Binder, which uses it as the application's preview

    So what we see here is not the live content of the application, but a snapshot made at the last moment before that application went to the background.

    But, as you have probably guessed, it is not that simple. These snapshots can be obtained and used; for example, a malicious application can show the user, in the Recents screen, a different application disguised as the bank, which is exactly what banking Trojans do. The user "returns" to the banking application, enters all the requested details, and the money is transferred, but not at all to where they wanted.

    Or the pictures can simply be sent off somewhere, for example to China, where the stern Chinese collect information about everything and everyone. Ways of using the captured screenshots can be invented endlessly.

    For the most part, of course, hiding confidential data matters for banking applications and for applications that contain critical information not meant for other people's eyes.

    Snapshots can be prohibited or cleared only from within a specific application. And the documentation says that only device manufacturers can modify the class responsible for the mechanism that takes and stores snapshots.

    How to prevent the system from taking snapshots

    There are several ways, though unfortunately not all of them are optimistic enough. If you want to use any of them in your application, make sure it works properly on all devices.

    You can set an attribute on the activity in the manifest:

    android:excludeFromRecents="true"

    However, this method breaks the logic of the user's interaction with the application, since the application will not be shown in the Recents screen at all.

    The second option is to set FLAG_SECURE on the activity's window (for example in onCreate()):

    if (android.os.Build.VERSION.SDK_INT >= android.os.Build.VERSION_CODES.HONEYCOMB) {
        // Mark the window content as secure: no Recents thumbnail, no screenshots
        getWindow().setFlags(WindowManager.LayoutParams.FLAG_SECURE,
                             WindowManager.LayoutParams.FLAG_SECURE);
    }

    This method does not break the interaction logic, but the system starts treating the contents of the application's window as protected and does not allow a snapshot of it to be taken (the same flag also blocks screenshots and screen recording of that window). Below is an example of how it looks in the Recents screen.

    In addition, there is the option of hooking onPause(). But then you have to keep a prepared cover view in the View.GONE state all the time, so that when the application goes to the background you can switch it to View.VISIBLE. This also does not work very reliably, because, unfortunately, you cannot control when the system takes the snapshot relative to your onPause(), so the cover may not be drawn yet.
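    Here is an added example (not code from the original post) that puts the two in-app approaches side by side in one Activity so the difference is visible: FLAG_SECURE set on the window in onCreate(), and the best-effort cover view toggled in onPause()/onResume(). The class name SecureTransferActivity, the layout activity_secure_transfer and the view id privacy_cover are assumptions for illustration; in a real app you would pick FLAG_SECURE alone, and the cover is kept here only to show why it is the weaker option.

```java
import android.os.Bundle;
import android.view.View;
import android.view.WindowManager;
import androidx.appcompat.app.AppCompatActivity;

// Assumed names: SecureTransferActivity, R.layout.activity_secure_transfer,
// R.id.privacy_cover. Not from the original post.
public class SecureTransferActivity extends AppCompatActivity {

    // A full-screen opaque View declared in the layout with visibility "gone".
    // It hides the sensitive content when the activity leaves the foreground.
    private View privacyCover;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);

        // Approach 1: FLAG_SECURE. The window manager treats this window's
        // content as protected, so the Recents snapshot is blank and
        // screenshots / screen recording / casting of the window are blocked.
        // FLAG_SECURE exists since API level 1, so no SDK_INT check is needed.
        // Set it before the first frame is drawn, i.e. before setContentView().
        getWindow().setFlags(WindowManager.LayoutParams.FLAG_SECURE,
                             WindowManager.LayoutParams.FLAG_SECURE);

        setContentView(R.layout.activity_secure_transfer);
        privacyCover = findViewById(R.id.privacy_cover);
    }

    // Approach 2 (best effort only): show the cover when leaving the foreground.
    // The snapshot is captured by the system, not by the app, so there is no
    // guarantee the cover has been laid out and drawn before the capture.
    @Override
    protected void onPause() {
        privacyCover.setVisibility(View.VISIBLE);
        super.onPause();
    }

    @Override
    protected void onResume() {
        super.onResume();
        // Reveal the real content again once the user is back in the app.
        privacyCover.setVisibility(View.GONE);
    }
}
```

    A quick check for either approach: open the transfer screen, press Home, then open Recents. With FLAG_SECURE the card for this activity is blank on every device; with the cover view alone you will sometimes still see the real content, because the snapshot raced ahead of the layout pass.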

    By the way, Telegram got this right, who would have doubted :) The secret chat is on screen here, and FLAG_SECURE is used.


    So why do banks hide the contents of the application on iOS, which is currently considered the safer platform (misleadingly), and leave it as is on Android? Most likely, they simply do not like how the application looks in the Recents screen: just a blank white card. On iOS the implementation lets you do it beautifully. As a result we get a loss of security for the sake of beauty. Perhaps you do not mind, as long as your money stays where you want it and the confidentiality of your data is unshakable. But are you ready to pay for it? ..

    So, in order not to end on such a pessimistic note, let's ask: can it be done beautifully on Android? In fact, I have already figured out a way, but it needs to be tested first.

    If you are interested in this topic, I can describe how it all works from the inside: how to obtain the snapshots, how the Android system works, and about vulnerabilities in mobile applications.

    I have decided to challenge myself to write something useful on a regular basis. I will publish sketches in my Telegram channel @paradisecurity and then collect them into full-fledged posts. Bye bye.
