Recipe Name:
Data Protection - Secure Data Display: Avoid Data Exposure: Use LayoutParams.FLAG_SECURE Compliant
Description:
Compliant
Level:
compliant
Language:
- java
Tags:
- security
- framework specific
- mobile
- Android
Documentation
Android best practices and coding guidelines state that the FLAG_SECURE flag must be set for UI elements which might contain sensitive information.
Add the FLAG_SECURE setting to all your activities which handle sensitive information. This will prevent leaks via screenshots or recording software.
If you have other UI elements such as a Dialog or a Toast, you can use the FlagSecureHelper library to create a secure version of this element.
    getWindow().setFlags(LayoutParams.FLAG_SECURE, LayoutParams.FLAG_SECURE);

Correct code example (Secure Toasts):

    allprojects {
        repositories {
            maven {
                url "https://s3.amazonaws.com/repo.commonsware.com"
            }
        }
    }

    implementation "com.commonsware.cwac:security:0.8.+"

    FlagSecureHelper
        .makeSecureToast(ACTIVITY_OBJECT, "MESSAGE", Toast.LENGTH_LONG)
        .show();

Correct code example (Secure Dialogs):

    Dialog dlg = ... // Create your dialog
    dlg = FlagSecureHelper.markDialogAsSecure(dlg);
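The following is an added example, not code from this recipe or from the FlagSecureHelper library. It shows one way to apply the flag to every sensitive screen through a shared base class and to the separate window of a dialog using only framework calls; the names SecureActivity and showSecureDialog are hypothetical.

```java
import android.app.Activity;
import android.app.AlertDialog;
import android.app.Dialog;
import android.os.Bundle;
import android.view.Window;
import android.view.WindowManager;

// Hypothetical base class: every activity that displays sensitive
// information extends it instead of Activity.
public abstract class SecureActivity extends Activity {

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // Set the flag before the subclass calls setContentView(), so the
        // window content is never drawn without it. The two-argument form
        // (flags, mask) is the setFlags call the recipe searches for.
        getWindow().setFlags(WindowManager.LayoutParams.FLAG_SECURE,
                             WindowManager.LayoutParams.FLAG_SECURE);
    }

    // A Dialog is shown in its own Window, so the flag set on the
    // activity's window above does not cover it. Mark the dialog's
    // window before it is shown.
    protected Dialog showSecureDialog(AlertDialog.Builder builder) {
        Dialog dialog = builder.create();
        Window window = dialog.getWindow();
        if (window != null) {
            // The one-argument addFlags form is also matched by the recipe.
            window.addFlags(WindowManager.LayoutParams.FLAG_SECURE);
        }
        dialog.show();
        return dialog;
    }
}
```

This covers only the dialog's own window; for Toasts, the library call shown above remains the approach this page describes.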
Recipe
    id: scw:android:layoutparams-flag-secure
    version: 10
    metadata:
      name: 'Data Protection - Secure Data Display: Avoid Data Exposure: Use LayoutParams.FLAG_SECURE Compliant'
      shortDescription: Compliant
      level: compliant
      language: java
      enabled: true
      descriptionFile: descriptions/java_android_handle_sensitive_information_in_ui_elements_with_care_use_flag_secure.html
      tags: security;framework specific;mobile;Android
    search:
      methodcall:
        anyOf:
        - args:
            1:
              value:
                stringified: WindowManager.LayoutParams.FLAG_SECURE
          name: addFlags
        - args:
            1:
              value:
                stringified: WindowManager.LayoutParams.FLAG_SECURE
            2:
              value:
                stringified: WindowManager.LayoutParams.FLAG_SECURE
          name: setFlags
    availableFixes: []