Recipe Name:
Data Protection - Secure Data Display: Avoid Data Exposure: set FLAG_SECURE
Description:
Could leak sensitive information
Level:
error
Language:
  • java
Tags:
  • security
  • mobile
  • framework specific
  • Android
  • Android security set
Documentation

Android coding guidelines and common best practice are summarised here as one recommendation: any UI element that might show sensitive information (account numbers, balances, tokens, health data) must have the FLAG_SECURE window flag set.

Set FLAG_SECURE in every Activity that handles sensitive information, in onCreate() before the window is first drawn (that is, before setContentView()). With the flag set, the platform treats the window's contents as secure: they are excluded from screenshots, screen recordings and the Recents thumbnail, and are blanked on non-secure displays such as wireless screen mirroring. Note that the flag is per window, and an Activity's flag does not propagate: a Dialog and a Toast are each drawn in their own window, so securing the Activity does not secure a Dialog or Toast shown from it. A Dialog exposes its Window, so the same flag can be applied to it directly; a Toast does not, which is why the FlagSecureHelper library (from the CommonsWare cwac-security project) is used to build a secure Toast and to mark a Dialog as secure. FLAG_SECURE is a platform control, not a guarantee: a rooted or otherwise compromised device can still read the screen, and accessibility services can still read view contents.

Correct code example:
// In onCreate(), before setContentView(): the flag must be on the window before it is first drawn
getWindow().setFlags(android.view.WindowManager.LayoutParams.FLAG_SECURE, android.view.WindowManager.LayoutParams.FLAG_SECURE);
Correct code example (Secure Toasts):
// Project-level build.gradle: add the CommonsWare repository
allprojects {
    repositories {
        maven {
            url "https://s3.amazonaws.com/repo.commonsware.com"
        }
    }
}

// App-module build.gradle, inside dependencies { }.
// Prefer pinning an exact version over "0.8.+" so builds are reproducible and a new
// upstream release cannot silently change what you ship.
implementation "com.commonsware.cwac:security:0.8.+"


// A plain Toast.makeText() is not covered by the Activity's FLAG_SECURE, so build the Toast through the helper
FlagSecureHelper
    .makeSecureToast(ACTIVITY_OBJECT, "MESSAGE", Toast.LENGTH_LONG)
    .show();
Correct code example (Secure Dialogs):
Dialog dlg = ... // Create your dialog
// Mark the dialog's own window secure before calling dlg.show()
dlg = FlagSecureHelper.markDialogAsSecure(dlg);
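The following is an added worked example, not code from the original recipe or from the cwac-security project. It puts the three cases above into one Activity: the flag is set on the Activity window before the first draw, a Dialog is secured through its own Window using only the platform API (the library call markDialogAsSecure is the equivalent), and a Toast goes through the library because Toast exposes no Window to flag. The package name, class name, the sample balance and IBAN strings are constructed for the example, and the import path of FlagSecureHelper is assumed from the library's package layout; check the library README for the exact package.

```java
package com.example.secureui;   // assumed package name for the example

import android.app.Activity;
import android.app.AlertDialog;
import android.app.Dialog;
import android.os.Bundle;
import android.view.WindowManager;
import android.widget.TextView;
import android.widget.Toast;

// Import path assumed from the cwac-security project layout; verify against the library README.
import com.commonsware.cwac.security.flagsecure.FlagSecureHelper;

public class BalanceActivity extends Activity {

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);

        // 1. Activity window: set FLAG_SECURE before setContentView(), i.e. before the window
        //    is first drawn, so no frame containing the secret is ever capturable.
        getWindow().setFlags(WindowManager.LayoutParams.FLAG_SECURE,
                             WindowManager.LayoutParams.FLAG_SECURE);

        TextView balance = new TextView(this);
        balance.setText("Balance: 12,345.67");   // constructed sample secret
        setContentView(balance);
    }

    // 2. Dialog: a Dialog has its own Window, so the Activity's flag does not cover it.
    //    Apply the flag to the Dialog's window before show(); this is what the library's
    //    FlagSecureHelper.markDialogAsSecure(dlg) does for you.
    void showAccountDetails() {
        Dialog dlg = new AlertDialog.Builder(this)
                .setTitle("Account details")
                .setMessage("IBAN: DE00 0000 0000 0000 0000 00")   // constructed sample secret
                .setPositiveButton(android.R.string.ok, null)
                .create();
        markDialogSecure(dlg);
        dlg.show();
    }

    // Platform-API equivalent of FlagSecureHelper.markDialogAsSecure(): Dialog creates its
    // Window in its constructor, so getWindow() is non-null here, before show().
    static Dialog markDialogSecure(Dialog dlg) {
        dlg.getWindow().addFlags(WindowManager.LayoutParams.FLAG_SECURE);
        return dlg;
    }

    // 3. Toast: also shown in its own window, and Toast gives no access to that Window,
    //    so a plain Toast.makeText() would be capturable even inside this secured Activity.
    void confirmTransfer() {
        FlagSecureHelper
                .makeSecureToast(this, "Transfer sent from account ending 6789", Toast.LENGTH_LONG)   // constructed message
                .show();
    }
}
```

The ordering in onCreate() is the part that is easy to get wrong: setting the flag after setContentView() still works for later frames, but the first draw may already have happened by the time the flag is applied, so keep the call first. The same rule applies to the Dialog: flag its window before show().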
Recipe
id: scw:android:toast-maketext-flag-secure
version: 10
metadata:
  name: 'Data Protection - Secure Data Display: Avoid Data Exposure: set FLAG_SECURE'
  shortDescription: Could leak sensitive information
  level: error
  language: java
  enabled: true
  descriptionFile: descriptions/java_android_handle_sensitive_information_in_ui_elements_with_care_use_flag_secure.html
  tags: security;mobile;framework specific;Android;Android security set
search:
  methodcall:
    args:
      1:
        type:
          reference:
            matches: android.app.(AppCompat)*Activity
          checkInheritance: false
      2:
        type: java.lang.String
      3:
        type: int
    in:
      typeDeclaration:
        super:
          name: android.app.Activity
    name: makeText
    declaration:
      type: android.widget.Toast
availableFixes:
- name: Set FLAG_SECURE
  actions:
  - rewrite:
      to: |-
        this.getWindow().addFlags(android.view.WindowManager.LayoutParams.FLAG_SECURE);
        {{{ . }}}