Sensitive Data Leaked via Screenshots (by @guardsquare) #3112

Add a test page
serek8 committed Jan 13, 2025

commit c4b0d95a0161cd2ad0fb3327f468d2de2c77f5c7
26 changes: 26 additions & 0 deletions tests-beta/android/MASVS-PLATFORM/MASTG-TEST-0216.md
@@ -0,0 +1,26 @@
---
title: Sensitive Data Leaked via Screenshots
Needs a more specific title, in line with other tests.

Titles get more specific as we go from weakness > test > demo

platform: android
id: MASTG-TEST-0216
type: [static]
weakness: MASWE-0055
---

## Overview

This test verifies whether an app uses APIs to prevent or detect screen capturing. While prevention is preferable to detection, this test ensures that the app is aware of potential screenshot issues. On Android, several APIs allow developers to detect when screenshots are taken, such as:

- [FLAG_SECURE](https://developer.android.com/security/fraud-prevention/activities#flag_secure) - prevents screen recording
- [DETECT_SCREEN_CAPTURE](https://developer.android.com/about/versions/14/features/screenshot-detection#implementation) - detects when a screenshot is taken

## Steps

1. Run a static analysis tool, such as @MASTG-TOOL-0110, on the code to identify instances of relevant API usage.

## Observation

The output should include a list of locations where the relevant APIs are used.

## Evaluation

The test case fails if you cannot find the relevant APIs on the Activities that display sensitive data.
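Review bot: The Overview contradicts its own list: the sentence introducing the bullets says "several APIs allow developers to detect when screenshots are taken", but the first bullet, FLAG_SECURE, is a prevention mechanism (the Overview's own opening line calls the goal "prevent or detect screen capturing"), and its description "prevents screen recording" is narrower than the screenshot case this test is named for. Split the list into a prevention entry and a detection entry, and describe FLAG_SECURE in terms of the screen capturing the test is about. The Evaluation also needs to decide what a detection-only hit means: the Overview states that prevention is preferable to detection, yet "fails if you cannot find the relevant APIs on the Activities that display sensitive data" lets an app that only registers DETECT_SCREEN_CAPTURE on a sensitive Activity pass without ever blocking the capture; say explicitly whether that is a pass, a fail, or a pass with a finding. Finally, since the test is `type: [static]`, a list of API locations from @MASTG-TOOL-0110 does not by itself show which Activity each call applies to; the Observation or Evaluation should tell the tester to map every hit to the Activity (or Window) it is set on before judging the Activities that display sensitive data.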