Severity: low | CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) | OWASP A02:2021

Screenshot Not Prevented

Banking and payment screens without screenshot protection allow sensitive data to be captured by malware or appear in Android's recent apps screen.

How It Works

Android's recent apps switcher keeps a snapshot of your app's window, taken when the user leaves the app (home, back, or task switch). Without FLAG_SECURE on the Activity window, any sensitive screen shows up in that snapshot and in any screenshot taken while your app is in the foreground. Screen recorder or casting apps built on MediaProjection can also capture the display. When FLAG_SECURE is set, Android treats the window as a secure surface: the recents thumbnail is blanked and screenshots and recordings of that window come out black. The flag is a per-window setting, so it protects only while it is set and only on that window; it does nothing against a rooted or otherwise compromised device, or against a photo of the screen.

Vulnerable Code
// BAD: no screenshot protection on sensitive screens (React Native Android)
import { View, Text } from 'react-native';

export function PaymentScreen() {
  return <View><Text>Card: 4111 1111 1111 1111</Text></View>;
  // no FLAG_SECURE — screenshottable by malware
}
Secure Code
// GOOD: set FLAG_SECURE while a sensitive screen is focused, clear it on blur
import React, { useCallback } from 'react';
import { View, Text, NativeModules } from 'react-native';
import { useFocusEffect } from '@react-navigation/native';
// PreventScreenshot is a custom native module that sets/clears FLAG_SECURE (not part of React Native core)
const { PreventScreenshot } = NativeModules;
export function PaymentScreen() {
  useFocusEffect(
    useCallback(() => {
      PreventScreenshot.enable(); // focus: FLAG_SECURE on
      return () => PreventScreenshot.disable(); // blur: FLAG_SECURE off
    }, [])
  );
  return <View><Text>Card: 4111 1111 1111 1111</Text></View>;
}

Real-World Example

Banking trojans on Android routinely wait for financial apps to be in the foreground, then trigger a screenshot. Apps without FLAG_SECURE protection have had account numbers and balances exfiltrated this way.

How to Prevent It

  • Set FLAG_SECURE on the Activity window for every screen that shows financial or personal data (card numbers, balances, account identifiers, one-time codes)
  • Use react-native-prevent-screenshot or a similar library for a cross-platform solution; FLAG_SECURE itself is Android-only and has no iOS equivalent
  • Apply screenshot prevention selectively to sensitive screens, not the entire app; a blanket flag breaks legitimate screenshots and support workflows for screens that hold nothing sensitive
  • Verify on a real device: open the sensitive screen, press Home and confirm the recents thumbnail is blank, then run adb shell screencap -p /sdcard/check.png while the screen is in the foreground; with FLAG_SECURE set the captured image is black

Affected Technologies

React Native, Android

Data Hogo detects this vulnerability automatically.
