Skip to content

Protect password during screenshare #5339

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
TimoPtr opened this issue May 20, 2025 · 6 comments
Open

Protect password during screenshare #5339

TimoPtr opened this issue May 20, 2025 · 6 comments
Labels
enhancement New feature or request

Comments

@TimoPtr
Copy link
Collaborator

TimoPtr commented May 20, 2025

Verify that when typing password during onboarding and with screenshare ON we are properly hiding the password of the user https://developer.android.com/about/versions/15/behavior-changes-all#screenshare_protection
@TimoPtr TimoPtr added the bug Something isn't working label May 20, 2025
@jpelgrom
Copy link
Member

I'm not sure this is something for the app to handle because:

  • the behavior change you linked is "Android will do something"
  • password fields are inside the WebView, so managed by the frontend

Note that even the keyboard input is still visible when recording/sharing (built-in recorder, using a single app so that should be the new APIs):

screen-20250520-144333.mp4

@TimoPtr
Copy link
Collaborator Author

TimoPtr commented May 20, 2025

I'm not sure this is something for the app to handle because:

* the behavior change you linked is "Android will do something"

* password fields are inside the WebView, so managed by the frontend

Note that even the keyboard input is still visible when recording/sharing (built-in recorder, using a single app so that should be the new APIs):
screen-20250520-144333.mp4

I would like to check if we use https://developer.android.com/reference/android/view/View#setContentSensitivity(int) if it hides the webview and how. If it hides it we could set this flag when we detect that we enter the auth screen.

@jpelgrom
Copy link
Member

jpelgrom commented May 20, 2025
edited
Loading

View#setContentSensitivity is currently not used. However, there are more places in the frontend where you might enter a password after onboarding and we can't realistically set that all the time (as it also blocks things like screenshots, which is annoying).

@TimoPtr
Copy link
Collaborator Author

TimoPtr commented May 20, 2025

Indeed we cannot catch all of them, we could see we the frontend if we can send them a flag that the app is being recorded. I think it is a nice feature to hide the typing of a password for security.

We should not set this flag all the time otherwise like you said we can't make screenshots, but we could enable it on specific places when it makes sense and make sure our inputs are properly configured when user is typing a secret.

@TimoPtr
Copy link
Collaborator Author

TimoPtr commented May 20, 2025

This requirements is not a must have for targeting android API 36

@jpelgrom
Copy link
Member

(It's actually a behavior change in Android 15, it already applies)

@jpelgrom jpelgrom added enhancement New feature or request and removed bug Something isn't working labels May 20, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@TimoPtr @jpelgrom