Description
Android supports a Window flag called FLAG_SECURE. When applied to an activity, it treats the content of the window as secure, preventing it from appearing in screenshots or from being viewed on non-secure displays.
It's good security practice to apply this flag to any screen with confidential information to avoid leaks. If the user tries to take a screenshot, the device will block it, displaying a message notifying the user that the action is blocked.
However, Instabug ignores this configuration, attaching a screenshot of these screens in the bug reports. It also tracks the information introduced by the user in the input fields, leaking all of this to the User Steps logs in the dashboard.
Would it be possible for the Instabug SDK to take this flag into consideration, applying the right measures to prevent leaking confidential information?
Steps to Reproduce the Problem
- Apply the secure flag to any activity:
    window.setFlags(WindowManager.LayoutParams.FLAG_SECURE, WindowManager.LayoutParams.FLAG_SECURE)
- Navigate to that activity. If you try to take a screenshot, the device will refuse to do it.
- Navigate to that activity and report a bug with Instabug (for example, with the shaking feature).
Extra: use an activity with input fields and fill them before reporting the bug.
Expected Behavior
Instabug should not attach any screenshot. Probably display a warning instead.
Extra: Instabug should not log the information introduced by the user in the input fields as part of the User Steps logs.
Actual Behavior
Instabug will attach a screenshot to the report, which shouldn't be there as it might leak confidential information.
Extra: Instabug is tracking all information introduced by the user in the input fields as part of the User Steps logs, leaking confidential information.
SDK Version
Tested in 10.4.1, probably this happens in all
Android Version
Tested in Android 11, probably happens in any
Device Model
Tested in Pixel 3a, probably happens in any
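
The check requested under Expected Behavior, written in Kotlin as an added example; it is not Instabug SDK code and not part of the original report. `SecureAwareCapture` and its functions are hypothetical names, and the in-process `View.draw` capture is an assumption about how an in-app reporter produces its screenshot.

```kotlin
import android.app.Activity
import android.graphics.Bitmap
import android.graphics.Canvas
import android.view.WindowManager
import android.widget.EditText

// Hypothetical helper (not an Instabug API): honours FLAG_SECURE before
// capturing a screen or recording typed input for a bug report.
object SecureAwareCapture {

    /** True when the activity's window was marked with FLAG_SECURE. */
    fun isSecure(activity: Activity): Boolean {
        val flags = activity.window.attributes.flags
        return (flags and WindowManager.LayoutParams.FLAG_SECURE) != 0
    }

    /**
     * Renders the view hierarchy into a bitmap from inside the app process.
     * FLAG_SECURE governs system screenshots and non-secure displays; drawing
     * the app's own views to a Canvas is not blocked by it, so the flag has
     * to be checked explicitly here. Returns null when nothing may be attached.
     */
    fun captureOrNull(activity: Activity): Bitmap? {
        if (isSecure(activity)) return null            // secure window: no screenshot
        val root = activity.window.decorView
        if (root.width == 0 || root.height == 0) return null  // not laid out yet
        val bitmap = Bitmap.createBitmap(root.width, root.height, Bitmap.Config.ARGB_8888)
        root.draw(Canvas(bitmap))
        return bitmap
    }

    /** Value to store in a user-steps log entry for an input field. */
    fun stepValue(activity: Activity, field: EditText): String =
        if (isSecure(activity)) "<redacted>" else field.text.toString()
}
```

A caller that receives `null` from `captureOrNull` can show the warning described under Expected Behavior instead of attaching an image.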