Skip to content
This repository has been archived by the owner on Apr 6, 2021. It is now read-only.

Block screenshots #112

Open
wants to merge 3 commits into
base: master
Choose a base branch
from
Open

Conversation

Tethik
Copy link

@Tethik Tethik commented Feb 20, 2020

Change Description

This adds a toggleable setting to block screenshots from the main AuthenticatorActivity. By default that setting is set to true. Fixes #50

Unfortunately I haven't been able to run the tests as they make my poor laptop go OOM. I tested it on a test device though. I've also had to upgrade the build tools etc to get the project to run, but I omitted it from this PR to keep it contained.

@ThomasHabets
Copy link
Contributor

Thank you! I'll try to find the best person to review this, and make sure it gets into the Play Store version.

I'm bouncing round the world at the moment, so apologies for delays.

@Tethik
Copy link
Author

Tethik commented Feb 22, 2020

No worries. I'm actually aiming to implement another feature (folders), so I took this one from the issues as a sample to get into the code. From my end there is no rush to release this :)

@frankenstein91
Copy link

Since according to the German press there is a malicious code in the works that is supposed to take advantage of this missing protective function, but we can take the wind out of the sails with the combined power of OpenSource... what help do @ThomasHabets need from the community? I think we could find a good helper for each area.

@ThomasHabets
Copy link
Contributor

Partially copying this from the other bug

The issue recently in press recently is, as I understand it, entirely about accessibility functionality that can't (?) be disabled (and for good reason, because accessibility), not about this issue which is about screenshots.

Also, for other people coming here from ZDNet:

FYI: The version in Google Play Store / Apple App store is not the same as this opensource version. They've diverged. This opensource version is also unlikely to end up in the app stores. This open source version doesn't get much love, but I'll accept well-written pull requests.

In other words: This bug does NOT track the issue describe in the article, for two reasons:

  1. This bug is about screenshots, which AFAIK is not the same issue
  2. This repo does not contain the code for Google Authenticator that you can find in any app store what-so-ever

So guess, @frankenstein91, what the community can do is to confirm what API exactly is the relevant one. This pull request seems to disable screenshots, yes, but does it do anything at all to the risk mentioned in the press with this malware? "They" tell me no, it won't.

@frankenstein91
Copy link

I didn't know about the split, sorry.

I found this article in the online magazine https://www.golem.de/news/google-authenticator-2fa-codes-lassen-sich-einfach-abgreifen-2003-147119.html. Since the second link led into this software, I thought it could be solved by the already opened request.

I think the article, which at least I read, is only about the screenshot function.

@Diesmo
Copy link

Diesmo commented Mar 9, 2020

Also, for other people coming here from ZDNet:

In other words: This bug does NOT track the issue describe in the article, for two reasons:

  1. This bug is about screenshots, which AFAIK is not the same issue

I'm a bit confussed, you are talking about the ZDNet article and how the security flaw they describe over there is not relevant to this PR/Screenshot function, but then again this is what the ZDNet article which you linked says:

If an account was protected by 2FA, and namely by the Google Authenticator app, the malware was designed to allow the Cerberus gang to connect to a user's device manually, via its RAT features. Hackers would then open the Authenticator app, generate one-time passcodes, take a screenshot of the codes, and then access the user's account. ThreatFabric's discovery was a significant one. Not only was Cerberus the first-ever Android malware that was stealing one-time 2FA codes, but it was also doing using a simple technique -- by screenshotting the Authenticator app's interface.

For me this sounds exactly like the problem that the PR approaches.
Removal of screenshot function inside a 2FA app so Malware can't send the codes somewhere.

And reading six digit numbers from a picture is not hard by any means, there are more than enough pre-trained models for this task, which can be set up and running in 10 mins.

@tentacleuno tentacleuno mentioned this pull request Mar 27, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Security Problem: Screenshot Function
6 participants