Android Lollipop Screen Capture and Sharing

Android Lollipop has a new feature that allows screen capturing and screen sharing from third party applications. The feature allows third party apps to capture videos from the device and deliver it over the network.

Screen capturing does not require any pre-defined permissions; however, it does require user consent, as shown in the image below. If the user agrees to the consent, which does not necessarily explain the permanence of the feature nor its broad range, the application is able to capture everything that is displayed on the device’s screen, including sensitive activity from all other apps, such as password keystrokes, credit card screens, home addresses, etc. The capturing ability remains on even if the user terminates/closes the app, but not after a reboot. Additionally, when an application is performing screen capturing a small screen casting icon is displayed in the notification bar. This does not give the user enough information to make an informed decision on whether to disable casting.

Please click here to view the full step-by-step demo. Thanks Alexey Reznik for creating an informative video.

</img>

Fig:SideScreen is a 3rd Party Application on Google Play

Since a user may not understand the impact of its consent, mobile apps should proactive protect their sensitive screens from third party screen capturing and sharing. This is possible using the FLAG_SECURE option on any given screen. The following code shows an example:

protected void onCreate(Bundle savedInstanceState) {
super.onCreate(savedInstanceState);
		setContentView(R.layout.activity_main);
		 getWindow().setFlags(LayoutParams.FLAG_SECURE,
                 LayoutParams.FLAG_SECURE)
…
…
}

However, if the developers want to protect all the screens of their applications from third party screen capturing and sharing, they need to use this flag in each of the Activities separately. There is no global means to set this flag for all the screens at once. But, one can design their applications in such a way that the FLAG_SECURE needs to be used only once. Below is the code snippet:

  • Define a BaseActivity and set the FLAG_SECURE in that Activity :
public class BaseActivity extends Activity {

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        /**
         * approach 1: create a base activity and set the FLAG_SECURE in it,
         * Extend all other activities, Fragments from this activity
         */
        getWindow().setFlags(LayoutParams.FLAG_SECURE,
                LayoutParams.FLAG_SECURE);
    }
  • Take this BaseActivity as superclass for all the other Activities.
public class LoginActivity extends BaseActivity
public class MainActivity extends BaseActivity

By doing so, when the onCreate() method of the super class is overrriden, the FLAG_SECURE automatically gets set for all the child activities.

  • There might be cases where one wants to unset the FLAG_SECURE for some screens. In such cases, in child activity can use the below code:
@Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);
        /*
        clear flags: It can be used when user need to enable screen capturing in some applications
         */
        getWindow().clearFlags(WindowManager.LayoutParams.FLAG_SECURE);
    }

More information on FLAG_SECURE API can be found here: FLAG_SECURE

Pavan Walvekar - 26 Dec 2014 at 12:02