diggernet 1 day ago

> "Apps were automatically taking screenshots of themselves and sending them to third parties. In one case, the app took video of the screen activity and sent that information to a third party."

> Out of over 17,000 Android apps examined, more than 9,000 had potential permissions to take screenshots. And a number of apps were found to actively be doing so, taking screenshots and sending them to third-party sources.

Which permission is that, and how do you detect which apps are doing that and stop them?

grishka 1 day ago

There is a permission to record the screen. It requires user consent and there's an icon in the status bar while it's being used. It's impossible to use this covertly.

What I believe the article is speaking about is an app taking screenshots of its own windows. This is obviously possible and obviously requires no permissions whatsoever. Just make a screen-sized bitmap and do

    getWindow().getDecorView().draw(new Canvas(bitmap));

It does sound believable that third-party advertising/marketing/tracking SDKs, which many apps are chock full of, could be doing this.

daveguy 1 day ago

> It's impossible to use this covertly.

*Unless there's a zero-day that allows it.

grishka 1 day ago

If you're going to exploit a privilege escalation vulnerability from your app, why not just grab the most interesting parts of the /data partition while you're at it?

DrillShopper 6 hours ago

You could do both

daveguy 16 hours ago

Sure why not. I wasn't implying that a zero day that allows surreptitiously recording the phone screen is the only shitty thing that can be done with your phone with a zero day.

Also, it is possible for a zero day to break specific privileges (like screen record without notification) rather than root.

simonw 1 day ago

Burning a zero-day like that for targeted advertising seems extremely unlikely to me.

daveguy 15 hours ago

I think you missed the point GP was making. I believe they meant the vector might come from that kind of SDK. Not that someone who had a zero day to allow surreptitiously recording phone screens would use it for that purpose.

quicklime 1 day ago

I followed the links to the study they referenced, and it says:

> Unlike the camera and audio APIs, the APIs for taking screenshots and recording video of the screen are not protected by any permission

However they also talk about doing static analysis on 9,100 out of the 17,260 apps, to determine (amongst other things) “whether media APIs are actually referenced in the app’s code”.

They then talk about doing a dynamic analysis to see which apps actually call the APIs (rather than just link to a library that might call it, while the app never calls that function in the library).

The soundbite is bad; it shouldn't say "had potential permissions to take screenshots", it should just say "had the potential to take screenshots".
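As an added example (not code from this thread or from the study it discusses), here is the kind of static triage pass the reference-scanning step above could amount to, written in Python over dex method references as a smali/dex dumper would emit them. It looks for the self-capture primitive grishka describes (View.draw into a Canvas, plus getDrawingCache and PixelCopy) and checks whether the same package also references a network egress API, and it keeps MediaProjection use, which needs consent and shows an icon, in a separate bucket. The app ids, the SDK package names and the reference lists are constructed for the example; only the android.*, java.net.* and okhttp3 descriptors are real API signatures.

```python
"""
Added example: static triage of dex method references for screen-capture
and network use. Input is a dict of app id -> list of
(caller class, callee descriptor) pairs in dex notation. The app ids,
SDK package names and reference lists below are constructed for the
example; the android.*, java.net.* and okhttp3 descriptors are real APIs.
"""
import re

# Dex method reference: Lpkg/Class;->method(argTypes)retType
_REF = re.compile(r"^(L[^;]+;)->([^(]+)\(")

# Capturing the app's own window: no permission, no status bar indicator.
SELF_CAPTURE = {
    ("Landroid/view/View;", "draw"),             # view.draw(new Canvas(bitmap))
    ("Landroid/view/View;", "getDrawingCache"),
    ("Landroid/view/PixelCopy;", "request"),
}
# Whole-screen capture via MediaProjection: consent prompt + visible icon.
SCREEN_CAPTURE = {
    ("Landroid/media/projection/MediaProjectionManager;", "createScreenCaptureIntent"),
    ("Landroid/media/projection/MediaProjection;", "createVirtualDisplay"),
}
# Egress primitives that could carry a bitmap off the device.
NETWORK = {
    ("Ljava/net/HttpURLConnection;", "getOutputStream"),
    ("Lokhttp3/OkHttpClient;", "newCall"),
}


def parse_ref(descriptor):
    """Split 'Landroid/view/View;->draw(Landroid/graphics/Canvas;)V'
    into ('Landroid/view/View;', 'draw')."""
    m = _REF.match(descriptor)
    if not m:
        raise ValueError(f"not a dex method reference: {descriptor!r}")
    return m.group(1), m.group(2)


def package_of(cls):
    """'Lcom/vendor/replay/Snap;' -> 'com.vendor.replay'."""
    return cls[1:-1].rsplit("/", 1)[0].replace("/", ".")


def triage_app(refs):
    """Return which caller packages touch each API class, plus a verdict."""
    hits = {"self_capture": set(), "screen_capture": set(), "network": set()}
    for caller, callee in refs:
        key = parse_ref(callee)
        pkg = package_of(caller)
        if key in SELF_CAPTURE:
            hits["self_capture"].add(pkg)
        elif key in SCREEN_CAPTURE:
            hits["screen_capture"].add(pkg)
        elif key in NETWORK:
            hits["network"].add(pkg)

    # A package that both renders the window to a bitmap and talks to the
    # network has the shape of a replay/analytics SDK: queue it for dynamic
    # analysis. Capture and network in unrelated packages is the normal
    # shape of an app with custom views and an API client.
    suspect = hits["self_capture"] & hits["network"]
    if suspect:
        verdict = "candidate"
    elif hits["screen_capture"]:
        verdict = "mediaprojection"   # user-visible, consented
    elif hits["self_capture"]:
        verdict = "self-capture-only"
    else:
        verdict = "none"
    return {"verdict": verdict, "suspect_packages": sorted(suspect),
            **{k: sorted(v) for k, v in hits.items()}}


def triage(apps):
    """Triage every app in the input dict."""
    return {app: triage_app(refs) for app, refs in apps.items()}


# Constructed sample: three hypothetical apps.
SAMPLE_APPS = {
    # custom chart view + first-party API client: ordinary app
    "com.alpha.weather": [
        ("Lcom/alpha/ui/ChartView;", "Landroid/view/View;->draw(Landroid/graphics/Canvas;)V"),
        ("Lcom/alpha/net/Api;", "Ljava/net/HttpURLConnection;->getOutputStream()Ljava/io/OutputStream;"),
    ],
    # bundled session-replay SDK that snapshots the window and uploads it
    "com.beta.shop": [
        ("Lcom/beta/MainActivity;", "Landroid/app/Activity;->setContentView(I)V"),
        ("Lcom/vendor/replay/Snap;", "Landroid/view/View;->draw(Landroid/graphics/Canvas;)V"),
        ("Lcom/vendor/replay/Snap;", "Landroid/graphics/Bitmap;->compress(Landroid/graphics/Bitmap$CompressFormat;ILjava/io/OutputStream;)Z"),
        ("Lcom/vendor/replay/Uploader;", "Lokhttp3/OkHttpClient;->newCall(Lokhttp3/Request;)Lokhttp3/Call;"),
    ],
    # screen-casting feature that goes through the consent dialog
    "com.gamma.cast": [
        ("Lcom/gamma/Cast;", "Landroid/media/projection/MediaProjectionManager;->createScreenCaptureIntent()Landroid/content/Intent;"),
        ("Lcom/gamma/Cast;", "Lokhttp3/OkHttpClient;->newCall(Lokhttp3/Request;)Lokhttp3/Call;"),
    ],
}

if __name__ == "__main__":
    for app, result in triage(SAMPLE_APPS).items():
        print(f"{app}: {result['verdict']} {result['suspect_packages']}")
```

A static hit only says the code is present: View.draw is also what every custom view reaches through super.draw(), so the "candidate" verdict is a queue for the dynamic analysis step, not evidence that screenshots ever leave the device.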

maxlybbert 1 day ago

I doubt there's a specific "ability to send surreptitious screen shots to developer" permission. It must be a combination of permissions: one for making network connections, another for capturing the screen without making it obvious to the user, etc.

fzzzy 15 hours ago

For apps that want to send their own screens to third parties, there's no permission needed or possible. The app is drawing the content to the screen. It knows what the content is.

jeroenhd 10 hours ago

If you're trying to track user information (notifications, actual timezone/language, battery level, VPN usage, etc) you can use screenshots of the current screen and open keyboard. You can also see stuff from other apps if the user is using split screen modes or has chat bubbles open. Apps can otherwise only access the data they render.

The research talks about thousands of apps but I do wonder how many of these are apps people use every day and how many are Chinese clones of freemium games and other shitware with a fraction of daily users. All we know from public app store data is the number of "downloads" and even that is distributed as a range. I doubt these 19000 apps were found by doing a survey on what people actually had on their phones.

badc0ffee 7 hours ago

Is that true, that these apps can capture screenshots of the notification area/clock/chat bubbles?

gruez 7 hours ago

Probably not, but all the information can be obtained via system APIs. There's no shortage of "system info" apps that show all manner of information about your phone (including battery level and network status), and don't require any special permission prompts.

ch4s3 1 day ago

When it's a developer tool we call it RUM or real user monitoring. It's super useful for solving bugs, but obviously the potential for abuse or user hostile activity is super high.

vjvjvjvjghv 6 hours ago

As far as permissions go, phones should have a log for when the permissions are actually used and how often.

simonw 1 day ago

... and is this permission to take screenshots of anything else you are doing on your phone at any time, or is it permission to take screenshots while you have that app open?