HMV-01: Auto-Generated Screenshots


Description

Applications which go to background are screenshoted per default for a better user experience. Unfortunately other apps can access these saved screenshots and may discover sensitive data such as banking information, passwords or personal information.

Example

All applications in the background can be viewed (screenhots done).

Mitigation

Use the FLAG_SECURE to hide the screen in background. The app in the middle shows just a black/ white screen.

References

OWASP-MSTG Android Reference

OWASP-MSTG iOS Reference