Comment by diggernet

Comment by diggernet 3 months ago

18 replies

View on Hacker News

> "Apps were automatically taking screenshots of themselves and sending them to third parties. In one case, the app took video of the screen activity and sent that information to a third party.”

> Out of over 17,000 Android apps examined, more than 9,000 had potential permissions to take screenshots. And a number of apps were found to actively be doing so, taking screenshots and sending them to third-party sources.

Which permission is that, and how do you detect which apps are doing that and stop them?

grishka 3 months ago

There is a permission to record the screen. It requires user consent and there's an icon in the status bar while it's being used. It's impossible to use this covertly.

What I believe the article is speaking about, is an app taking screenshots of its own windows. This is obviously possible and obviously requires no permissions whatsoever. Just make a screen-sized bitmap and do

    getWindow().getDecorView().draw(new Canvas(bitmap));
It does sound believable that third-party advertising/marketing/tracking SDKs, which many apps are chock full of, could be doing this.
Reply View 7 replies
  • daveguy 3 months ago

    > It's impossible to use this covertly.

    *Unless there's a zero-day that allows it.

    Reply View 6 replies
    • grishka 3 months ago

      If you're going to exploit a privilege escalation vulnerability from your app, why not just grab the most interesting parts of the /data partition while you're at it?

      Reply View 2 replies
      • daveguy 3 months ago

        Sure why not. I wasn't implying that a zero day that allows surreptitiously recording the phone screen is the only shitty thing that can be done with your phone with a zero day.

        Also, it is possible for a zero day to break specific privileges (like screen record without notification) rather than root.

        Reply View 0 replies
    • simonw 3 months ago

      Burning a zero-day like that for targeted advertising seems extremely unlikely to me.

      Reply View 2 replies
      • [removed] 3 months ago
        [deleted]
        Reply View 0 replies
      • daveguy 3 months ago

        I think you missed the point GP was making. I believe they meant the vector might come from that kind of SDK. Not that someone who had a zero day to allow surreptitiously recording phone screens would use it for that purpose.

        Reply View 0 replies
quicklime 3 months ago

I followed the links to the study they referenced, and it says:

> Unlike the camera and audio APIs, the APIs for taking screenshots and recording video of the screen are not protected by any permission

However they also talk about doing static analysis on 9,100 out of the 17,260 apps, to determine (amongst other things) “whether media APIs are actually referenced in the app’s code”.

They then talk about doing a dynamic analysis to see which apps actually call the APIs (rather than just link to a library that might call it, but the app never calls that function the library).

The soundbite is bad, it shouldn’t say “had potential permissions to take screenshots”, it should just say “had the potential to take screenshots”

Reply View 0 replies
maxlybbert 3 months ago

I doubt there's a specific "ability to send surreptitious screen shots to developer" permission. It must be a combination of permissions: one for making network connections, another for capturing the screen without making it obvious to the user, etc.

Reply View 5 replies
  • fzzzy 3 months ago

    For apps that want to send their own screens to third parties, there's no permission needed or possible. The app is drawing the content to the screen. It knows what the content is.

    Reply View 4 replies
    • jeroenhd 3 months ago

      If you're trying to track user information (notifications, actual timezone/language, battery level, VPN usage, etc) you can use screenshots of the current screen and open keyboard. You can also see stuff from other apps if the user is using split screen modes or has chat bubbles open. Apps can otherwise only access the data they render.

      The research talks about thousands of apps but I do wonder how many of these are apps people use every day and how many are Chinese clones of freemium games and other shitware with a fraction of daily users. All we know from public app store data is the number of "downloads" and even that is distributed as a range. I doubt these 19000 apps were found by doing a survey on what people actually had on their phones.

      Reply View 3 replies
      • fzzzy 2 months ago

        My point is each app being able to send its own data to nine services is just as bad as apps trying to record extraneous data from the device. App surveillance, and OS privacy features are an arms race that cannot be won.

        Reply View 0 replies
      • badc0ffee 3 months ago

        Is that true, that these apps can capture screenshots of the notification area/clock/chat bubbles?

        Reply View 1 reply
        • gruez 3 months ago

          Probably not, but all the information can be obtained via system APIs. There's no shortage of "system info" apps that show all manner of information about your phone (including battery level and network status), and don't require any special permission prompts.

          Reply View 0 replies
ch4s3 3 months ago

When it's a developer tool we call it RUM or real user monitoring. It's super useful for solving bugs, but obviously the potential for abuse or user hostile activity is super high.

Reply View 0 replies
vjvjvjvjghv 3 months ago

As far as permissions go, phones should have a log for when the permissions are actually used and how often.

Reply View 0 replies
simonw 3 months ago

... and is this permission to take screenshots of anything else you are doing on your phone at any time, or is it permission to take screenshots while you have that app open?

Reply View 0 replies