444 – Sensitive Information in Auto-Generated Screenshots
Description
A screenshot of the current activity is taken when an app goes into the background and is displayed for aesthetic purposes when the app returns to the foreground. However, this screenshot may leak sensitive information.
Impact
- Leak sensitive information.
Recommendation
Be sure to configure the FLAG_SECURE option in the WindowManager for Android apps. For iOS apps, show a default background image each time the application goes into the background, overriding the current view.
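As an added Android example (not part of this catalogue entry), the following Kotlin code applies FLAG_SECURE to every activity from a single place, so no screen is missed; the application class name SecureApp is a hypothetical one and must be registered in the manifest with android:name.

```kotlin
import android.app.Activity
import android.app.Application
import android.os.Bundle
import android.view.WindowManager

// Hypothetical Application subclass (assumed name); register it in
// AndroidManifest.xml with android:name=".SecureApp" on <application>.
class SecureApp : Application() {
    override fun onCreate() {
        super.onCreate()
        registerActivityLifecycleCallbacks(object : Application.ActivityLifecycleCallbacks {
            override fun onActivityCreated(activity: Activity, savedInstanceState: Bundle?) {
                // FLAG_SECURE marks the window content as secure: the system
                // keeps it out of screenshots, screen recordings and the
                // recent-apps thumbnail taken when the app goes to the background,
                // which is exactly the leak this finding describes.
                // Setting it here covers every Activity, including ones added later.
                activity.window.setFlags(
                    WindowManager.LayoutParams.FLAG_SECURE,
                    WindowManager.LayoutParams.FLAG_SECURE
                )
            }
            // Remaining callbacks are required by the interface but not needed here.
            override fun onActivityStarted(activity: Activity) {}
            override fun onActivityResumed(activity: Activity) {}
            override fun onActivityPaused(activity: Activity) {}
            override fun onActivityStopped(activity: Activity) {}
            override fun onActivitySaveInstanceState(activity: Activity, outState: Bundle) {}
            override fun onActivityDestroyed(activity: Activity) {}
        })
    }
}
```

Verify the fix by sending the app to the background and opening the task switcher: the thumbnail for a FLAG_SECURE window is shown blank instead of the last screen content.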
Threat
Attacker with access to the unlocked physical device.
Expected Remediation Time
Score 4.0
Default score using CVSS 4.0. It may change depending on the context of the source.
Base 4.0
- Attack vector: P
- Attack complexity: L
- Attack Requirements: N
- Privileges required: L
- User interaction: P
- Confidentiality (VC): H
- Integrity (VI): N
- Availability (VA): N
- Confidentiality (SC): N
- Integrity (SI): N
- Availability (SA): N
Threat 4.0
- Exploit maturity: P