[Security Improvement] Symantec PGP Viewer for Android: Weak overlay security

Description

Symantec PGP Viewer does not set the FLAG_SECURE flag in its application. This allows any malicious application to capture screenshots and record the screen. When a user opens an encrypted email in Symantec PGP Viewer, a malicious user could potentially capture the screen and obtain the decrypted contents of the email.

CVSS

NA

Researcher

Tanoy Bose (xen1thlabs)

POC

Certain applications from the Google Play Store use "draw-on-top" access to capture the UI. This access permission is available to applications like Skype. Such an application can now also use the MediaProjection API to record the screen, which lets it record the entire screen.
To protect against this, the application needs to set the FLAG_SECURE flag.
For our POC, we tested this using a screen recorder application called AZ Free Recorder.

Vulnerability?

I do not classify this as a critical security vulnerability. However, this is definitely a good security improvement that can be utilized to prevent attacks like Cloak and Dagger. If the intended use of this application is for secure/confidential communication, I would not consider this to be a secure practice.

Disclosure Timeline

In our past experience with Symantec, they stated that endpoint-based security vulnerabilities/improvements are not a concern for SymantecPGPViewer. They intend to fix only security issues that compromise PGP integrity over the network, and hence won't fix such issues.
