preventRecentScreenshots

Author: Matthieu Gicquel

README.md

@@ -4,7 +4,7 @@
 
 - [SSL public key pinning](#ssl-pinning)
 - [Certificate transparency](#certificate-transparency)
-- [🚧 "Recent screenshots" prevention](#recent-screenshots-prevention)
+- [Prevent "recent screenshots"](#prevent-recent-screenshots)
 
 > **⚠️ Disclaimer**<br/>
 > This package is intended to help implement a few basic security features but does not in itself guarantee that an app is secure.<br/>
@@ -32,6 +32,10 @@ Add the config plugin to `app.config.ts` / `app.config.js` / `app.json`:
             "TQEtdMbmwFgYUifM4LDF+xgEtd0z69mPGmkp014d6ZY=",
             "rFjc3wG7lTZe43zeYTvPq8k4xdDEutCmIhI5dn4oCeE="
           ]
+        },
+        "preventRecentScreenshots": {
+          "ios": { "enabled": true },
+          "android": { "enabled": true }
         }
       }
     ]
@@ -93,9 +97,29 @@ To test that SSL pinning is working as expected, you can:
 
 None, enabled by default.
 
-## "Recent screenshots" prevention
+## Prevent "recent screenshots"
 
-TODO
+> **🥷 What's the threat?** When the OS terminates the app, it may take a screenshot and store it on the device to display in the app switcher. This screenshot could leak sensitive data
+
+Mitigating this threat is achieved by:
+
+- Using [`FLAG_SECURE`](https://developer.android.com/reference/android/view/WindowManager.LayoutParams#FLAG_SECURE) on Android < 13
+- Using [`Activity.setRecentScreenshotsEnabled`](<https://developer.android.com/reference/android/app/Activity#setRecentsScreenshotEnabled(boolean)>) on Android >= 13
+- Covering the app with the splashscreen on iOS (requires [expo-splash-screen](https://docs.expo.dev/versions/latest/sdk/splash-screen/) to be setup)
+
+### Configuration
+
+```jsonc
+[
+  "@bam.tech/react-native-app-security",
+  {
+    "preventRecentScreenshots": {
+      "ios": { "enabled": true },
+      "android": { "enabled": true }
+    }
+  }
+]
+```
 
 # Contributing
 

android/build.gradle

@@ -71,6 +71,7 @@ android {
 
     // package-specific config fields
     buildConfigField("String", "RNAS_PINNING_CONFIG", "\"${safeExtGet("RNAS_PINNING_CONFIG", "{}")}\"")
+    buildConfigField("boolean", "RNAS_PREVENT_RECENT_SCREENSHOTS", safeExtGet("RNAS_PREVENT_RECENT_SCREENSHOTS", "false"))
   }
   lintOptions {
     abortOnError false

android/src/main/java/tech/bam/rnas/AndroidReactActivityLifecycleListener.kt

@@ -1,14 +1,36 @@
 package tech.bam.rnas
 
 import android.app.Activity
+import android.os.Build
+import android.view.WindowManager
 import android.os.Bundle
 import expo.modules.core.interfaces.ReactActivityLifecycleListener
 
 import com.facebook.react.modules.network.OkHttpClientProvider;
 
 class AndroidReactActivityLifecycleListener : ReactActivityLifecycleListener {
+  override fun onResume(activity: Activity) {
+    super.onResume(activity)
+
+    if(BuildConfig.RNAS_PREVENT_RECENT_SCREENSHOTS && Build.VERSION.SDK_INT < 33) {
+      activity.window.clearFlags(WindowManager.LayoutParams.FLAG_SECURE);
+    }
+  }
+
+  override fun onPause(activity: Activity) {
+    super.onPause(activity)
+
+    if(BuildConfig.RNAS_PREVENT_RECENT_SCREENSHOTS && Build.VERSION.SDK_INT < 33) {
+      activity.window.setFlags(WindowManager.LayoutParams.FLAG_SECURE, WindowManager.LayoutParams.FLAG_SECURE);
+    }
+  }
+
   override fun onCreate(activity: Activity, savedInstanceState: Bundle?) {
     super.onCreate(activity, savedInstanceState)
     OkHttpClientProvider.setOkHttpClientFactory(SSLPinning())
+
+    if(BuildConfig.RNAS_PREVENT_RECENT_SCREENSHOTS && Build.VERSION.SDK_INT >= 33) {
+      activity.setRecentsScreenshotEnabled(false)
+    }
   }
 }

example/app.json

@@ -38,6 +38,9 @@
               "We74o5ME3USRtL6+B2UhXnwY9FR91QPJMYDtUNk6tEc=",
               "zCTnfLwLKbS9S2sbp+uFz4KZOocFvXxkV06Ce9O5M2w="
             ]
+          },
+          "preventRecentScreenshots": {
+            "enabled": true
           }
         }
       ]

expo-module.config.json

@@ -1,7 +1,8 @@
 {
   "platforms": ["ios", "android"],
   "ios": {
-    "modules": ["RNASModule"]
+    "modules": ["RNASModule"],
+    "appDelegateSubscribers": ["RNASAppLifecycleDelegate"]
   },
   "android": {
     "modules": ["tech.bam.rnas.RNASModule"]

ios/RNASAppLifecyleDelegate.swift

@@ -0,0 +1,22 @@
+import ExpoModulesCore
+import UIKit
+
+public class RNASAppLifecycleDelegate: ExpoAppDelegateSubscriber {
+    public func applicationDidFinishLaunching(_ application: UIApplication) {
+        application.ignoreSnapshotOnNextApplicationLaunch()
+    }
+    
+    public func applicationWillResignActive(_ application: UIApplication) {
+        // https://developer.apple.com/documentation/uikit/app_and_environment/scenes/preparing_your_ui_to_run_in_the_background
+        
+        // TODO: better error handling in case there's an issue with the splashscreen (instead of !)
+        let launchScreen = UIStoryboard(name: "SplashScreen", bundle: nil).instantiateInitialViewController()!
+        launchScreen.modalPresentationStyle = .overFullScreen
+        
+        UIApplication.shared.windows.first?.rootViewController?.present(launchScreen, animated: false)
+    }
+        
+    public func applicationDidBecomeActive(_ application: UIApplication) {
+        UIApplication.shared.windows.first?.rootViewController?.dismiss(animated: false)
+    }
+}

plugin/src/index.ts

@@ -1,16 +1,16 @@
 import { ConfigPlugin } from "@expo/config-plugins";
 import withSSLPinning from "./withSSLPinning";
+import withpreventRecentScreenshots from "./withPreventRecentScreenshots";
+import { RNASConfig } from "./types";
 
-type Props = {
-  sslPinning?: {
-    [hostName: string]: string[];
-  };
-};
-
-const withRNAS: ConfigPlugin<Props> = (config, props) => {
+const withRNAS: ConfigPlugin<RNASConfig> = (config, props) => {
   config = withSSLPinning(config, props.sslPinning);
 
+  config = withpreventRecentScreenshots(config, props.preventRecentScreenshots);
+
   return config;
 };
 
 export default withRNAS;
+
+export type { RNASConfig };

plugin/src/types.ts

@@ -0,0 +1,9 @@
+export type RNASConfig = {
+  sslPinning?: {
+    [hostName: string]: string[];
+  };
+  preventRecentScreenshots?: {
+    ios?: { enabled: boolean };
+    android?: { enabled: boolean };
+  };
+};

plugin/src/withPreventRecentScreenshots.ts

@@ -0,0 +1,56 @@
+import {
+  ConfigPlugin,
+  withInfoPlist,
+  withGradleProperties,
+} from "@expo/config-plugins";
+import { RNASConfig } from "./types";
+
+type Props = RNASConfig["preventRecentScreenshots"];
+
+const withpreventRecentScreenshots: ConfigPlugin<Props> = (config, props) => {
+  config = withInfoPlist(config, (config) => {
+    const infoPlist = config.modResults;
+
+    const isEnabled = props?.ios?.enabled ?? false;
+
+    if (!isEnabled) {
+      delete infoPlist.RNAS_PREVENT_RECENT_SCREENSHOTS;
+      return config;
+    }
+
+    infoPlist.RNAS_PREVENT_RECENT_SCREENSHOTS = true;
+
+    return config;
+  });
+
+  config = withGradleProperties(config, (config) => {
+    const gradleProperties = config.modResults;
+
+    const isEnabled = props?.android?.enabled ?? false;
+
+    const existingIndex = gradleProperties.findIndex(
+      (prop) =>
+        prop.type === "property" &&
+        prop.key === "RNAS_PREVENT_RECENT_SCREENSHOTS"
+    );
+    if (existingIndex !== -1) {
+      gradleProperties.splice(existingIndex, 1);
+    }
+
+    if (!isEnabled) {
+      return config;
+    }
+
+    gradleProperties.push({
+      type: "property",
+      key: "RNAS_PREVENT_RECENT_SCREENSHOTS",
+      value: "true",
+    });
+
+    return config;
+  });
+
+  return config;
+};
+
+export default withpreventRecentScreenshots;

plugin/src/withSSLPinning.ts

@@ -3,8 +3,9 @@ import {
   withInfoPlist,
   withGradleProperties,
 } from "@expo/config-plugins";
+import { RNASConfig } from "./types";
 
-type Props = { [hostName: string]: string[] } | undefined;
+type Props = RNASConfig["sslPinning"];
 
 const withSSLPinning: ConfigPlugin<Props> = (config, props) => {
   config = withInfoPlist(config, (config) => {