Android OS FLAG_SECURE Information Disclosure

Published: 25 May 2018. Reported by Yakov Shafranovich. Type: packetstorm. Source: packetstormsecurity.com

Android OS did not use FLAG_SECURE for sensitive settings screens, leading to potential information disclosure to other applications with screen capture permissions. Fixed in the 2018-02-01 Pixel security update.

[Blog post here:  
https://wwws.nightwatchcybersecurity.com/2018/05/24/android-os-didnt-use-flag_secure-for-sensitive-settings-cve-2017-13243/]  
  
SUMMARY  
  
Android OS did not use the FLAG_SECURE flag for sensitive settings,  
potentially exposing sensitive data to other applications on the same  
device with the screen capture permissions. The vendor (Google) fixed  
this issue in 2018-02-01 Pixel security update. Google has assigned  
CVE-2017-13243 to track this issue.  
  
DETAILS  
  
Android OS is a mobile operating system for phones and tablets  
developed by Google. The OS has multiple screens where sensitive  
information may be shown, such as the device lock screen, passwords in  
the WiFi settings, pairing codes for Bluetooth, etc.  
  
FLAG_SECURE is a special flag available to Android developers that  
prevents a particular screen within an application from being seen by  
other applications with screen capture permissions, from having screenshots  
taken by the user, and from having the screen captured in the Recent Apps  
portion of Android OS. We published an extensive post last year  
discussing what this feature is and what it does:  
https://wwws.nightwatchcybersecurity.com/2016/04/13/research-securing-android-applications-from-screen-capture/  
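The following is an added example, not code from the advisory or from Android itself, showing the developer-side mitigation the paragraph above describes: an Activity that displays a secret (a password field, a pairing code) sets FLAG_SECURE on its window before drawing, and a Dialog that shows a code gets the flag on its own window, since a Dialog's window is separate from the Activity's. The package, class, layout resource and `showPairingCodeDialog` method are hypothetical; `WindowManager.LayoutParams.FLAG_SECURE` and the `Window` methods used are the real Android framework API.

```java
// Added example (hypothetical app code, not from the advisory or from AOSP).
package com.example.secureui;

import android.app.Activity;
import android.app.Dialog;
import android.os.Bundle;
import android.view.Window;
import android.view.WindowManager;
import android.widget.TextView;

public class CredentialEntryActivity extends Activity {

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // Apply the flag before setContentView(): it only affects frames drawn
        // after it is set, so setting it later leaves the first frame capturable.
        applySecureFlag(getWindow());
        setContentView(R.layout.activity_credential_entry); // hypothetical layout
    }

    /** Marks the window as secure: excluded from screenshots, screen recording
     *  by other apps, and the Recents thumbnail. */
    static void applySecureFlag(Window window) {
        window.setFlags(WindowManager.LayoutParams.FLAG_SECURE,
                        WindowManager.LayoutParams.FLAG_SECURE);
    }

    /** Returns true if FLAG_SECURE is set on the window; useful as a debug-build
     *  assertion for every screen that is expected to be capture-protected. */
    static boolean isSecure(Window window) {
        int flags = window.getAttributes().flags;
        return (flags & WindowManager.LayoutParams.FLAG_SECURE) != 0;
    }

    /** A Dialog has its own Window, so the Activity's flag does not cover it.
     *  A pairing-code prompt shown in a Dialog needs the flag applied separately. */
    Dialog showPairingCodeDialog(String pairingCode) {
        Dialog dialog = new Dialog(this);
        applySecureFlag(dialog.getWindow());
        TextView codeView = new TextView(this);
        codeView.setText(pairingCode);
        dialog.setContentView(codeView);
        dialog.show();
        return dialog;
    }
}
```

A quick way to verify the flag took effect on a test device is `adb shell screencap -p /sdcard/check.png` while the screen is showing: a window with FLAG_SECURE set renders as a black area in the captured image, which is the same behaviour the advisory's reproduction steps rely on in the negative (the screenshot succeeds and shows the content when the flag is missing).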
  
During our testing of various Google mobile applications, we found  
that the lock screen, the password entry screen for WiFi, and the screen  
for entering pairing codes for Bluetooth devices did not use  
FLAG_SECURE to prevent other applications from capturing that  
information. By contrast, other Google applications like Android Pay  
and Google Wallet use this flag to prevent capture of sensitive  
information. Exploiting this bug requires user cooperation in  
installing a malicious app and activating the actual screen capture  
process, thus the likelihood of exploitation is low.  
  
To reproduce:  
1. Lock the device, OR go to WiFi settings and try to add a network,  
or try to pair a Bluetooth device.  
2. Press Power and volume down to capture screenshot.  
3. Confirm that a screenshot can be taken.  
  
All testing was done on Android 7.1.2, security patch level of May  
5th, 2017, on Nexus 6P. Vulnerable versions of Android include: 5.1.1,  
6.0, 6.0.1, 7.0, 7.1.1, 7.1.2 and 8.0.  
  
VENDOR RESPONSE  
  
This issue was responsibly reported to the vendor and was fixed in the  
2018-02-01 Pixel bulletin. The vendor assigned CVE-2017-13243 to track  
this issue.  
  
BOUNTY INFORMATION  
  
This issue satisfied the requirements of the Android Security Rewards  
program and a bounty was paid.  
  
REFERENCES  
  
Android ID # A-38258991  
CVE ID: CVE-2017-13243  
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13243  
CVSS scores: 7.5 (CVSS v3.0) / 5.0 (CVSS v2.0)  
Google Bug # 38254822  
Google Pixel Bulletin: 2018-02-01  
https://source.android.com/security/bulletin/pixel/2018-02-01  
  
CREDITS  
  
Advisory written by Yakov Shafranovich.  
  
TIMELINE  
  
2017-05-12: Initial report to the vendor  
2017-06-15: Follow-up information sent to the vendor  
2017-06-19: Follow-up communication with the vendor  
2018-01-02: Vendor communicates plan to patch this issue  
2018-01-29: Bounty reward issued  
2018-02-01: Vendor publishes a patch for this issue  
2018-05-24: Public disclosure / advisory published  
