Comment by cnst

1 day ago

> "Additionally, the app prevents devices from taking screenshots."

Why do the "security" apps ALWAYS have to have this anti-feature? It's especially annoying when employed by the banking apps.

Famously, Schwab had some issues where it didn't properly keep track of orders during highest loads (people ending up selling more shares than they had, even in IRA accounts), yet conveniently they prevent users from taking screenshots of their app, so you wouldn't be able to prove that you did cancel or replace the order and did receive the cancel confirmation before it executed anyways. Of course, if it's an IRA account, selling more shares than you own is clearly Schwab's bug, but not being able to keep these things locally is one of the biggest anti-features of modern apps.

It's a choice that Google made to obfuscate their DRM by calling it "FLAG_SECURE", at the cost of usability and security for everyone else. Just check out this delightful doublespeak: https://developer.android.com/security/fraud-prevention/acti...

> When a window is flagged with FLAG_SECURE, Android prevents screenshots from being taken and prevents the window from being displayed on a non-secure display, such as a TV or projector. This helps to protect the information that is being displayed in the window from being accessed by unauthorized people.

What's a "secure display"? Why, none other than our old friend HDCP: https://source.android.com/docs/compatibility/16/android-16-...

So the docs might imply that "the information" is your banking information, and the "unauthorized people" are, I guess, dudes with binoculars outside your window. But actually "the information" is Netflix and the "unauthorized people" are you.

That's why you can project your OTP codes on a 50-foot wall as long as your projector is HDCP-compliant.
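The comment above describes FLAG_SECURE as an all-or-nothing choice applied to a whole app. The Android API actually sets it per window, so an app can scope it to the one screen that shows a secret and leave record-keeping screens (balances, order history, cancel confirmations) unaffected. The following Kotlin snippet is an added example, not code from the thread or from any of the apps discussed; the activity and layout names are hypothetical.

```kotlin
import android.app.Activity
import android.os.Bundle
import android.view.WindowManager

// Added example (not from the thread): apply FLAG_SECURE only to the window
// that displays or collects a secret, instead of to every window in the app.
// FLAG_SECURE blocks screenshots and screen recording of this window and also
// keeps it off non-HDCP external displays; it does nothing against a physical
// camera pointed at the screen.
class CardEntryActivity : Activity() {
    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        // Hypothetical card-number / CVV entry screen: the one place where a
        // background screen-capture app harvesting the display would matter.
        window.addFlags(WindowManager.LayoutParams.FLAG_SECURE)
        setContentView(R.layout.activity_card_entry) // hypothetical layout
    }
}

// Screens that only show the user's own records deliberately leave the flag
// clear, so the user can keep a screenshot as evidence of what they saw.
class OrderHistoryActivity : Activity() {
    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        window.clearFlags(WindowManager.LayoutParams.FLAG_SECURE)
        setContentView(R.layout.activity_order_history) // hypothetical layout
    }
}
```

Because the flag is a window attribute, it can also be toggled at runtime (for example, added while a password field has focus and cleared afterwards), which is the practical middle ground between "no screenshots anywhere" and "no protection at all".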

> Why do the "security" apps ALWAYS have to have this anti-feature?

Every pen test I’ve seen for mobile apps has always had this as an item, even when it’s completely unjustified for the type of app. It’s on their checklist and they will always flag it to show they are doing their job. If you don’t have anybody in the team who is willing and able to say no to a pen tester on a security matter, this kind of thing will happen.

  • Agreed.

    I'm the person who enjoys saying no to this kind of thing. Also, we will not disable copy and paste for password fields, and we will not make our users rotate their passwords every 11 days ("because we align with NIST guidelines which say not to do that").

  • This is exactly how I recognise bad "pentest" firms and tell all my friends and clients the same. If the pentest report contains any mention of [screenshot, obfuscation, root detection, attestation] it's bullshit and you should demand your money back (you won't get it, but still, you should demand it) and tell everyone in your circle to not give another cent to them.

    • I don't know if anything has changed but 10 years ago I was part of an effort to make the base OS of our product FIPS-compliant. FIPS was both prescriptive and outdated. And it turned out that the changes required to make everything FIPS-compliant actually made our product demonstrably less secure.

      But we had to ship it anyway, otherwise a non-negligible portion of our customers could not legally buy our product.

    • Unfortunately the point of a pentest/audit isn't to do one, but merely to check the box saying you did one, and I'm sure bad ones must be cheaper and still allow you to check the box.

  • I simply delete and rate 1* any app that doesn't work, including Schwab.

    Schwab's mobile website is actually decent, and, basically, works better than their app in every way.

    I'm honestly disappointed Android doesn't do something about these broken apps that don't let me keep records of my own stuff.

    It should not be possible for an app to prevent screenshot use 100% of the time.

    There should also be a 180° on the checklists to flag any app that uses disable-screenshot 100% of the time, similar to how we went from requiring people to change passwords every 14 days, to removing the mandatory-password-change policy in its entirety.

At a previous employer of mine, it was common to share dev accounts for certain things. These were not security-sensitive things. They were there purely for dev purposes and these were things like analytics tools and stuff that the software being built had to integrate with, so they were basically development sandboxes.

Many of these tools had MFA enabled and so it was common to share MFA codes on Slack because the MFA code was sent to an email address that only one person had access to.

One lunch and learn a group of developers shared how they solved this problem by having the MFA codes pushed to a device that was effectively an on-prem server / dev box that they installed custom built software on to take a screenshot of the MFA code and broadcast it on the relevant Slack channel.

The main point of the lunch and learn, however, wasn't so much to share the tool that they had built, but to talk about how they got around the Mac OS security protections that are there to prevent this sort of thing.

My first thought was "we've just written malware."

I'm specifically responding to this sentence of yours:

> It's especially annoying when employed by the banking apps.

After my experience with that MFA code sniffer ... I know exactly why banking apps and other privacy/security-centred apps prevent taking screenshots :)

  • I fail to see how your conclusion follows from the premise.

    Banking apps in the US don't even show any PINs for 2FA, so, why exactly is Schwab doing that again?

    BTW, Google Wallet does let you take screenshots of all the views except for just one or two views where you enter card number, billing and card security code. Honestly, even that is an overreach; it's not like I can't use the camera to take a photo of my credit card with CVV in view, so, why should the camera function of any app prevent that again? Google never blocks screenshots of any transactions, last-4 of any card, or any other screens. If they ever did, I'd be far less happy with them, and would go out of my way to find an alternative contactless provider. Wells Fargo used to provide contactless on Android in their app for their own cards, but, probably thanks to Apple, this feature was removed for feature parity with iOS.

    • You're laser focusing on MFA sniffing, specifically. The point is that malware can take screenshots to harvest information. Your banking information has a ton of sensitive information about you that could be used for a variety of different purposes, such as for identity theft. My point was that making it impossible to take screenshots is trying to protect against the possibility that there is malware harvesting anything through screenshots.

    • > why should the camera function of any app prevent that again?

      Because you taking a photo of it with a physical camera is intentional. Another app on the device screen recording that view may not be intentional by the user.


  • Yes, but that can be simply solved by the banking app to re-ask for the PIN instead of directly declining to take the screenshot.

    If it asks me for my PIN again when I'm about to hit "transfer" when sending money, there should be no problem in doing the same for the screenshot.

    Instead, at least my banking app forces me to navigate through an unfamiliar menu and download a PDF. A waste of time compared to taking a screenshot.

    • I replied to someone else with the same response. I'll repeat it here. The point of my reply wasn't to do with MFA codes, specifically, but the fact that MALWARE can take screenshots in order to harvest things, such as MFA codes or anything else. Preventing screenshots is likely, in my opinion, a defence against malware harvesting anything that way. Your online banking can present a lot of sensitive information visually that could be used for things like identity theft etc.

      And yes, there are other ways that malware can harvest information and if your device has been root-kitted you're screwed no matter what. But the fact that there are 100 ways to attack you doesn't mean the banks don't see value in trying to prevent 50 of them.

    • Some do that, and it's super annoying. I take a screenshot, and then silently my login doesn't work, with a weird error returned instead. Get another PIN, type it in, take a screenshot before submit, again get a nondescript error that makes no sense.

      Don't they star the PIN in any case?

      Why exactly is me taking a screenshot of my signup process for my records suddenly a disqualifier for signing up?

      If all these companies never lied to us about the terms of the deals we're signing up for, needing proof of what actually happened, we'd never be taking these screenshots.

      Honestly, this whole "security" theatre ought to be investigated by the consumer protection agencies, and any app that prevents screenshots being taken, or gives these nondescript errors when someone takes one and is subsequently unable to sign in, should be fined for their anti-consumer behaviours.

I've gone off Schwab big time over the past year.

a) I cancelled my "intelligent advisor" accounts (which was a pain to do by itself) and had the money xferred back into regular IRA accounts. After this was complete, I was no longer able to see any trade history for the past 12 years of those Intelligent Advisor accounts, *even though they were ostensibly backed by regular Schwab IRAs*, and my historical "wealth" tracking in Schwab made it look like I'd simply never had the $NNN^n that was in those accounts for that period of time, or in other words as if I'd added $NNN^n to my accounts on the day of the transfer. Definitely some hackery there. I had one Schwab rep who acknowledged this as a (rather severe) problem, but the other 3 I spoke to did not even understand why it was an issue.

b) For an example of their approach to data in general, take a look at their historical chart for the WEED ETF around the time of the reverse split in 2023, and compare it to how WEED themselves chart it, and how Fidelity charts it. Schwab's presentation of the price history isn't justifiable, and essentially omits information. (https://www.schwab.com/research/etfs/quotes/summary/weed, https://www.roundhillinvestments.com/etf/weed/, https://digital.fidelity.com/prgw/digital/research/quote/das...). Their support brushed this off.

That's a very shallow protection. Even if one has no other camera (phone, tablet, a real camera) there are always friends and relatives that can help and take a picture of the screen. Furthermore, a picture of the screen and the phone around it has a more real feel than a screenshot that could be photoshopped.

  • A screenshot develops evidence of something happening or not happening according to the person who took the screenshot.

    If you start claiming that it can be photoshopped, well, what prevents anyone from photoshopping a real camera shot? Or photoshopping a screenshot, and then taking a "real" shot with a camera? With AI, you can now even do this with video, too.

    For practical purposes, your suggestion is simply unrealistic. It's unrealistic to be using a second phone to be taking random confirmations from your main phone, and it's even more unrealistic if you're doing trading where every second counts, and where the whole reason that Schwab cannot execute properly is because orders are placed and cancelled more than once. It's even yet more unrealistic because of focus and angle issues, and reduced precision, and increased file size etc.

    BTW, I have personally encountered this consistency bug at Schwab Brokerage. I wasn't even using Schwab's app, precisely because it doesn't let you take screenshots. In my case, the loss was not major, and not worth pursuing.

    But other people reported that their IRA accounts sold shares short as a result of this consistency issue, which is kind of a problem for everybody when you cannot buy it back if it has 10x'ed since the sale like GME once had, and cannot even add any more money even if you have it, because it's a tax-advantaged account with limits on how much you can add each year.