Comment by JimDabell

1 day ago

> Why do the "security" apps ALWAYS have to have this anti-feature?

Every pen test I’ve seen for mobile apps has always had this as an item, even when it’s completely unjustified for the type of app. It’s on their checklist and they will always flag it to show they are doing their job. If you don’t have anybody in the team who is willing and able to say no to a pen tester on a security matter, this kind of thing will happen.

Agreed.

I'm the person who enjoys saying no to this kind of thing. Also, we will not disable copy and paste for password fields, and we will not make our users rotate their passwords every 11 days ("because we align with NIST guidelines which say not to do that").

This is exactly how I recognise bad "pentest" firms and tell all my friends and clients the same. If the pentest report contains any mention of [screenshot, obfuscation, root detection, attestation] it's bullshit and you should demand your money back (you won't get it, but still, you should demand it) and tell everyone in your circle to not give another cent to them.

  • I don't know if anything has changed but 10 years ago I was part of an effort to make the base OS of our product FIPS-compliant. FIPS was both prescriptive and outdated. And it turned out that the changes required to make everything FIPS-compliant actually made our product demonstrably less secure.

    But we had to ship it anyway, otherwise a non-negligible portion of our customers could not legally buy our product.

  • Unfortunately the point of a pentest/audit isn't to do one, but merely to check the box saying you did one, and I'm sure bad ones must be cheaper and still allow you to check the box.

I simply delete and rate 1* any app that doesn't work, including Schwab.

Schwab's mobile website is actually decent, and, basically, works better than their app in every way.

I'm honestly disappointed Android doesn't do something about these broken apps that don't let me keep records of my own stuff.

It should not be possible for an app to prevent screenshot use 100% of the time.

There should also be a 180° on the checklists to flag any app that uses disable-screenshot 100% of the time, similar to how we went from requiring people to change passwords every 14 days, to removing the mandatory-password-change policy in its entirety.