Comment by JimDabell
18 hours ago
> Why do the "security" apps ALWAYS have to have this anti-feature?
Every pen test I’ve seen for mobile apps has always had this as an item, even when it’s completely unjustified for the type of app. It’s on their checklist and they will always flag it to show they are doing their job. If you don’t have anybody in the team who is willing and able to say no to a pen tester on a security matter, this kind of thing will happen.
Agreed.
I'm the person who enjoys saying no to this kind of thing. Also, we will not disable copy and paste for password fields, and we will not make our users rotate their passwords every 11 days ("because we align with NIST guidelines which say not to do that").
This is exactly how I recognise bad "pentest" firms and tell all my friends and clients the same. If the pentest report contains any mention of [screenshot, obfuscation, root detection, attestation] it's bullshit and you should demand your money back (you won't get it, but still, you should demand it) and tell everyone in your circle not to give another cent to them.
Unfortunately the point of a pentest/audit isn't to do one, but merely to check the box saying you did one, and I'm sure bad ones must be cheaper and still allow you to check the box.
I simply delete and rate 1* any app that doesn't work, including Schwab.
Schwab's mobile website is actually decent, and, basically, works better than their app in every way.
I'm honestly disappointed Android doesn't do something about these broken apps that don't let me keep records of my own stuff.
It should not be possible for an app to prevent screenshot use 100% of the time.
There should also be a 180° on the checklists to flag any app that uses disable-screenshot 100% of the time, similar to how we went from requiring people to change passwords every 14 days, to removing the mandatory-password-change policy in its entirety.