Authenticator app just needs to implement FLAG_SECURE, no?
Seems more like an app dev issue
Comment on Hackers can steal 2FA codes and private messages from Android phones
thingsiplay@beehaw.org 1 day ago
Pixnapping attacks begin with the malicious app invoking Android programming interfaces that cause the authenticator or other targeted apps to send sensitive information to the device screen. The malicious app then runs graphical operations on individual pixels of interest to the attacker. Pixnapping then exploits a side channel that allows the malicious app to map the pixels at those coordinates to letters, numbers, or shapes.
It works like screenshotting the 2FA tool. It’s an Android issue.
Little bit off-topic: Linux PC
BTW this is a reminder why we need a secure Wayland solution on our desktop Linux PC. Because this sort of stealing under X11 is possible too.
Midnitte@beehaw.org 1 day ago
jherazob@beehaw.org 1 day ago
Looks like this works regardless of that
Midnitte@beehaw.org 1 day ago
Looks like you might be right - though I imagine disabling the ability to draw over apps with that security flag in place would do a lot to mitigate… but… im also not a security researcher
majster@lemmy.zip 1 day ago
I think lesson is different. Even with isolation, apps can escape it with side channels.