Skip to content

Add a toggle to allow screenshots through FLAG SECURE#313

Open
BasedJellyfish11 wants to merge 699 commits into
GrapheneOS:17from
BasedJellyfish11:16-qpr2
Open

Add a toggle to allow screenshots through FLAG SECURE#313
BasedJellyfish11 wants to merge 699 commits into
GrapheneOS:17from
BasedJellyfish11:16-qpr2

Conversation

@BasedJellyfish11

@BasedJellyfish11 BasedJellyfish11 commented Feb 20, 2026

Copy link
Copy Markdown

issue: GrapheneOS/os-issue-tracker#664

Adds a setting to developer options to disable flag secure globally. Actual setting is implemented in GrapheneOS/platform_packages_apps_Settings#411

image image

@thestinger

Copy link
Copy Markdown
Member

We only want to override disabling screenshots instead of the other parts of it.

@BasedJellyfish11

Copy link
Copy Markdown
Author

AFAIK flag secure is only used for screenshots (and casting, which seems like the same use case)

https://developer.android.com/security/fraud-prevention/activities

FLAG_SECURE

FLAG_SECURE is a Window flag that tells Android not to allow screenshots or to display the window view on a non-secure display (such as Casting the screen). This is useful for applications that need to protect sensitive information, like banking apps or password managers. When a window is flagged with FLAG_SECURE, Android prevents screenshots from being taken and prevents the window from being displayed on a non-secure display, such as a TV or projector. This helps to protect the information that is being displayed in the window from being accessed by unauthorized people.

Is the ask to decouple the setting from the casting functionality? Or just a double check

@thestinger

Copy link
Copy Markdown
Member

It does change other things including it not generating thumbnails for recent apps.

@BasedJellyfish11

Copy link
Copy Markdown
Author

Sounds good, let me look into what needs to change

@BasedJellyfish11

Copy link
Copy Markdown
Author

Should be good now

2026-02-20 19-08-59

@BasedJellyfish11 BasedJellyfish11 changed the title Add a toggle to disable FLAG SECURE Add a toggle to allow screenshots through FLAG SECURE Feb 21, 2026
@BasedJellyfish11

Copy link
Copy Markdown
Author

@thestinger do you have any other feedback I should incorporate into the PR?

muhomorr and others added 18 commits March 3, 2026 12:16
Squashed with 0a99fc2 by quh4gko8 <88831734+quh4gko8@users.noreply.github.com>
Package permission state is updated automatically for all packages after events that might impact
it, e.g. after package install or uninstall, after storage volume mount, after OS update etc.

On GrapheneOS, per-package permission policy can be changed via GosPackageState packageFlags.
This new method is needed for updating the cached permission state manually after packageFlags
change.
Squashed with 8320ef5 by
Andrew Gunnerson <accounts+github@chiller3.com>
Notification is not shown if OTHER_SENSORS was explicitly denied by the user.
Apps sometimes misbehave when INTERNET permission is revoked and a job that they scheduled with
a connectivity constraint is executed.
Change-Id: I0b65cac3c3d2fc495b339c34add742bd698b107c
Requires the corresponding changes to system/core and system/sepolicy.
…SELECTED

Treat it same way other storage perms are treated for now.
muhomorr and others added 24 commits March 3, 2026 12:18
If the device is protected with a password and a broken third-party keyboard is used then the device
becomes non-unlockable.
The device might become non-unlockable if it's protected with a password and a broken third-party
keyboard is used. The system keyboard is unconditionally used in safe mode.

There's already an option to reboot to safe mode by pressing and holding the "Restart" button, but
its discoverability is low.
Network location provider is disabled by default on GrapheneOS and is not as accurate as the
GmsCore network location implementation.

Upstream 16 QPR1 change: e149021
Some apps perform a weak security check by looking at the main thread stack trace.
AOSP uses the legacy keyguard slice infrastructure for showing the following info on the lockscreen
and in always-on-display mode:

- current date
- next alarm
- Do Not Disturb status
- current media info (title and artist)

The proprietary SystemUIGoogle on stock Pixel OS uses the modern smartspace infrastructure for
 displaying this info.

The legacy keyguard slice infrastructure isn't being properly maintained upstream. It has numerous
layout and animation issues.

This change adds a smartspace implementation to avoid these issues by reusing the same
infrastructure that is used by SystemUIGoogle.

Original PR: GrapheneOS#317

Co-authored-by: Dmitry Muhomor <muhomor.dmitry@gmail.com>
CVE-Info: CVE-2026-0014 | Severity: High

They should not be considered "system" app for the purposes of
attribution tag vaildation

Bug: 443742082
Test: atest AppOpsMemoryUsageTest
Flag: EXEMPT CVE_FIX
Change-Id: I0c4ac8eaa8966027ad01375dde58b05febec3ffb
(cherry picked from commit 1bc6b14)
CVE-Info: CVE-2026-0015 | Severity: High

Only trusted proxies should be allowed to specify tags. Also prevents
startOperationDryRun from editing the know attribution tags, as the dry
run should change no state.

Bug: 445917646
Test: atest AttributionTest
Flag: EXEMPT CVE_FIX
Change-Id: I14ab1389384fd28009edd9cceceaacdb97fb96e5
(cherry picked from commit 110db0a)
CVE-Info: CVE-2026-0020 | Severity: High

Bug: 453649815
Test: atest AppSecurityTests
Flag: EXEMPT CVE_FIX
Change-Id: I673ad83d05c9825177967e4f0a960e8841610b71
(cherry picked from commit 595cf99)
CVE-Info: CVE-2026-0017 | Severity: High

If the new setting key is not set, we should use the value of the old
ones as the default value.

Bug: 444673089
Test: atest BiometricServiceTest
Flag: EXEMPT BUGFIX
Change-Id: I902c7fd9781037ba05b30821b4fa22aa1509f3fd
(cherry picked from commit a3799e4)
CVE-Info: CVE-2025-48644 | Severity: High

An IME's metadata can reference arbitrarily large strings (e.g.,
@string/large_text), which can lead to OOM or large Binder transactions
during parsing. The previous check only validated the raw XML file
size, failing to account for the size of these resolved string
references.

This patch hardens the InputMethodInfo constructor by enforcing a 200KB
cumulative limit on all resolved metadata attributes. A new
MetadataReadBytesTracker now sums the actual size of all read
attributes, including the full length of any strings, and parsing is
aborted if this 200KB limit is exceeded.

Bug: 449416164
Bug: 449181366
Bug: 449393786
Bug: 449227003
Test: CtsInputMethodTestCases:{InputMethodRegistrationTest,InputMethodInfoTest}
Test: InputMethodCoreTests:{InputMethodSubtypeArrayTest,InputMethodInfoTest}
Flag: EXEMPT BUGFIX
Change-Id: I43f7be8eb80abeb39863a3b01d3a606beb90120c
(cherry picked from commit 7afc13f)
CVE-Info: CVE-2025-48644 | Severity: High

IMM#getEnabledInputMethodSubtypeList() can return a large list of
subtypes, which may cause a TransactionTooLargeException.

This patch introduces InputMethodSubtypeSafeList to wrap the list as a
byte array, avoiding the exception. This mirrors the existing
InputMethodInfoSafeList pattern introduced in [1].

Additionally, this change extracts the common marshalling logic from
InputMethodInfoSafeList into a new AbstractSafeList and refactors both
SafeList classes to extend it.

[1] I0a7667070fcdf17d34b248a5988c38064588718a

DISABLE_TOPIC_PROTECTOR

Bug: 449416164
Bug: 449181366
Bug: 449393786
Bug: 449227003
Test: CtsInputMethodTestCases:{InputMethodRegistrationTest,InputMethodInfoTest}
Test: InputMethodCoreTests
Flag: EXEMPT BUGFIX
Change-Id: Ied64a9f018fd3e79cfc51ccd82d361b43e5f29dc
(cherry picked from commit 1d68a10)
CVE-Info: CVE-2025-48645 | Severity: High

loadDescription was potentially vulnerable to an attack which causes a
DoS exploit by injecting a maliciously large string into the Receiver's
label.

Bug: 443062265
Test: manual
Flag: EXEMPT BUGFIX
Cherrypick-From: https://googleplex-android-review.googlesource.com/q/commit:06a5b2327caa3aa8843496458e98b9bb070df6e5
Merged-In: Icab26c4b77e73f0fcb9a560e3211482ebe2f37bf
Change-Id: Icab26c4b77e73f0fcb9a560e3211482ebe2f37bf
CVE-Info: CVE-2025-48646 | Severity: High

Bug: 457742426
Test: atest ActivityStarterTests
Test: Verified via test app
Flag: EXEMPT CVE_FIX
Cherrypick-From: https://googleplex-android-review.googlesource.com/q/commit:3bb240273822e41f3c6911c60d15983a600308f7
Merged-In: Ic9637c56803b00acc9fca59f8092ed02dd46a4fb
Change-Id: Ic9637c56803b00acc9fca59f8092ed02dd46a4fb
CVE-Info: CVE-2026-0023 | Severity: High

If the flag is not explicitly unset, an app could set this flag, leading
to unexpected behaviour if the install is not actually from a managed
user or profile.

Bug: 459461121
Test: atest PackageManagerShellCommandInstallTest#testSessionCreationWithManagedUserOrProfileFlag_notFromManagedProfile
Flag: EXEMPT BUGFIX
Change-Id: I21bbbf628e97244d469eb23ce0558dbf560b7618
Merged-In: I21bbbf628e97244d469eb23ce0558dbf560b7618
CVE-Info: CVE-2026-0025 | Severity: High

Now with fewer class cast exceptions

Test: ConversationNotification
Test: NotificationManagerServiceTest
Bug: 433746973
Flag: EXEMPT BUGFIX
Change-Id: I3022e010de95f14dcd0d09d123684ee265101e0a
(cherry picked from commit 71d4afa)
CVE-Info: CVE-2025-48654 | Severity: High

Test: manually
Bug: 442392902
Flag: EXEMPT bugfix
Change-Id: I94b96d98608d6702e1d3a9581e135280149bf7e1
…r.notification

CVE-Info: CVE-2026-0034 | Severity: High

Bug: 428701593
Bug: 457836121
Test: All TreeHugger presubmit checks passed.
Flag: EXEMPT FLAG_REMOVAL
OFF_PEAK_PRESUBMIT: true
Cherrypick-From: https://googleplex-android-review.googlesource.com/q/commit:8a8be53d3516586e7e7273f85cece7db9e6bfec1
Merged-In: I13a67db9ccce195b7e7130e20bd2c387996a95c3
Change-Id: I13a67db9ccce195b7e7130e20bd2c387996a95c3
CVE-Info: CVE-2026-0011 | Severity: High

When a system app is re-enabled after the update is uninstalled, when
the system app has shared uid, the current code doesn't support
directly reusing the disabled package setting. Instead, the preloaded
version is re-scanned and installed as a new app, which can bring
breaking behavior of changed UIDs when the manifest has
sharedUserMaxSdkVersion.

This change fixes the bug where registerExistingAppId fails when it
comes to shared uid, therefore directly reuses the disabled package
setting, consistent with the behavior for non-shared-uid system apps.

FLAG: EXEMPT BUGFIX
Test: manually with system-app-test.sh
BUG: 454062218

Change-Id: I9187ee77bac2a00d679a1a3cc7de2df564f38684
Merged-In: I9187ee77bac2a00d679a1a3cc7de2df564f38684

(cherry picked from commit 6b5ea2f)

Change-Id: I417cec27697a210416027e862a5e5d207d268b82
CVE-Info: CVE-2026-0047 | Severity: Critical

The previous implementation did not check for permission and
debuggability for `am dumpbitmaps`, which allows a malicious
app to access bitmaps in memory of other processes.

Detailed vulnerability and how a malicious app could make use
of it are documented in b/465136263.

This CL enforces both permission check (with the same permission
as `am dumpheap`) and debuggability.

Bug: 465136263
Bug: 475543853
Flag: EXEMPT BUGFIX
Cherrypick-From: https://googleplex-android-review.googlesource.com/q/commit:93b72e5a84815c09d5eac89fe8f974a44002c629
Merged-In: I10836ce46969f50d837f7f8bf6336f977e830f05
Change-Id: I10836ce46969f50d837f7f8bf6336f977e830f05
See: b/465136263#comment27
@BasedJellyfish11

Copy link
Copy Markdown
Author

Rebased this one too after the heads up in the settings one

@mio-19

mio-19 commented Jul 12, 2026

Copy link
Copy Markdown

please change the target branch to 17

@thestinger
thestinger changed the base branch from 16-qpr2 to 17 July 12, 2026 21:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.