FLAG_SECURE and Android O Autofill
Android O’s autofill feature offers some interesting potential. However, as with Android 6.0’s Assist API (the power behind Now-on-Tap/Assistant) and accessibility services, we are granting third-party apps the ability to examine the contents of our UI. That may be fine for many apps and many users, but not for all apps and all users. I expect that Google Play ecosystem devices running Android O will ship with an autofill service automatically enabled, just as such devices ship with the Assistant enabled. And so developers of secure apps, or targeting at-risk users, need to think through how to protect some or all of their UI from being snooped on by autofill services, since everybody most likely will have such a service enabled “out of the box”.
FLAG_SECURE is a typical thing to turn to here, despite
FLAG_SECURE does block information from being delivered to the
Assist API… or at least it used to (I have not tested it recently).
FLAG_SECURE has no impact on autofill services, which can read
and modify secure activities with impunity. Officially, this is
working as intended. That link
is to the security issue that I filed; perhaps one day it will be opened up for
you to be able to read it.
So, secure apps need to not only use
FLAG_SECURE but also take other steps
to block autofill services from gaining access to the UI.
At the moment, this
Wrap that around the secure UI elements, and the autofill service will not
have access to them, based on my testing to date. This also blocks
the Assist API’s access to those UI elements, which is
where this technique originated.
Nervous about how the newest version of Android affects your app? Consider subscribing, then asking questions in the office hours chats!