FLAG_SECURE and Android O Autofill

Android O’s autofill feature offers some interesting potential. However, as with Android 6.0’s Assist API (the power behind Now-on-Tap/Assistant) and accessibility services, we are granting third-party apps the ability to examine the contents of our UI. That may be fine for many apps and many users, but not for all apps and all users. I expect that Google Play ecosystem devices running Android O will ship with an autofill service automatically enabled, just as such devices ship with the Assistant enabled. And so developers of secure apps, or targeting at-risk users, need to think through how to protect some or all of their UI from being snooped on by autofill services, since everybody most likely will have such a service enabled “out of the box”.

FLAG_SECURE is a typical thing to turn to here, despite its limitations. After all, FLAG_SECURE does block information from being delivered to the Assist API… or at least it used to (I have not tested it recently).

However, FLAG_SECURE has no impact on autofill services, which can read and modify secure activities with impunity. Officially, this is working as intended. That link is to the security issue that I filed; perhaps one day it will be opened up for you to be able to read it.

So, secure apps need to not only use FLAG_SECURE but also take other steps to block autofill services from gaining access to the UI.

At the moment, this NoAssistFrameLayout works. Wrap that around the secure UI elements, and the autofill service will not have access to them, based on my testing to date. This also blocks the Assist API’s access to those UI elements, which is where this technique originated.

Nervous about how the newest version of Android affects your app? Consider subscribing, then asking questions in the office hours chats!

— Apr 25, 2017