Wickr offers a suite of applications which provide secure instant messaging, voice and audio calls. The Android version of Wickr Me Messenger allowed screenshots to be taken by other apps on the device because the FLAG_SECURE option wasn’t used.
To replicate, try the following:
- Open the application.
- Press Power + Volume Down on any sensitive screen and observe a screenshot being taken.
The underlying reason is that the app does not use “FLAG_SECURE” for such screens (more information on FLAG_SECURE can be found in our earlier blog post). By contrast, many Android apps with higher security requirements use it.
Vendor Response and Mitigation
This issue was reported in May 2016 against version 220.127.116.11, and was fixed in September 2018 in version 4.55.1. A bounty has been paid.