Release v1.8.87 — FLAG_SECURE on encrypted-dictionary passphrase dialog

DictionaryPassphraseDialog hosts both encrypted-export (with
confirmation) and encrypted-import passphrase entry for the personal
dictionary. While composed, the dialog now:

- Sets WindowManager.FLAG_SECURE on the host activity window via a
  DisposableEffect keyed on the host view; clears the flag on dispose.
  Without this, screen recordings / external-display mirroring / the
  system screenshot gesture captured the typed passphrase even with
  PasswordVisualTransformation in place (the password transformation
  only masks the rendered glyph, not the surface layer).
- Stores `passphrase` / `passphraseConfirmation` in plain `remember`
  instead of `rememberSaveable`. The latter round-trips through
  Android's savedInstanceState bundle, which is recoverable via
  am dumpstate / crash reports and is the wrong storage class for a
  passphrase.

Follow-up #2 from the v1.8.85 audit.

Author: SysAdminDoc

RELEASE_NOTES_v1.8.87.md

@@ -0,0 +1,67 @@
+# Release v1.8.87 — FLAG_SECURE on the encrypted-dictionary passphrase dialog
+
+Date: 2026-05-17
+
+Follow-up #2 from the v1.8.85 audit pass.
+
+## What changed
+
+[app/src/main/kotlin/dev/patrickgold/florisboard/app/settings/dictionary/UserDictionaryScreen.kt](app/src/main/kotlin/dev/patrickgold/florisboard/app/settings/dictionary/UserDictionaryScreen.kt#L742-L780)
+— the `DictionaryPassphraseDialog` is the input surface for both
+encrypted-export and encrypted-import of the personal dictionary (the
+ROADMAP §6 N7.4 encrypted-blob round-trip that shipped in v1.8.54 /
+v1.8.65). Two defects:
+
+1. **No `FLAG_SECURE` on the host window.** The host
+   `FlorisAppActivity` does not set `FLAG_SECURE` for its window globally
+   (and shouldn't — the rest of Settings is screen-recordable for support /
+   bug-report screenshots). While the passphrase dialog was up, screen
+   recordings, external-display mirroring, and the system screenshot
+   gesture could all capture the typed passphrase. The
+   `PasswordVisualTransformation` only masks the rendered glyph; the
+   passphrase characters are still in the surface layer.
+2. **Passphrase stored via `rememberSaveable`.** `rememberSaveable` round-
+   trips state through Android's `savedInstanceState` bundle, which is
+   recoverable via `am dumpstate`, crash reports, and the platform's
+   restore-after-process-death path. Passphrase state must not be
+   serialised.
+
+This release:
+
+- Adds a `DisposableEffect` keyed on the host view that sets
+  `WindowManager.LayoutParams.FLAG_SECURE` on entry and clears it on
+  dispose. The flag is set only while the passphrase dialog is composed,
+  so the rest of Settings remains screen-recordable. Both the export
+  (with confirmation) and import (without confirmation) flows use the
+  same dialog, so both are covered.
+- Switches `passphrase` and `passphraseConfirmation` from
+  `rememberSaveable` to plain `remember`. The dialog already re-prompts
+  on every show (because it's only composed when the visibility flag is
+  true), so losing in-flight passphrase state across configuration changes
+  is the correct behaviour, not a regression.
+
+## Files touched
+
+- `app/src/main/kotlin/dev/patrickgold/florisboard/app/settings/dictionary/UserDictionaryScreen.kt`
+- `gradle.properties` — versionCode 1887 / versionName 1.8.87
+
+## Verification
+
+```powershell
+./gradlew.bat :app:testDebugUnitTest
+./gradlew.bat :app:lintDebug
+./gradlew.bat :app:assembleDebug
+./gradlew.bat :app:installDebug
+```
+
+Manual QA:
+- Open Settings → User Dictionary → encrypted export. Verify the
+  passphrase dialog appears. Trigger a system screen recording (or
+  external-display mirror). Verify the recording shows a black surface
+  for the dialog area (FLAG_SECURE), not the typed passphrase. Cancel
+  the dialog and screenshot Settings — that should still work normally
+  (FLAG_SECURE cleared on dispose).
+- Open the same dialog, type a partial passphrase, rotate the device.
+  Verify the field is empty after rotation (was: it survived rotation
+  via the savedInstanceState bundle).
+- Repeat for the encrypted-import flow.

app/src/main/kotlin/dev/patrickgold/florisboard/app/settings/dictionary/UserDictionaryScreen.kt

@@ -44,6 +44,7 @@ import androidx.compose.material3.OutlinedTextField
 import androidx.compose.material3.Text
 import androidx.compose.material3.TextButton
 import androidx.compose.runtime.Composable
+import androidx.compose.runtime.DisposableEffect
 import androidx.compose.runtime.LaunchedEffect
 import androidx.compose.runtime.getValue
 import androidx.compose.runtime.mutableStateOf
@@ -53,10 +54,13 @@ import androidx.compose.runtime.saveable.rememberSaveable
 import androidx.compose.runtime.setValue
 import androidx.compose.ui.Modifier
 import androidx.compose.ui.platform.LocalContext
+import androidx.compose.ui.platform.LocalView
 import androidx.compose.ui.text.input.ImeAction
 import androidx.compose.ui.text.input.KeyboardType
 import androidx.compose.ui.text.input.PasswordVisualTransformation
 import androidx.compose.ui.unit.dp
+import android.app.Activity
+import android.view.WindowManager
 import dev.patrickgold.florisboard.R
 import dev.patrickgold.florisboard.app.LocalNavController
 import dev.patrickgold.florisboard.app.settings.theme.DialogProperty
@@ -747,8 +751,29 @@ private fun DictionaryPassphraseDialog(
     onDismiss: () -> Unit,
     onConfirm: (String) -> Unit,
 ) {
-    var passphrase by rememberSaveable { mutableStateOf("") }
-    var passphraseConfirmation by rememberSaveable { mutableStateOf("") }
+    // While this dialog is on-screen, mark the host activity window as
+    // FLAG_SECURE so screen recordings / screenshots / external-display
+    // mirroring cannot capture the passphrase the user is typing. The
+    // PasswordVisualTransformation only masks the rendered dot/bullet —
+    // without FLAG_SECURE the typed characters are still in the surface
+    // layer that a screen recorder captures. Cleared on dispose.
+    val view = LocalView.current
+    DisposableEffect(view) {
+        val window = (view.context as? Activity)?.window
+        window?.setFlags(
+            WindowManager.LayoutParams.FLAG_SECURE,
+            WindowManager.LayoutParams.FLAG_SECURE,
+        )
+        onDispose {
+            window?.clearFlags(WindowManager.LayoutParams.FLAG_SECURE)
+        }
+    }
+    // Use plain `remember` (not `rememberSaveable`) so the passphrase does
+    // NOT survive process death / configuration change via the savedInstance
+    // state bundle. A passphrase in a savedInstanceState bundle is
+    // recoverable via `am dumpstate` and the like.
+    var passphrase by remember { mutableStateOf("") }
+    var passphraseConfirmation by remember { mutableStateOf("") }
     val mismatch = requireConfirmation &&
         passphraseConfirmation.isNotEmpty() &&
         passphrase != passphraseConfirmation

gradle.properties

@@ -15,5 +15,5 @@ projectMinSdk=26
 projectTargetSdk=36
 projectCompileSdk=36
 
-projectVersionCode=1886
-projectVersionName=1.8.86
+projectVersionCode=1887
+projectVersionName=1.8.87