Screen Capture protection

Author: Ahmad-Ayman

android/build.gradle

@@ -90,7 +90,7 @@ dependencies {
   implementation "com.facebook.react:react-native:$react_native_version"
   implementation "org.jetbrains.kotlin:kotlin-stdlib:$kotlin_version"
   implementation "org.jetbrains.kotlinx:kotlinx-serialization-json:1.4.1"
-  implementation "com.aheaditec.talsec.security:TalsecSecurity-Community-ReactNative:13.2.0"
+  implementation "com.aheaditec.talsec.security:TalsecSecurity-Community-ReactNative:14.0.1"
 }
 
 if (isNewArchitectureEnabled()) {

android/gradle.properties

@@ -1,6 +1,6 @@
 FreeraspReactNative_kotlinVersion=1.7.0
 FreeraspReactNative_minSdkVersion=23
-FreeraspReactNative_targetSdkVersion=31
-FreeraspReactNative_compileSdkVersion=33
+FreeraspReactNative_targetSdkVersion=35
+FreeraspReactNative_compileSdkVersion=35
 FreeraspReactNative_ndkversion=21.4.7075529
 FreeraspReactNative_reactNativeVersion=+

android/src/main/java/com/freeraspreactnative/FreeraspReactNativeModule.kt

@@ -1,5 +1,6 @@
 package com.freeraspreactnative
 
+import android.os.Build
 import android.os.Handler
 import android.os.HandlerThread
 import android.os.Looper
@@ -24,18 +25,23 @@ import com.freeraspreactnative.utils.getMapThrowing
 import com.freeraspreactnative.utils.getNestedArraySafe
 import com.freeraspreactnative.utils.getStringThrowing
 import com.freeraspreactnative.utils.toEncodedWritableArray
+import com.freeraspreactnative.ScreenProtector
 
 class FreeraspReactNativeModule(private val reactContext: ReactApplicationContext) :
   ReactContextBaseJavaModule(reactContext) {
 
   private val listener = ThreatListener(FreeraspThreatHandler, FreeraspThreatHandler)
   private val lifecycleListener = object : LifecycleEventListener {
     override fun onHostResume() {
-      // do nothing
+      if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.UPSIDE_DOWN_CAKE) {
+        currentActivity?.let { ScreenProtector.register(it) }
+      }
     }
 
     override fun onHostPause() {
-      // do nothing
+      if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.UPSIDE_DOWN_CAKE) {
+        currentActivity?.let { ScreenProtector.unregister(it) }
+      }
     }
 
     override fun onHostDestroy() {
@@ -54,8 +60,7 @@ class FreeraspReactNativeModule(private val reactContext: ReactApplicationContex
 
   @ReactMethod
   fun talsecStart(
-    options: ReadableMap,
-    promise: Promise
+    options: ReadableMap, promise: Promise
   ) {
 
     try {
@@ -64,6 +69,12 @@ class FreeraspReactNativeModule(private val reactContext: ReactApplicationContex
       listener.registerListener(reactContext)
       runOnUiThread {
         Talsec.start(reactContext, config)
+        // Ensure ScreenProtector is registered AFTER Talsec starts
+        currentActivity?.let { activity ->
+          if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.UPSIDE_DOWN_CAKE) {
+            ScreenProtector.register(activity)
+          }
+        }
       }
 
       promise.resolve("freeRASP started")
@@ -136,6 +147,43 @@ class FreeraspReactNativeModule(private val reactContext: ReactApplicationContex
     }
   }
 
+  /**
+   * Method Block/Unblock screen capture
+   * @param enable boolean for whether want to block or unblock the screen capture
+   */
+  @ReactMethod
+  fun blockScreenCapture(enable: Boolean, promise: Promise) {
+    val activity = currentActivity ?: run {
+      promise.reject(
+        "NativePluginError", "Cannot block screen capture, activity is null."
+      )
+      return
+    }
+
+    runOnUiThread {
+      try {
+        Talsec.blockScreenCapture(activity, enable)
+        promise.resolve("Screen capture is now ${if (enable) "Blocked" else "Enabled"}.")
+      } catch (e: Exception) {
+        promise.reject("NativePluginError", "Error in blockScreenCapture: ${e.message}")
+      }
+    }
+  }
+
+  /**
+   * Method Returns whether screen capture is blocked or not
+   * @return boolean for is screem capture blocked or not
+   */
+  @ReactMethod
+  fun isScreenCaptureBlocked(promise: Promise) {
+    try {
+      val isBlocked = Talsec.isScreenCaptureBlocked()
+      promise.resolve(isBlocked)
+    } catch (e: Exception) {
+      promise.reject("NativePluginError", "Error in isScreenCaptureBlocked: ${e.message}")
+    }
+  }
+
   private fun buildTalsecConfig(config: ReadableMap): TalsecConfig {
     val androidConfig = config.getMapThrowing("androidConfig")
     val packageName = androidConfig.getStringThrowing("packageName")
@@ -170,13 +218,14 @@ class FreeraspReactNativeModule(private val reactContext: ReactApplicationContex
     private val backgroundHandler = Handler(backgroundHandlerThread.looper)
     private val mainHandler = Handler(Looper.getMainLooper())
 
+    internal var talsecStarted = false
+
     private lateinit var appReactContext: ReactApplicationContext
 
     private fun notifyListeners(threat: Threat) {
       val params = Arguments.createMap()
       params.putInt(THREAT_CHANNEL_KEY, threat.value)
-      appReactContext
-        .getJSModule(DeviceEventManagerModule.RCTDeviceEventEmitter::class.java)
+      appReactContext.getJSModule(DeviceEventManagerModule.RCTDeviceEventEmitter::class.java)
         .emit(THREAT_CHANNEL_NAME, params)
     }
 
@@ -196,8 +245,7 @@ class FreeraspReactNativeModule(private val reactContext: ReactApplicationContex
             MALWARE_CHANNEL_KEY, encodedSuspiciousApps
           )
 
-          appReactContext
-            .getJSModule(DeviceEventManagerModule.RCTDeviceEventEmitter::class.java)
+          appReactContext.getJSModule(DeviceEventManagerModule.RCTDeviceEventEmitter::class.java)
             .emit(THREAT_CHANNEL_NAME, params)
         }
       }

android/src/main/java/com/freeraspreactnative/FreeraspThreatHandler.kt

@@ -63,6 +63,14 @@ internal object FreeraspThreatHandler : ThreatListener.ThreatDetected, ThreatLis
     listener?.threatDetected(Threat.SystemVPN)
   }
 
+  override fun onScreenshotDetected() {
+    listener?.threatDetected(Threat.Screenshot)
+  }
+
+  override fun onScreenRecordingDetected() {
+    listener?.threatDetected(Threat.ScreenRecording)
+  }
+
   internal interface TalsecReactNative {
     fun threatDetected(threatType: Threat)
 

android/src/main/java/com/freeraspreactnative/ScreenProtector.kt

@@ -0,0 +1,162 @@
+package com.freeraspreactnative
+
+import android.annotation.SuppressLint
+import android.annotation.TargetApi
+import android.app.Activity
+import android.app.Activity.ScreenCaptureCallback
+import android.content.Context
+import android.content.pm.PackageManager
+import android.os.Build
+import android.util.Log
+import android.view.WindowManager.SCREEN_RECORDING_STATE_VISIBLE
+import androidx.annotation.RequiresApi
+import androidx.core.content.ContextCompat
+
+import com.aheaditec.talsec_security.security.api.Talsec
+import java.util.function.Consumer
+
+@RequiresApi(Build.VERSION_CODES.UPSIDE_DOWN_CAKE)
+internal object ScreenProtector {
+  private const val TAG = "TalsecScreenProtector"
+  private const val SCREEN_CAPTURE_PERMISSION = "android.permission.DETECT_SCREEN_CAPTURE"
+  private const val SCREEN_RECORDING_PERMISSION = "android.permission.DETECT_SCREEN_RECORDING"
+
+  private val screenCaptureCallback = ScreenCaptureCallback { Talsec.onScreenshotDetected() }
+  private val screenRecordCallback: Consumer<Int> = Consumer<Int> { state ->
+    if (state == SCREEN_RECORDING_STATE_VISIBLE) {
+      Talsec.onScreenRecordingDetected()
+    }
+  }
+
+  /**
+   * Registers screenshot and screen recording detector with the given activity
+   *
+   * **IMPORTANT**: android.permission.DETECT_SCREEN_CAPTURE and
+   * android.permission.DETECT_SCREEN_RECORDING must be
+   * granted for the app in the AndroidManifest.xml
+   */
+  internal fun register(activity: Activity) {
+    if (!FreeraspReactNativeModule.talsecStarted) {
+      return
+    }
+
+    if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.UPSIDE_DOWN_CAKE) {
+      registerScreenCapture(activity)
+    }
+
+    if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.VANILLA_ICE_CREAM) {
+      registerScreenRecording(activity)
+    }
+  }
+
+  /**
+   * Register Talsec Screen Capture (screenshot) Detector for given activity instance.
+   * The MainActivity of the app is registered by the plugin itself, other
+   * activities bust be registered manually as described in the integration guide.
+   *
+   * Missing permission is suppressed because the decision to use the screen
+   * capture API is made by developer, and not enforced by the library.
+   *
+   * **IMPORTANT**: android.permission.DETECT_SCREEN_CAPTURE (API 34+) must be
+   * granted for the app in the AndroidManifest.xml
+   */
+  @RequiresApi(Build.VERSION_CODES.UPSIDE_DOWN_CAKE)
+  @SuppressLint("MissingPermission")
+  private fun registerScreenCapture(activity: Activity) {
+    val context = activity.applicationContext
+    if (!hasPermission(context, SCREEN_CAPTURE_PERMISSION)) {
+      reportMissingPermission("screenshot", SCREEN_CAPTURE_PERMISSION)
+      return
+    }
+
+    activity.registerScreenCaptureCallback(context.mainExecutor, screenCaptureCallback)
+  }
+
+  /**
+   * Register Talsec Screen Recording Detector for given activity instance.
+   * The MainActivity of the app is registered by the plugin itself, other
+   * activities bust be registered manually as described in the integration guide.
+   *
+   * Missing permission is suppressed because the decision to use the screen
+   * capture API is made by developer, and not enforced by the library.
+   *
+   * **IMPORTANT**: android.permission.DETECT_SCREEN_RECORDING (API 35+) must be
+   * granted for the app in the AndroidManifest.xml
+   */
+  @SuppressLint("MissingPermission")
+  @RequiresApi(Build.VERSION_CODES.VANILLA_ICE_CREAM)
+  private fun registerScreenRecording(activity: Activity) {
+    val context = activity.applicationContext
+    if (!hasPermission(context, SCREEN_RECORDING_PERMISSION)) {
+      reportMissingPermission("screen record", SCREEN_RECORDING_PERMISSION)
+      return
+    }
+
+    val initialState = activity.windowManager.addScreenRecordingCallback(
+      context.mainExecutor, screenRecordCallback
+    )
+    screenRecordCallback.accept(initialState)
+
+  }
+
+  /**
+   * Unregisters screenshot and screen recording detector with the given activity
+   *
+   * **IMPORTANT**: android.permission.DETECT_SCREEN_CAPTURE and
+   * android.permission.DETECT_SCREEN_RECORDING must be
+   * granted for the app in the AndroidManifest.xml
+   */
+  @SuppressLint("MissingPermission")
+  @RequiresApi(Build.VERSION_CODES.UPSIDE_DOWN_CAKE)
+  internal fun unregister(activity: Activity) {
+    if (!FreeraspReactNativeModule.talsecStarted) {
+      return
+    }
+
+    if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.UPSIDE_DOWN_CAKE) {
+      unregisterScreenCapture(activity)
+    }
+
+    if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.VANILLA_ICE_CREAM) {
+      unregisterScreenRecording(activity)
+    }
+  }
+
+  // Missing permission is suppressed because the decision to use the screen capture API is made
+  // by developer, and not enforced by the library.
+  @SuppressLint("MissingPermission")
+  @RequiresApi(Build.VERSION_CODES.UPSIDE_DOWN_CAKE)
+  private fun unregisterScreenCapture(activity: Activity) {
+    val context = activity.applicationContext
+    if (!hasPermission(context, SCREEN_CAPTURE_PERMISSION)) {
+      return
+    }
+    activity.unregisterScreenCaptureCallback(screenCaptureCallback)
+  }
+
+  // Missing permission is suppressed because the decision to use the screen capture API is made
+  // by developer, and not enforced by the library.
+  @SuppressLint("MissingPermission")
+  @RequiresApi(Build.VERSION_CODES.VANILLA_ICE_CREAM)
+  private fun unregisterScreenRecording(activity: Activity) {
+    val context = activity.applicationContext
+    if (!hasPermission(context, SCREEN_RECORDING_PERMISSION)) {
+      return
+    }
+
+    activity.windowManager?.removeScreenRecordingCallback(screenRecordCallback)
+  }
+
+  private fun hasPermission(context: Context, permission: String): Boolean {
+    return ContextCompat.checkSelfPermission(
+      context, permission
+    ) == PackageManager.PERMISSION_GRANTED
+  }
+
+  private fun reportMissingPermission(protectionType: String, permission: String) {
+    Log.e(
+      TAG,
+      "Failed to register $protectionType callback. Check if $permission permission is granted in AndroidManifest.xml"
+    )
+  }
+}

android/src/main/java/com/freeraspreactnative/Threat.kt

@@ -25,6 +25,8 @@ internal sealed class Threat(val value: Int) {
   object DevMode : Threat((10000..999999999).random())
   object Malware : Threat((10000..999999999).random())
   object ADBEnabled : Threat((10000..999999999).random())
+  object Screenshot : Threat((10000..999999999).random())
+  object ScreenRecording : Threat((10000..999999999).random())
 
   companion object {
     internal fun getThreatValues(): WritableArray {
@@ -43,7 +45,9 @@ internal sealed class Threat(val value: Int) {
           ObfuscationIssues.value,
           DevMode.value,
           Malware.value,
-          ADBEnabled.value
+          ADBEnabled.value,
+          Screenshot.value,
+          ScreenRecording.value
         )
       )
     }

example/src/App.tsx

@@ -188,6 +188,24 @@ const App = () => {
         )
       );
     },
+    // Android only
+    screenshot: () => {
+      setAppChecks((currentState) =>
+        currentState.map((threat) =>
+          threat.name === 'Screenshot' ? { ...threat, status: 'nok' } : threat
+        )
+      );
+    },
+    // Android only
+    screenRecording: () => {
+      setAppChecks((currentState) =>
+        currentState.map((threat) =>
+          threat.name === 'Screen Recording'
+            ? { ...threat, status: 'nok' }
+            : threat
+        )
+      );
+    },
   };
 
   const addItemsToMalwareWhitelist = async () => {