friend! Sit tight, today we will use a story from the "Magic Kingdom" to show how an Android window casts the magic of "FLAG_SECURE". In this story, code is a spell, and system components are the wizards and guards of the kingdom.
Story Character Introduction:
1. You (App Developer): A young wizard apprentice who wants to protect the secrets in his app window, such as bank transactions and private chats.
2. Your Magic Window: The canvas on which you cast magic (display content). Each Activity or Dialog has one.
3. WindowManager: The butler and overall dispatcher of the kingdom. It decides which window is displayed where, how large, and at what level. It keeps a magic manual (WindowManager.LayoutParams) that records the properties of each window.
4. ViewRootImpl: The Grand Master, the core mage of each window. It connects your window content (the View hierarchy) with the underlying drawing system and translates magic (UI changes) into low-level instructions.
5. SurfaceFlinger: The Barrier Crystal, the ultimate compositor of the kingdom. It controls the "magic projection" (Surface) of every window, composites all of those projections, and displays the result on the large crystal screen. It is the key guard against screenshots!
6. ScreenshotHelper/SurfaceControl: The screenshot wizard, responsible for executing system screenshot commands. It requests a snapshot of the current screen's magic projection from the Barrier Crystal.
7. Physical Camera: A bystander outside the control of any magic barrier, who takes photos by physical means (so FLAG_SECURE cannot prevent physical photography).
The story begins:
Chapter 1: Apprentice's Concerns and Magic Markings
You, a young wizard apprentice, have developed a banking app. Its main window (Activity) displays the user's account balance and transaction records. You are worried: "What if someone secretly uses the system screenshot to capture this window? The user's secrets would be leaked!"
You need to put a "screenshot barrier" on your bank window. How? You open WindowManager's magic manual (WindowManager.LayoutParams) and find a powerful magic marker: getWindow().addFlags(WindowManager.LayoutParams.FLAG_SECURE);
Chapter 2: Tag Transfer and Window Manager Records
When you recite the FLAG_SECURE spell:
The spell is applied to the Window object that represents your window (usually obtained through Activity.getWindow()).
The Window object writes the FLAG_SECURE tag into its own property manual (WindowManager.LayoutParams).
When your window needs to be displayed (or when its properties change), WindowManager receives an update. The butler specially marks the record for your window in the general register as FLAG_SECURE.
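The spell from Chapters 1 and 2 inside an app, as an added example that is not code from the original page: each window carries its own LayoutParams, so the Activity window and a Dialog opened from it are marked separately. The class name BalanceActivity, the helper names and the displayed strings are hypothetical.

```java
import android.app.Activity;
import android.app.AlertDialog;
import android.os.Bundle;
import android.view.Window;
import android.view.WindowManager;
import android.widget.TextView;

// Hypothetical activity; the displayed strings are constructed sample values.
public class BalanceActivity extends Activity {

    // Write FLAG_SECURE into this window's own LayoutParams.
    static void protect(Window window) {
        window.addFlags(WindowManager.LayoutParams.FLAG_SECURE);
    }

    // Read the flag back from the window's LayoutParams.
    static boolean isProtected(Window window) {
        int flags = window.getAttributes().flags;
        return (flags & WindowManager.LayoutParams.FLAG_SECURE) != 0;
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        protect(getWindow());              // mark the window before any content is shown
        TextView balance = new TextView(this);
        balance.setText("Balance: 1,234.56");
        balance.setOnClickListener(v -> showDetails());
        setContentView(balance);
    }

    private void showDetails() {
        AlertDialog dialog = new AlertDialog.Builder(this)
                .setMessage("Last transaction: -42.00")
                .create();
        Window dialogWindow = dialog.getWindow();
        // The dialog is a separate window with its own LayoutParams,
        // so it carries no FLAG_SECURE until it is set here.
        if (dialogWindow != null && !isProtected(dialogWindow)) {
            protect(dialogWindow);
        }
        dialog.show();
    }
}
```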
Chapter 3: Translation by the Grand Master and Instructions for the Barrier Crystal
Now, your window content needs to be drawn onto the screen. ViewRootImpl starts working:
ViewRootImpl is responsible for coordinating the measurement, layout, and drawing of your window content (View tree).
More importantly, it is responsible for communicating with the underlying SurfaceFlinger. For this purpose, it creates or manages a core object that represents your window's "magic projection source": SurfaceControl.
When creating or updating the SurfaceControl, ViewRootImpl checks the properties of your window in the WindowManager registry. It sees the prominent FLAG_SECURE tag!
The Grand Master immediately realizes, "This window needs protection!" So, when sending SurfaceFlinger the instructions on how to create and manage the "magic projection source" (Surface) for this window, he specifically sets the FLAG_SECURE tag in the SurfaceControl properties.
[Figure not preserved: key code snippet, a simplified illustration of the internal logic of ViewRootImpl]
Chapter 4: The Barrier Crystal Stands Guard and the Screenshot Wizard Fails
Now the core defense shifts to SurfaceFlinger:
SurfaceFlinger manages the Surface (magic projection source) of every window. It knows which Surfaces carry the SECURE flag.
When the user presses the screenshot shortcut (volume down + power), the ScreenshotHelper is awakened.
The screenshot wizard sends a request to SurfaceFlinger: "Barrier Crystal, please give me the final snapshot of the composited magic projections of all visible windows on the current screen."
SurfaceFlinger starts working:
It traverses the Surfaces of all windows that are currently visible and take part in composition.
When it encounters a Surface marked as SECURE (such as your bank window), it knows that the contents of this window are protected!
Key decision point: SurfaceFlinger does not include the content of this SECURE window in the final screenshot it is preparing to generate!
In the end, SurfaceFlinger returns the snapshot image to the screenshot wizard:
The area of your bank app window is blacked out or shown as a solid-color background (the specific behavior may vary slightly depending on the Android version or OEM customization).
Other non-SECURE windows (such as the notification bar and the desktop in the background) are displayed normally.
ScreenshotHelper takes this image, which the Barrier Crystal has processed and which lacks the key content, and saves it. When the user looks at the screenshot, they find that the bank window has mysteriously disappeared, leaving only a black block. Your secret has been successfully protected!
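A plain-Java model of Chapters 3 and 4, added here as an illustration; it is not AOSP source and not the snippet the original page showed. It follows the story's flow (window flag translated to a surface flag, then honored at capture time) on a single row of "pixels"; the class, method and record names, the SURFACE_SECURE value and the three sample windows are constructed for the example.

```java
import java.util.Arrays;
import java.util.List;

// Added model, not Android framework code. All names here are hypothetical.
public class SecureLayerModel {
    static final int FLAG_SECURE = 0x00002000; // value of WindowManager.LayoutParams.FLAG_SECURE
    static final int SURFACE_SECURE = 0x80;    // model stand-in for the surface-level secure flag

    // One window's surface, reduced to a horizontal span filled with one character.
    record Layer(String name, int x, int width, char pixel, int surfaceFlags) {}

    // Chapter 3: translate the window flag into the flag carried by the surface.
    static int surfaceFlagsFor(int windowFlags) {
        return (windowFlags & FLAG_SECURE) != 0 ? SURFACE_SECURE : 0;
    }

    // Chapter 4: composite one scanline; layers are listed bottom to top.
    // forScreenshot=false models the physical display, true models a capture request.
    static String compose(List<Layer> layers, int screenWidth, boolean forScreenshot) {
        char[] out = new char[screenWidth];
        Arrays.fill(out, ' ');
        for (Layer l : layers) {
            boolean blackOut = forScreenshot && (l.surfaceFlags() & SURFACE_SECURE) != 0;
            int end = Math.min(l.x() + l.width(), screenWidth);
            for (int i = Math.max(l.x(), 0); i < end; i++) {
                // A secure layer still occupies its area, but its pixels are replaced.
                out[i] = blackOut ? '#' : l.pixel();
            }
        }
        return new String(out);
    }

    public static void main(String[] args) {
        // Constructed sample windows: launcher, bank window (secure), status bar.
        List<Layer> layers = List.of(
            new Layer("launcher", 0, 16, '.', surfaceFlagsFor(0)),
            new Layer("bank", 4, 8, '$', surfaceFlagsFor(FLAG_SECURE)),
            new Layer("statusbar", 0, 3, '=', surfaceFlagsFor(0)));
        System.out.println("display:    [" + compose(layers, 16, false) + "]");
        System.out.println("screenshot: [" + compose(layers, 16, true) + "]");
    }
}
```

Run with JDK 16 or later (records); the two printed rows differ only in the columns covered by the bank window.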
Chapter 5: The Physical Camera, the Barrier's Blind Spot
There is another character in the story: the physical camera. It is not under the jurisdiction of the Magic Kingdom (the Android system) or its SurfaceFlinger. It captures light directly from the real world.
If someone uses another phone to take a photo of your bank app window, the FLAG_SECURE barrier is completely powerless against it. Because it guards only against the system's internal screenshot mechanism, it cannot prevent recording in the physical world.
So, for extremely sensitive information (such as password input), apps also need additional means, such as masking password characters directly during input (EditText's inputType="textPassword"), so that they cannot be seen even if the screen is physically photographed.
Summary and key points:
Your spell (FLAG_SECURE): You set the FLAG_SECURE tag on the window.
The butler's record (WindowManager): WindowManager records that this window needs to be protected.
Translation by the Grand Master (ViewRootImpl): When creating or managing the SurfaceControl that represents the window's underlying drawing, ViewRootImpl passes the SECURE flag on to it.
The Barrier Crystal stands guard (SurfaceFlinger): When the system requests a screenshot, SurfaceFlinger checks the flags of every Surface. When it encounters a Surface marked SECURE, it skips that content or replaces it with black or a solid color, so the content is not included in the final screenshot. This is the core magic of preventing screenshots!
Physical photography is a blind spot: FLAG_SECURE can only defend against the system's internal screenshot mechanism; it cannot defend against photography by an external device.
Why do we say 'prevent'?
Because FLAG_SECURE does not make the window "invisible" or "unpatchable". It is only during the screenshot process that the underlying compositor (SurfaceFlinger) actively filters out the content of the protected window. The screenshot result is incomplete, which achieves the effect of "preventing sensitive content from appearing in the screenshot".








