Protect your app and fight abuse with security flags FLAG_SECURE and REQUIRE_SECURE_ENV

As a Google Play developer, you play a critical role in ensuring the safety and security of your app and its users. With the rise of social engineering abuse campaigns, particularly targeting vulnerable populations, it's more important than ever to take proactive measures to protect your users and the integrity of your app.

This article provides an overview of two helpful Android and Play security flags that can enhance your app's security: FLAG_SECURE and REQUIRE_SECURE_ENV. By understanding and effectively utilizing these flags, you can help combat targeted abuse and further safeguard your app's ecosystem.

FLAG_SECURE

FLAG_SECURE signals that your app is intended to run in a more secure environment, mitigating potential vulnerabilities, monitoring, and attacks. It is a display flag declared in an app’s code to indicate that its UI contains sensitive data intended to be limited to a secure surface while using the app, signaling to other apps and services that the data should not appear in screenshots or be viewed on non-secure displays. Developers declare this flag when the app’s content should not be broadcast, viewed, or otherwise transmitted outside of the app or the user’s device. For example, if a screen in your app contains sensitive data that might present a security risk if viewed by a third party such as a remote support app, FLAG_SECURE is one way to declare that sensitivity and help provide a secure environment. For security and privacy purposes, all apps distributed on Google Play are required to respect FLAG_SECURE — which entails not facilitating or creating workarounds to bypass the flag settings in other apps.

REQUIRE_SECURE_ENV

Protecting elder users and vulnerable populations from social engineering abuse

Social engineering attacks are particularly concerning for the elder population and other vulnerable groups who may be more susceptible to manipulation and deception. These attacks often involve tricking users into revealing sensitive information, such as passwords or financial details, or downloading malicious content.

By implementing the FLAG_SECURE and REQUIRE_SECURE_ENV flags, you can help mitigate social engineering attacks within your app. Used independently or simultaneously, these flags help protect against vulnerabilities that attackers often exploit to gain access to personal and sensitive user data or devices.

Additional protective measures

In addition to utilizing security flags, consider incorporating these additional measures to help protect your users from social engineering abuse:

  • Educate users about social engineering tactics: Provide clear and concise warnings within your app about common social engineering techniques, such as phishing scams and fake support calls.
  • Implement secure authentication mechanisms: Employ robust authentication methods, such as two-factor authentication, to prevent unauthorized access to user accounts.
  • Regularly update your app: Keep your app up-to-date with the latest security patches and bug fixes to address any potential vulnerabilities that could be exploited by attackers.

Collaboration and ongoing education

Fighting abuse and protecting users is an ongoing process that requires collaboration among developers, Google Play, and the broader security community. Stay informed about security best practices by reading our Safety & Security blog.

By working together, we can create a more secure and trustworthy Android ecosystem for all users.

Frequently asked questions

Will utilizing these flags alter my apps negatively? How long will the implementation take?

These flags are designed to enhance security and privacy, not hinder performance. However, if your app's features rely heavily on sharing screenshots or screen recordings, setting FLAG_SECURE may prevent users from capturing those visuals on those specific pages. It’s important to balance security needs with user experience in this case. Also, some third-party app customizations or extensions might rely on screen capturing methods that could be affected by these flags. If your app integrates with such tools, it’s worth testing for compatibility.

The implementation process is generally fast and straightforward. It typically involves adding a few lines of code to the relevant pages or activities where you want to apply the flags. The exact time depends on the complexity of your app and the number of pages involved.

What is the difference between FLAG_SECURE and REQUIRE_SECURE_ENV flags?

FLAG_SECURE is a window-level flag that, when set, marks the content of the window as secure, preventing it from appearing in screenshots or from being viewed on non-secure displays. REQUIRE_SECURE_ENV signals to other apps that your app must run in a secure environment. Both are security flags that can be used to protect Android apps and users from abuse and attacks.

What is an example of how FLAG_SECURE works as intended?

When a banking app uses FLAG_SECURE on its login screen, it creates a special window that protects sensitive information like the user's login credentials. As a general rule, this protection helps to prevent the window's content from being displayed on non-secure screens or captured in screenshots, recordings, or remote viewing attempts. So, instead of seeing a user’s login details, you might just see a blank area on those types of displays.

Which types of apps could use the FLAG_SECURE and REQUIRE_SECURE_ENV flags?

Apps that handle personal and sensitive user data, such as financial information, may use these flags. Banking apps, for example, commonly use FLAG_SECURE. Apps that are particularly vulnerable to abuse, such as apps that target elder or vulnerable populations, should also consider using the REQUIRE_SECURE_ENV flag.

How do I implement the FLAG_SECURE and REQUIRE_SECURE_ENV flags?

To implement the FLAG_SECURE flag, declare the activity in your AndroidManifest.xml file as follows, and set the flag on the activity's window in code:

XML

<activity android:name=".MyActivity"
          android:exported="true"
          android:windowSoftInputMode="adjustPan">
  <intent-filter>
    <action android:name="android.intent.action.MAIN" />
    <category android:name="android.intent.category.LAUNCHER" />
  </intent-filter>
</activity>
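
Setting the flag on the window of the activity declared above, as an added example that is not part of the original page. The class name follows the `.MyActivity` manifest entry; the `showSensitiveDialog` helper and the sample text are constructed for illustration.

```kotlin
import android.app.Activity
import android.app.AlertDialog
import android.os.Bundle
import android.view.WindowManager
import android.widget.TextView

// Hypothetical activity matching the ".MyActivity" manifest entry.
class MyActivity : Activity() {

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)

        // Apply FLAG_SECURE before any content is attached, so the
        // sensitive UI is never rendered to a non-secure surface.
        window.setFlags(
            WindowManager.LayoutParams.FLAG_SECURE,
            WindowManager.LayoutParams.FLAG_SECURE
        )

        // Constructed sample content standing in for a sensitive screen.
        val label = TextView(this).apply {
            text = "Account details (constructed sample)"
            setOnClickListener { showSensitiveDialog("One-time code: 000000") }
        }
        setContentView(label)
    }

    // A dialog is drawn in its own window, which does not pick up the
    // activity's FLAG_SECURE; set the flag on the dialog window as well.
    private fun showSensitiveDialog(message: String) {
        val dialog = AlertDialog.Builder(this)
            .setMessage(message)
            .setPositiveButton(android.R.string.ok, null)
            .create()
        dialog.window?.addFlags(WindowManager.LayoutParams.FLAG_SECURE)
        dialog.show()
    }
}
```

To check the result, take a screenshot or start a screen recording on this screen: the window should appear blank in the capture, as described in the banking example above.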

To implement the REQUIRE_SECURE_ENV flag, add the following line to your AndroidManifest.xml file:

XML

<manifest ...>
  <application ...>
    …

    <property android:name="REQUIRE_SECURE_ENV" android:value="1" />

    …
  </application>
</manifest>
