zlacker

> prevents me from taking screenshots if an app author doesn't want me to

The most frustrating part about this "feature" is that you don't know it's enabled until the screenshot is taken and you're left with a picture of nothing.

That and some app authors thinking they're protecting you with this (referring to banking apps in particular)

>>hypeat+(OP)
Pretty sure Twitch on iOS does this now. Screen recording still works though.

>>hypeat+(OP)
Now consider the fact that an arbitrary other app can take a screenshot clandestinely, via API. Would you like it to happen when you're looking at the summary of your accounts? your list of credit card numbers?

The problem is that certain actions should only be acceptable if initiated by the user, physically. Think of the way Ctrl+Alt+Del works in Windows. This, of course, is not possible if you don't have enough fingers for the action, or something; here comes the loophole of assistive technologies, widely (ab)used for that on most platforms.

>>hypeat+(OP)
I want to send my new IBAN to my company, I can, no screenshot allowed on the screen with banking information. So I need to log on their website to do it. At least my new bank allows such screenshot and to copy account information directly from the app.

>>Foobar+4i
Two mirrors will make it allowed.

>>Foobar+4i
There is a special place in hell for people providing non copyable text information in the form of screenshots.

>>looofo+lj
Perhaps true, but some modern OSes (like macOS and iOS) allow you to copy text from screenshots. And since the text quality of screenshots is typically good, it works well.

>>looofo+lj
Do you prefer a voice message instead? /s

>>hypeat+(OP)
In some sense they are. But being protected either from a consequence of my own stupidity or a consequence of their lack of security. I think the worst part of all is that these "bandaids" are being used in place of actual security. I don't need to be protected from my own stupidity nor do I need security theater.

>>looofo+lj
It's amazing how many "little" things there are like this. Like I honestly can't remember the last time I filled out a form which required something like my country and I didn't have to scroll to find it. All the information's there to make a good guess. But this is just one example of a million. There's just too many papercuts.

>>looofo+lj
The other day I wanted to send someone proof that a transaction has gone through. A screenshot would have been the obvious choice, but of course, my banking app wouldn't let me do it.

>>Foobar+4i
They literally had me photocopy the phone screen because of the same issue.

>>NicuCa+1q
A screenshot would also be trivial to counterfeit. That being said, I am not aware of any banks that provide any actually tamper-proof, shareable transaction confirmations.

>>godels+Hm
It doesn't really protect anything though, because you can always just use an external camera to take a picture of your screen.

>>Aerroo+Fu
Its probably meant to try mitigate damage in case bad actor gets remote access to your phone or you have malware.

>>nine_k+Le
That’s why taking screenshots should be a runtime permission thing.

>>godels+Hm
I think the threat model here is that a different, malicious app (compromised, installed accidentally or by the means of social engineering) might take screenshots of your screen and forward them to take advantage of you. You can file this under one's "own stupidity" as well, sure, but in the end they're not protecting you, they're protecting themselves, because banks might be liable for these kind of things, and by imposing these restrictions, they're reducing the amount of fraud and thus improve their bottom line.

>>looofo+lj
Modern life is full of these tiny inconveniences. It usually involves some sort of "smart" devices, like light switches, stoves, elevator buttons, etc. Each one of which could be forgivable, but in sum it's like death by a thousand paper cuts.

User hostile UI in the name of security is particularly bad: we are supposed to type unique and complicated passwords in text fields without being able to see what we type, and if we get it wrong, we are put in timeout for two seconds. Citrix Netscaler nowadays apparently wants to be extra secure and shows you the most generic error message if you have a typo in either your password or user name and just tells you to "try again later", so you do until you lock yourself out. It's madness.

>>hypeat+(OP)
Jesus Christ!

Who are the product designers of the present with these single-minded attitude not checking how the implementation affects the life of paying customers< Children?! Most take pride - on paper! - about what one can do 'so easily' with their product, just to raise barricades getting there, using it, or those pop up suddenly while using it, bumping into it like into a bollard ona highway. Or just chain them to it against will! I am not aiming at Android only here as this is a generic attitude I found from organization being so self obsessed about what THEY want that no-one else benefits, no-one else have real benefits - only mixed ones with sizeable drawbacks -, defying the purpose of having modern technology. When the life becomes differently complicated, then that is no progress at all, just messing around. I am thinking three, four, or more times nowadays buying any technology, which is sad, as I was so enthusiastic only one but especially two decades ago, discovering advances and gadgets. Not anymore. I spend my money - and TIME! - on things bringing benefit or joy instead, or on those I am FORCED into. Yes, this obsession of providing non-technology services (banking, bureaucracy, identification, ...) apps first (sometimes only, at least to various, sometimes important details of the use/access) which is a hugely demanding matter on users (choose, purchase, pay, setup, learn, re-learn, update, maintain, subscribe, know and accept terms, charge, protect, both physically and data wise, click away suggestions and self promotions while busy with something important) that it is a very bitter pill to swallow.

>>mr_mit+Rz
I see this argument everywhere and I've never heard of a case where a bank was liable because a customer was phished. I've even asked for examples and nobody ever provided them.

It's one thing to argue in court that they should be liable because they didn't provide you with the necessary security tools (like MFA), but they all provide at least SMS 2FA these days and their apps run on iOS and Android, both of which have plenty of security features.

>>hypeat+(OP)
You're tech savvy enough, you're not the target for such a feature. The target is the grandmas and grandpas, and other people who have no idea about such things.

>>looofo+lj
At this point you can just use google lens or something like that to copy text from images.

>>mr_mit+Rz
> they're protecting themselves

[citation needed]

The theory here is that it provides a marginal security improvement if there is malware on the phone, but if there is malware on the phone then there are a hundred other things it can do to the same effect and you're likely screwed anyway. And by doing this, you also block the user from taking screenshots, which is bad, because screenshots are harder for computers to parse, and that's a marginal security advantage. If the user is going to send e.g. their account number to someone else (for a legitimate reason), it's better that they do it as a screenshot than that you force them to type it as text, because text is machine searchable. Which is worse when that messaging system gets compromised and then the attacker can do a text search for a pattern matching a bank routing number and be more likely to discover that message than if it was only there in a JPG.

Meanwhile the primary consequence of preventing screenshots is to inconvenience customers, which is an actual cost to the bank, because there is only a threshold amount of BS customers will put up with before switching banks and banks are constantly pushing up against that line already with all of their other BS.

But then the lower-quality banks do it anyway because there is a box they can check which sounds like it's locking something down, so they check it without thinking. Which is a great canary for customers who want to know if their bank is dumb -- if they require this then they probably do all kinds of other dumb stuff and it's a strong indication you should switch banks before you get screwed by them doing some other foolish nonsense.

>>microt+pm
Windows with power toys and android have it too.

The Penny supermarkt app on android disables both screenshots and text selection with the error that it is disabled by admin.

>>franga+eM
If a bank is required to reverse fraudulent charges (and they are), that means they're liable for those charges.

>>franga+eM
In reality what happened is that some security auditor put it into a checklist for the mobile app "Security ISO certificate++" and now everyone implements it for compliance.

Fighting against that is insane paperwork and professional exposure for software engineers that do it (since if people get phished, the C-suite will point a finger at a tech lead which went against the "professional security audit").

Most of other posts here are just post-rationalization and victim blaming.

>>Aerroo+Fu
It protects less proficient users from accidentally taking a screenshot.

>>mr_mit+Rz
Are you implying that Google is unable to distinguish whether a screenshot is triggered via a combination of hardware buttons vs via a software call from another app that isn't even on the foreground in their own ecosystem? That's a quite sad state of affairs, isn't it?

>>Foobar+4i
Why not copy it from the App?

>>looofo+lj
At least the days of those screenshot being pasted into a Microsoft Word document are mostly behind us now...

>>Anthon+nQ
>because screenshots are harder for computers to parse, and that's a marginal security advantage. If the user is going to send e.g. their account number to someone else (for a legitimate reason), it's better that they do it as a screenshot than that you force them to type it as text, because text is machine searchable. Which is worse when that messaging system gets compromised and then the attacker can do a text search for a pattern matching a bank routing number and be more likely to discover that message than if it was only there in a JPG.

Tbf it is 2025, not 2010, it isnt that hard

>>Cloude+Dv
If your phone is remotely rooted, the screenshot is providing no security.

>>shmel+mX
I've been unimpressed with Google's commitment to making the fundamentals of Android great. They seem to prefer doing the minimum required there and putting all their efforts into something more sexy, like generating fake photos that look like they were taken with a 2400mm lens.

I don't want my phone to generate fake photos; I do want it to always let me manually take screenshots, but require turning on a permission that's a little awkward to find to allow an app to do so.

>>NicuCa+1q
Why does a third party want to know the transaction occured?

These seems a bit like a scam. Why can't they ask the recevier?

>>hypeat+(OP)
It is not for preventing you from taking screenshots, if you insist, you can do it with another camera. It is to prevent malware and "helpful" AI tools from doing it for you and then uploading the picture to who knows where. Signal does this too, though I think it is optional.

Beyond preventing screenshots, it blacks out the window content in the task switcher, which is useful if someone is looking over your shoulder. This, by the way, is a good way to check if screenshots are allowed. If the window appears black in the task switcher, screenshots won't work.

The idea is similar to the "**" password fields.

>>looofo+lj
And PDF documents in image form. Usually scans of printed copies.

It is fine for historical documents, but doing today means you really want to piss people off. And by the way, PDF files support signatures, both handwritten and digital. There are ways other than printing a 100+ page document and scanning it just so that your signature shows up on a single one of these pages.

>>mr_mit+Rz
There was a Microsoft Terminal Server "monitoring" application that worked by recording the screen through a series of JPG screenshots. It worked surprisingly well and bypassed all kinds of controls.

>>GuB-42+Gh1
I mean if the goal is to prevent potential malicious apps from taking screenshots automatically; instead of saving a clueless user from themselves or worse getting in the way of legitimate users I believe that the proper solution is to disallow programmatic screenshots while still allowing screenshots when there is the correct button press (and ensure that this cannot be emulated). Windows reserves ctrl-alt-delete as a direct signal to the kernel for security purposes. Why can't android do the same?

>>hypeat+(OP)
> The most frustrating part about this "feature" is that you don't know it's enabled until the screenshot is taken and you're left with a picture of nothing.

That's doesn't sound right. On mine, a message is displayed saying that the app does not allow screenshots, and no image is written to the device.

>>GuB-42+Gh1
It's really stupid idea, that results in photos of sensitive information displayed on my device on other devices that I don't control and sensitive information wrote on paper in random places.

Password fields are inputs. Screens are bi-directional.

>>shmel+mX
When you don’t control the hardware a lot is off the table.

>>teaear+ai2
This is a fine excuse for most everyone, but not Google. They can control the hardware significantly and in some cases like pixel, completely.

They no longer believe in owner control. Either that or they consider themselves the device owner, which is even worse IMHO

>>thmsth+vo1
> the proper solution

includes the ability from a user to take screenshots programmatically in case of need. You do not want third parties to be able to; you want the User (yourself) to be able to.

>>mr_mit+Rz
I think you made bad assumptions. If I installed the APK through a third party, sure, my bad. But then I agree with shmel, that there's still some blame on Google. Like why not have a default where we disable screenshots not performed by a physical action and have an advanced option for API based screenshots? It's not bulletproof but neither is the current implementation.

But if I install via the playstore like most people then no, I don't think it's the user's fault. Testing every single app seems like a big ask but we're also talking about a 3 trillion dollar company. I mean FFS a 1 trillion dollar company didn't even exist 10 years ago and 10 years before that a 500b company barely did. So I think they can stand to lose some profits and do harder work. Really, if we don't hold these companies to high standards then that bar just continues lower and it's a race to the bottom. They'll be as lazy as we let them be

>>teaear+ai2
Sounds like a marketing opportunity to sell more Pixels and get closer to their current dream of becoming Apple

>>izacus+XS
So let's have more of these conversations so the idiots making those standards make fewer dumb rules and we can grease the wheels for anyone passionate enough to try to get it changed

>>high_n+291
Tbf, one could make the argument that there would have been far fewer resources dedicated to computer vision had companies made the data more accessible and had we modified PDFs to make it easier to copy test.

People will go to great lengths to bypass annoyances. Excessive false alarms is even called "alarm fatigue"

>>Cloude+Dv
Sounds like they need to spend more money on security and their "good enough" solutions aren't actually good enough.

>>GuB-42+Gh1
Then ask for my fingerprint after screenshot is made.

>>Foobar+4i
I have checked all my mobile banking apps (3 czech, 1 slovak, 1 lithuanian bank) and all of them can copy my IBAN.

>>godels+4w2
Unfortunately the idiots are often the nation's security agency, or a large consulting company.

You will not have them change their policies if they do not have a good person inside, who will slowly move the boat.

I fought for audit findings because they were pissing me off at a personal level and it wirked. But the auditor did not change their procedure, just reverted the finding. Until the next year.

>>Brando+uZ2
I think you're making the naïve assumption that large organizations are heterogeneous.

The people at the top are idiots because the idiots were able to secure advisory positions. They were able to secure positions because those promoting them were either tricked or idiots themselves. This pattern repeated all the way down.

So I really do mean grease the wheels. And I really mean we won't kill the beast overnight. But we won't make any progress towards fixing things if we won't look at how the problems are created in the first place. We'll only perpetuate the problems if we oversimplify things, as that's exactly what got us into this mess in the first place.

>>GuB-42+Gh1
So in other words, the developers of Android could not figure out how to design a system that could distinguish a screenshot that was initiated by the user versus one initiated by software.

Very impressive.

>>NicuCa+1q
I don't know about your bank/countries, but all of the banking apps in my country I've seen have 1. a "share account details" button that lets you easily paste your IBAN and other details in text form and 2. a "transaction receipt" button that saves a .pdf with the relevant details, that can be sent to the other part (although I agree with the other comment, this .pdf just like a screenshot can be easily spoofed)

>>high_n+291
Isn't it though? You compromise some email provider so that you have read access to the emails of a million people going back 20 years. Literally many billions of emails with petabytes of attachments. Can you do text search on all of that text? Absolutely, an ordinary PC could do that in a realistic amount of time. Can you search the text within all of those images using some kind of computer vision system? Not without your own power plant.

>>caddzo+7s3
i mean, security in depth is a good thing to me.

>>NicuCa+1q
At least in SEPA you have instant payment, which is even better than any proof of the start of the transaction.

>>Anthon+Xd4
>Absolutely, an ordinary PC could do that in a realistic amount of time

Bilions of emails? No, it cannot, not even store it, let alone process it fast enough to make usable

>>godels+ch3
> I think you're making the naïve assumption that large organizations are heterogeneous.

Maybe, but this is what I managed to gather through a 30-year career in tech, in three huge companies, from IT management to SVP.