feat: screen capture detection (#29)

* Add Screen Capture detection and prevention

* run prettier for formating ts files

* add ios support

* feat: register screen recording after Talsec.start

* Update android/build.gradle

Co-authored-by: Tomas Psota <72520867+tompsota@users.noreply.github.com>

* Update android/build.gradle

Co-authored-by: Tomas Psota <72520867+tompsota@users.noreply.github.com>

* Update android/build.gradle

Co-authored-by: Tomas Psota <72520867+tompsota@users.noreply.github.com>

* fix PR Comments

* feat: apply minifyEnabled in the plugin

* fix PR Comments

* chore: add dev team to ios example

* release: freeRASP 1.10.0

* feat(Android): add registered flag to screen protector

* Update CHANGELOG.md

---------

Co-authored-by: Tomas Psota <to.psota@gmail.com>
Co-authored-by: Tomas Psota <72520867+tompsota@users.noreply.github.com>

Author: Ahmad-Ayman

CHANGELOG.md

@@ -5,6 +5,46 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [1.10.0] - 2025-03-05
+
+- iOS SDK version:  6.8.0
+- Android SDK version: 14.0.1
+
+### Capacitor
+
+#### Added
+
+- `blockScreenCapture` method to block/unblock screen capture
+- `isScreenCaptureBlocked` method to get the current screen capture blocking status
+- New callbacks:
+    - `screenshot`: Detects when a screenshot is taken
+    - `screenRecording`: Detects when screen recording is active
+
+#### Changed
+
+- Raised Android compileSDK level to 35
+- Set minifyEnabled in plugin to `true` implicitly on Android
+
+### Android
+
+#### Added
+
+- Passive and active screenshot/screen recording protection
+
+#### Changed
+
+- Improved root detection
+
+#### Fixed
+
+- Proguard rules to address warnings from okhttp dependency
+
+### iOS
+
+#### Added
+
+- Passive Screenshot/Screen Recording detection
+
 ## [1.9.0] - 2024-12-29
 
 - iOS SDK version:  6.6.3

android/build.gradle

@@ -27,19 +27,17 @@ apply plugin: 'kotlinx-serialization'
 
 android {
     namespace "com.aheaditec.freerasp"
-    compileSdkVersion project.hasProperty('compileSdkVersion') ? rootProject.ext.compileSdkVersion : 33
+    compileSdk 35
     defaultConfig {
         minSdkVersion 23
-        targetSdkVersion project.hasProperty('targetSdkVersion') ? rootProject.ext.targetSdkVersion : 33
+        targetSdkVersion 35
         versionCode 1
         versionName "1.0"
         testInstrumentationRunner "androidx.test.runner.AndroidJUnitRunner"
-        // now, the rule skips all classes of Capacitor plugin for freeRASP
-        consumerProguardFiles 'consumer-rules.pro'
     }
     buildTypes {
         release {
-            minifyEnabled false
+            minifyEnabled true
             proguardFiles getDefaultProguardFile('proguard-android.txt'), 'proguard-rules.pro'
         }
     }
@@ -78,5 +76,5 @@ dependencies {
     androidTestImplementation "androidx.test.ext:junit:$androidxJunitVersion"
     androidTestImplementation "androidx.test.espresso:espresso-core:$androidxEspressoCoreVersion"
 
-    implementation 'com.aheaditec.talsec.security:TalsecSecurity-Community-Capacitor:13.2.0'
+    implementation 'com.aheaditec.talsec.security:TalsecSecurity-Community-Capacitor:14.0.1'
 }

android/consumer-rules.pro

@@ -19,3 +19,5 @@
 # If you keep the line number information, uncomment this to
 # hide the original source file name.
 #-renamesourcefileattribute SourceFile
+
+-dontwarn java.lang.invoke.StringConcatFactory

android/proguard-rules.pro

@@ -1,5 +1,6 @@
 package com.aheaditec.freerasp
 
+import android.os.Build
 import android.os.Handler
 import android.os.HandlerThread
 import android.os.Looper
@@ -17,7 +18,6 @@ import com.getcapacitor.PluginCall
 import com.getcapacitor.PluginMethod
 import com.getcapacitor.annotation.CapacitorPlugin
 import org.json.JSONArray
-import java.lang.Exception
 
 @CapacitorPlugin(name = "Freerasp")
 class FreeraspPlugin : Plugin() {
@@ -38,8 +38,16 @@ class FreeraspPlugin : Plugin() {
             listener.registerListener(context)
             bridge.activity.runOnUiThread {
                 Talsec.start(context, talsecConfig)
+                mainHandler.post {
+                    talsecStarted = true
+                    // This code must be called only AFTER Talsec.start
+                    if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.UPSIDE_DOWN_CAKE) {
+                        ScreenProtector.register(activity)
+                    }
+                    call.resolve(JSObject().put("started", true))
+                }
             }
-            call.resolve(JSObject().put("started", true))
+
         } catch (e: Exception) {
             call.reject(
                 "Error during Talsec Native plugin initialization - ${e.message}",
@@ -49,6 +57,13 @@ class FreeraspPlugin : Plugin() {
         }
     }
 
+    override fun handleOnStart() {
+        super.handleOnStart()
+        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.UPSIDE_DOWN_CAKE) {
+            ScreenProtector.register(activity)
+        }
+    }
+
     override fun handleOnPause() {
         super.handleOnPause()
         if (activity.isFinishing) {
@@ -65,6 +80,13 @@ class FreeraspPlugin : Plugin() {
         }
     }
 
+    override fun handleOnStop() {
+        super.handleOnStop()
+        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.UPSIDE_DOWN_CAKE) {
+            ScreenProtector.unregister(activity)
+        }
+    }
+
     override fun handleOnDestroy() {
         super.handleOnDestroy()
         backgroundHandlerThread.quitSafely()
@@ -142,6 +164,49 @@ class FreeraspPlugin : Plugin() {
         }
     }
 
+    /**
+     * Method to set screen capture state
+     * @param enable Pass `true` to block screen capture, `false` to enable it
+     */
+    @PluginMethod
+    fun blockScreenCapture(call: PluginCall) {
+        val enable = call.getBoolean("enable") ?: run {
+            call.reject(
+                "Enable argument is missing or not a boolean.", "MissingArgumentError"
+            )
+            return
+        }
+
+        activity?.runOnUiThread {
+            try {
+                Talsec.blockScreenCapture(context, enable)
+                call.resolve(JSObject().put("result", true))
+            } catch (e: Exception) {
+                call.reject(
+                    "Error while setting screen capture: ${e.message}", "BlockScreenCaptureError"
+                )
+            }
+        } ?: run {
+            call.reject("Cannot block screen capture, activity is null.", "BlockScreenCaptureError")
+        }
+    }
+
+    /**
+     * Method to check if screen capturing is currently blocked
+     */
+    @PluginMethod
+    fun isScreenCaptureBlocked(call: PluginCall) {
+        try {
+            val isBlocked = Talsec.isScreenCaptureBlocked()
+            call.resolve(JSObject().put("result", isBlocked))
+        } catch (e: Exception) {
+            call.reject(
+                "Error while checking if screen capture is blocked: ${e.message}",
+                "IsScreenCaptureBlockedError"
+            )
+        }
+    }
+
     internal fun notifyListeners(threat: Threat) {
         notifyListeners(THREAT_CHANNEL_NAME, JSObject().put(THREAT_CHANNEL_KEY, threat.value), true)
     }
@@ -179,6 +244,7 @@ class FreeraspPlugin : Plugin() {
         return talsecBuilder.build()
     }
 
+
     companion object {
         private val THREAT_CHANNEL_NAME = (10000..999999999).random()
             .toString() // name of the channel over which threat callbacks are sent
@@ -189,5 +255,7 @@ class FreeraspPlugin : Plugin() {
         private val backgroundHandlerThread = HandlerThread("BackgroundThread").apply { start() }
         private val backgroundHandler = Handler(backgroundHandlerThread.looper)
         private val mainHandler = Handler(Looper.getMainLooper())
+
+        internal var talsecStarted = false
     }
 }

android/src/main/java/com/aheaditec/freerasp/FreeraspPlugin.kt

@@ -0,0 +1,162 @@
+package com.aheaditec.freerasp
+
+import android.annotation.SuppressLint
+import android.app.Activity
+import android.app.Activity.ScreenCaptureCallback
+import android.content.Context
+import android.content.pm.PackageManager
+import android.os.Build
+import android.util.Log
+import android.view.WindowManager.SCREEN_RECORDING_STATE_VISIBLE
+import androidx.annotation.RequiresApi
+import androidx.core.content.ContextCompat
+import com.aheaditec.talsec_security.security.api.Talsec
+import java.util.function.Consumer
+
+@RequiresApi(Build.VERSION_CODES.UPSIDE_DOWN_CAKE)
+internal object ScreenProtector {
+    private const val TAG = "TalsecScreenProtector"
+    private const val SCREEN_CAPTURE_PERMISSION = "android.permission.DETECT_SCREEN_CAPTURE"
+    private const val SCREEN_RECORDING_PERMISSION = "android.permission.DETECT_SCREEN_RECORDING"
+    private var registered = false
+    private val screenCaptureCallback = ScreenCaptureCallback { Talsec.onScreenshotDetected() }
+    private val screenRecordCallback: Consumer<Int> = Consumer<Int> { state ->
+        if (state == SCREEN_RECORDING_STATE_VISIBLE) {
+            Talsec.onScreenRecordingDetected()
+        }
+    }
+
+    /**
+     * Registers screenshot and screen recording detector with the given activity
+     *
+     * **IMPORTANT**: android.permission.DETECT_SCREEN_CAPTURE and
+     * android.permission.DETECT_SCREEN_RECORDING must be
+     * granted for the app in the AndroidManifest.xml
+     */
+    internal fun register(activity: Activity) {
+        if (!FreeraspPlugin.talsecStarted || registered) {
+            return
+        }
+
+        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.UPSIDE_DOWN_CAKE) {
+            registerScreenCapture(activity)
+        }
+
+        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.VANILLA_ICE_CREAM) {
+            registerScreenRecording(activity)
+        }
+        registered = true
+    }
+
+    /**
+     * Register Talsec Screen Capture (screenshot) Detector for given activity instance.
+     * The MainActivity of the app is registered by the plugin itself, other
+     * activities bust be registered manually as described in the integration guide.
+     *
+     * Missing permission is suppressed because the decision to use the screen
+     * capture API is made by developer, and not enforced by the library.
+     *
+     * **IMPORTANT**: android.permission.DETECT_SCREEN_CAPTURE (API 34+) must be
+     * granted for the app in the AndroidManifest.xml
+     */
+    @SuppressLint("MissingPermission")
+    @RequiresApi(Build.VERSION_CODES.UPSIDE_DOWN_CAKE)
+    private fun registerScreenCapture(activity: Activity) {
+        val context = activity.applicationContext
+        if (!hasPermission(context, SCREEN_CAPTURE_PERMISSION)) {
+            reportMissingPermission("screenshot", SCREEN_CAPTURE_PERMISSION)
+            return
+        }
+
+        activity.registerScreenCaptureCallback(context.mainExecutor, screenCaptureCallback)
+    }
+
+    /**
+     * Register Talsec Screen Recording Detector for given activity instance.
+     * The MainActivity of the app is registered by the plugin itself, other
+     * activities bust be registered manually as described in the integration guide.
+     *
+     * Missing permission is suppressed because the decision to use the screen
+     * capture API is made by developer, and not enforced by the library.
+     *
+     * **IMPORTANT**: android.permission.DETECT_SCREEN_RECORDING (API 35+) must be
+     * granted for the app in the AndroidManifest.xml
+     */
+    @SuppressLint("MissingPermission")
+    @RequiresApi(Build.VERSION_CODES.VANILLA_ICE_CREAM)
+    private fun registerScreenRecording(activity: Activity) {
+        val context = activity.applicationContext
+        if (!hasPermission(context, SCREEN_RECORDING_PERMISSION)) {
+            reportMissingPermission("screen record", SCREEN_RECORDING_PERMISSION)
+            return
+        }
+
+        val initialState = activity.windowManager.addScreenRecordingCallback(
+            context.mainExecutor, screenRecordCallback
+        )
+        screenRecordCallback.accept(initialState)
+
+    }
+
+    /**
+     * Unregisters screenshot and screen recording detector with the given activity
+     *
+     * **IMPORTANT**: android.permission.DETECT_SCREEN_CAPTURE and
+     * android.permission.DETECT_SCREEN_RECORDING must be
+     * granted for the app in the AndroidManifest.xml
+     */
+    @SuppressLint("MissingPermission")
+    @RequiresApi(Build.VERSION_CODES.UPSIDE_DOWN_CAKE)
+    internal fun unregister(activity: Activity) {
+        if (!FreeraspPlugin.talsecStarted || !registered) {
+            return
+        }
+
+        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.UPSIDE_DOWN_CAKE) {
+            unregisterScreenCapture(activity)
+        }
+
+        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.VANILLA_ICE_CREAM) {
+            unregisterScreenRecording(activity)
+        }
+        registered = false
+    }
+
+    // Missing permission is suppressed because the decision to use the screen capture API is made
+    // by developer, and not enforced by the library.
+    @SuppressLint("MissingPermission")
+    @RequiresApi(Build.VERSION_CODES.UPSIDE_DOWN_CAKE)
+    private fun unregisterScreenCapture(activity: Activity) {
+        val context = activity.applicationContext
+        if (!hasPermission(context, SCREEN_CAPTURE_PERMISSION)) {
+            return
+        }
+        activity.unregisterScreenCaptureCallback(screenCaptureCallback)
+    }
+
+    // Missing permission is suppressed because the decision to use the screen capture API is made
+    // by developer, and not enforced by the library.
+    @SuppressLint("MissingPermission")
+    @RequiresApi(Build.VERSION_CODES.VANILLA_ICE_CREAM)
+    private fun unregisterScreenRecording(activity: Activity) {
+        val context = activity.applicationContext
+        if (!hasPermission(context, SCREEN_RECORDING_PERMISSION)) {
+            return
+        }
+
+        activity.windowManager?.removeScreenRecordingCallback(screenRecordCallback)
+    }
+
+    private fun hasPermission(context: Context, permission: String): Boolean {
+        return ContextCompat.checkSelfPermission(
+            context, permission
+        ) == PackageManager.PERMISSION_GRANTED
+    }
+
+    private fun reportMissingPermission(protectionType: String, permission: String) {
+        Log.e(
+            TAG,
+            "Failed to register $protectionType callback. Check if $permission permission is granted in AndroidManifest.xml"
+        )
+    }
+}

android/src/main/java/com/aheaditec/freerasp/ScreenProtector.kt

@@ -25,6 +25,8 @@ internal sealed class Threat(val value: Int) {
     object DevMode : Threat((10000..999999999).random())
     object Malware : Threat((10000..999999999).random())
     object ADBEnabled : Threat((10000..999999999).random())
+    object Screenshot : Threat((10000..999999999).random())
+    object ScreenRecording : Threat((10000..999999999).random())
 
     companion object {
         internal fun getThreatValues(): JSONArray {
@@ -44,7 +46,9 @@ internal sealed class Threat(val value: Int) {
                     ObfuscationIssues.value,
                     DevMode.value,
                     Malware.value,
-                    ADBEnabled.value
+                    ADBEnabled.value,
+                    Screenshot.value,
+                    ScreenRecording.value
                 ))
             )
         }