[feature/confidential-protection] Confidential Content Protection #1430
base: master
This update introduces screenshot protection for confidentially marked views in the app and the share sheet extension. When a screenshot is taken, confidential views will not display their content in the screenshot. To discourage taking photos of confidential views, these views now include a watermark displaying the account’s email and username. Screenshot protection can be enabled via an MDM parameter.

Additionally, to prevent sharing confidential data when screenshot protection or confidential view marking is enabled, the following features are disabled:
- File Provider access
- Shortcuts Intents
- System sharing dialog actions
- Copying files
- Text recognition on images

This behavior can be overridden using an MDM parameter; however, overriding it is not recommended.

- Adjusted watermark angle for improved alignment
- Updated GitHub Action workflow:
  - Fetch the latest available OS version
  - Retrieve iPhone simulator device for the selected OS version
To fix CI I suggest using this action: https://github.com/marketplace/actions/mxcl-xcodebuild
In a second step let's define different combinations which we want to build and test in the future.
- Updated default values for confidential MDM settings
- Adjusted rotation angle for confidential text
- Added a subtitle to small confidential views and modified text color opacity

- Preserved accessory views by ensuring watermarks are not applied to them
- Added missing file from the last commit
First, preliminary and exploratory testing, with commit

Assumed: protection only affects to:

is that right?

1. Screenshot protection

Using the following set up:

ScreenRecording_12-18-2024.12-22-30_1.MP4

are the username and the account sensible information? the issue is even more visible in iPad, where the sidebar menu is always in foreground.

2. Watermarking

no issues detected at this point.

3. confidential.allow-overwrite-confidential-mdm-settings

that was just a first preliminary testing, final testing will be done when CR passed. This first step helped to design the feature test plan.
@hosy There is a redraw error when switching the collection view layout from list to grid or other formats. This issue needs to be fixed.
@@ -0,0 +1,101 @@ | |||
// |
It appears this code / `ConfidentalManager` (without `i`) is not used, has been implemented in `ownCloudAppFramework/ConfidentialManager` (with `i`) instead and this entire file can be removed.
} | ||
|
||
- (BOOL)allowScreenshots { | ||
id value = [ConfidentialManager classSettingForOCClassSettingsKey:OCClassSettingsKeyAllowScreenshots]; |
Please use the proper type (`NSNumber *` instead of `id`) here.
} | ||
|
||
- (BOOL)markConfidentialViews { | ||
id value = [ConfidentialManager classSettingForOCClassSettingsKey:OCClassSettingsKeyMarkConfidentialViews]; |
Please use the proper type (`NSNumber *` instead of `id`) here.
|
||
- (BOOL)allowOverwriteConfidentialMDMSettings { | ||
BOOL confidentialSettingsEnabled = self.confidentialSettingsEnabled; | ||
id value = [ConfidentialManager classSettingForOCClassSettingsKey:OCClassSettingsKeyAllowOverwriteConfidentialMDMSettings]; |
Please use the proper type (`NSNumber *` instead of `id`) here.
@property (assign, readonly) BOOL markConfidentialViews; | ||
@property (assign, readonly) BOOL allowOverwriteConfidentialMDMSettings; | ||
@property (assign, readonly) BOOL confidentialSettingsEnabled; | ||
@property (nonatomic, readonly, nullable) NSArray<NSString *> *disallowedActions; |
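Review bot: `disallowedActions` is declared `nullable` with no documentation of what nil means. For a deny list, a caller can read nil as "nothing is disallowed", so a missing or malformed setting could lift the restrictions; add a header comment that defines the nil and empty-array cases, and consider returning a non-null array. The three BOOL properties above it omit `nonatomic` while this one has it; pick one form for consistency.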
Please use `NSArray<OCExtensionIdentifier> *` instead of `NSArray<NSString *> *` to make it easier to understand what that property returns.
return secureView | ||
} | ||
|
||
let view = UIView() |
If this line of code is reached, no screenshot-protecting CanvasView could be found and there will not be any screenshot protection.
Returning a `UIView` here will keep the view structure intact, but nothing will prevent a screenshot from being taken.
Something to discuss: should the app have this fallback and continue to work even if the protection no longer is in place? Should the app crash? Should that decision be determined by us (and hardcoded) - or be configurable?
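The two behaviours weighed in the comment above, as an added example that is not part of this PR or the project's code. The names `ProtectionFailurePolicy`, `protectedContainer`, `pin` and `install` are hypothetical, and the lookup assumes the protected view is the secure text field's subview whose class name contains "CanvasView"; `Logger` requires iOS 14.

```swift
import UIKit
import os

enum ProtectionFailurePolicy {   // hypothetical type, added for illustration
    case failClosed  // never show confidential content without protection
    case failOpen    // keep the app usable, but record the loss of protection
}

private let protectionLog = Logger(subsystem: "example.confidential", category: "screenshot")

/// Looks up the screenshot-protected view inside a secure text field.
/// Assumption: it is the subview whose class name contains "CanvasView".
/// This is UIKit-internal, so the lookup can return nil on a future iOS release.
func protectedContainer() -> UIView? {
    let field = UITextField()
    field.isSecureTextEntry = true
    return field.subviews.first { String(describing: type(of: $0)).contains("CanvasView") }
}

func pin(_ child: UIView, to parent: UIView) {
    child.translatesAutoresizingMaskIntoConstraints = false
    parent.addSubview(child)
    NSLayoutConstraint.activate([
        child.topAnchor.constraint(equalTo: parent.topAnchor),
        child.bottomAnchor.constraint(equalTo: parent.bottomAnchor),
        child.leadingAnchor.constraint(equalTo: parent.leadingAnchor),
        child.trailingAnchor.constraint(equalTo: parent.trailingAnchor)
    ])
}

/// Installs `content` in `host`. Returns true only if it is screenshot-protected.
@discardableResult
func install(confidential content: UIView, in host: UIView, policy: ProtectionFailurePolicy) -> Bool {
    if let secure = protectedContainer() {
        pin(secure, to: host)
        pin(content, to: secure)
        return true
    }
    // Either way, make the missing protection visible in the device logs.
    protectionLog.fault("No CanvasView found: screenshot protection unavailable")
    guard policy == .failOpen else {
        let notice = UILabel()
        notice.text = "Content hidden: screenshot protection is unavailable."
        pin(notice, to: host)      // content is never added to the hierarchy
        return false
    }
    pin(content, to: host)         // unprotected fallback, like the plain UIView
    return false
}
```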
@@ -86,6 +86,12 @@ open class MoreViewHeader: UIView { | |||
|
|||
private func render() { | |||
cssSelectors = [.more, .header] | |||
|
|||
let secureView = SecureTextField().secureContainerView |
The suggestions about unifying the code to inject a secure container that I made in `BrowserNavigationViewController.swift` would also apply here.
@@ -172,6 +172,9 @@ public class ClientLocationPicker : NSObject { | |||
} | |||
|
|||
allowedLocationFilter = { (targetLocation, context) in | |||
OnMainThread { | |||
self.headerView?.secureView(core: context?.core) |
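Review bot: `context?.core` in the `secureView(core:)` call can be nil, and the whole call is skipped when `headerView` is nil; neither case is handled or logged. The watermark is described as showing the account's email and username, so state what `secureView(core:)` renders without a core and make sure the header cannot end up displayed without its marking.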
The use of `self` here might create a retain-loop.
Also view management code shouldn't be placed into this closure, if only because it could be called more than once and a new watermark view would be added on every call.
@@ -259,7 +259,18 @@ open class ShareViewController: CollectionViewController, SearchViewControllerDe | |||
|
|||
open override func viewDidLoad() { | |||
super.viewDidLoad() | |||
|
|||
|
|||
let secureView = SecureTextField().secureContainerView |
The suggestions about unifying the code to inject a secure container that I made in `BrowserNavigationViewController.swift` would also apply here.
@@ -167,10 +167,14 @@ open class CollectionViewController: UIViewController, UICollectionViewDelegate, | |||
public override func loadView() { | |||
super.loadView() | |||
|
|||
let secureView = SecureTextField().secureContainerView |
The suggestions about unifying the code to inject a secure container that I made in `BrowserNavigationViewController.swift` would also apply here.
Description
Confidential View and Screenshot Protection
This update introduces screenshot protection for confidentially marked views in the app and the share sheet extension. When a screenshot is taken, confidential views will not display their content in the screenshot.
To discourage taking photos of confidential views, these views now include a watermark displaying the account’s email and username.
Screenshot protection can be enabled via an MDM parameter.
File or path names displayed in UI elements that are difficult to watermark are redacted after the third character. This ensures the user can identify the file or path name to some extent, but it remains unreadable for security.
Additionally, to prevent sharing confidential data when screenshot protection or confidential view marking is enabled, the following features are disabled:
This behavior can be overridden using an MDM parameter; however, overriding it is not recommended.
MDM Parameter
confidential.allow-screenshots
confidential.mark-confidential-views
confidential.allow-overwrite-confidential-mdm-settings
Screenshots
Confidential View
Screenshot Protection
Testing
Add at least one of the following MDM parameters to the `Branding.plist`:
- `confidential.allow-screenshots` `Boolean` `NO`
- `confidential.mark-confidential-views` `Boolean` `YES`

If you want to allow File Provider access or Actions set the key `confidential.allow-overwrite-confidential-mdm-settings` to `Boolean` `YES`.

Screenshot protection is only working on a physical device!
What to test: