One of the behind-the-scenes levers in Android that app publishers and even device manufacturers on the system side of things can pull to protect any contents from being purloined with a screengrab of any sort is the secure flag (that’s FLAG_SECURE for the devs in the back). It’s great for enforcing copyright to the chagrin of DRM haters everywhere —there are ways of getting around it, but fewer than there were years ago and, as such, more complex — but it’s also terrific for protecting the goods in your password manager. But do you really need that sort of coverage when you’re just trying to share your Wi-Fi credentials with visitors at your house? Google seems to think so.
The renowned explorer of Android Mishaal Rahman picked up ona Google Issue Tracker threadfrom yesterday where a Pixel 7 owner onAndroid 13 QPR2 Beta 3was just trying to screenshot the QR code off of the Wi-Fi sharing page — which, by the way, requires authentication if you’ve set it up to access. But instead of getting a proper screenshot, all they got was a blank screen.
We were able to reproduce it on a Pixel 6a with the same beta.
“Why do I need to ask Google’s permission to take a screenshot on my own phone,” lamented the complainant, “and why can Google deny it? Why does Google prevent me from using my own phone the way I want to? Is it mandatory to use a custom ROM to enjoy my own devices? I don’t understand.”
A Google engineer promptly responded, saying that the feature was working as intended and will not be fixed. Further user sanctimony commenced with a couple more comments downstream.
Rahman notes that FLAG_SECURE was actually added to the Wi-Fi sharing activity back withQPR2 Beta 1, just very quietly.
Wi-Fi credential sharing through QR codes is about a half-step more secure than sharing a plaintext password, which you can’t do right from the network selection menu. That doesn’t help in certain situations where you’re trying to log onto the network with a new device that doesn’t support reading QR codes — which aregreat things, if you haven’t heard — and you can’t remember the actual password off-hand.
Without the secure flag, users could screenshot andread the QR codeon their home Android device to get the plaintext password (also listed underneath said QR code on Pixels, but not every Android device) that they could then input to their destination device. With the flag in place, well, everything’s just that much more difficult if you need to involve a third device that can read QR codes or if you need to root your phone to bypass the flag.
But God forbid we have to ask a barista or IT for the password again.
