Semgrep rule mastg-android-sensitive-data-in-screenshot does not detect FLAG_SECURE in many APKs due to decompiler constant substitution #3529
cann3v
started this conversation in
MASWE & MASTG v2 Beta Feedback
Replies: 0 comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Uh oh!
There was an error while loading. Please reload this page.
-
Type: Bug / Rule Improvement
Area: Semgrep rules (Android)
Rule: mastg-android-sensitive-data-in-screenshot
Problem Description
The current Semgrep rule intended to detect the usage of WindowManager.LayoutParams.FLAG_SECURE relies on matching:
addFlags(0x2000)addFlags(WindowManager.LayoutParams.FLAG_SECURE)addFlags(8192)However, this approach is unreliable for APK analysis because detection depends entirely on how the Java code is reconstructed by a decompiler.
Different decompilers frequently substitute the original constant with any other public static final int that shares the same numeric value (0x2000).
Example:
Instead of:
a decompiler may output:
Both refer to the same integer value (0x2000), but the current Semgrep rule fails to detect such cases.
This results in false negatives, causing incorrect evaluations.
Example
Original code:
After decompiling via JADX:
Proposed Fix
There are two potential solutions.
Option A – Add a Smali-based Semgrep rule (recommended)
This is the most reliable and decompiler-agnostic approach. Smali represents bytecode directly, so the constant 0x2000 is preserved exactly.
For example:
This guarantees detection across all APKs, regardless of decompiler behavior.
Option B – Extend the existing Java rule
Add all known alternative constant names that may appear due to decompiler substitution, e.g.:
Updated section of the rule:
This reduces false negatives but still depends on the decompiler and may require maintenance as new aliases appear.
Additional Notes
Beta Was this translation helpful? Give feedback.
All reactions