How to programmatically detect if any screen recording process/app is running in Android?

Question

I don't want users to take screenshot or record screen of my app. I have added secure flag to the window. This prevents user from taking screenshots and recording screen.

If the screen recording is on, my app prevents the content from being recorded but the audio gets recorded.

On some rooted devices, the secure flags may not work as expected. So I just want to detect if any screen recording app/process is running in background so that I can hide sensitive data and prevent it from being recorded.

Is there any way I can detect if the screen recording is on?

Answer 1

Is there any way I can detect if the screen recording is on?

No.

So I just want to detect if any screen recording app/process is running in background so that I can hide sensitive data and prevent it from being recorded.

Since screen recording does not require a recording-specific app or a process (e.g., adb shell screenrecord), and since you have no way of knowing particular apps or processes that are using the media projection API, this seems impractical. And, on modern versions of Android, you have no way of knowing what other processes are running, anyway. Plus, there is nothing stopping the user from pointing another camera at the device screen and recording its contents that way.

I don't want users to take screenshot or record screen of my app

Then do not write the app. The idea behind FLAG_SECURE is to help defend the user against third parties, not to defend the developer against the user.

Answer 2

The answer here is really just general for security. Once data flows to someone's device then you must assume that they can get full, unrestricted access to it. Everything else is in some sense just obfuscation. It is just making it a little more difficult at best. Even if the device's software provides some protection, the user has physical access to the device and can root it. At some point data has to be unencrypted and deobfuscated, so that it can be shown to the user and a malicious user can MITM that. If you want better security then it needs to be provided by the device via hardware. This was a big issue with movies being streamed to mobile devices at first. Device's needed a special hardware encrypted channel that decrypts to some ungodly amount of data per second making it difficult to write back to a disk if someone tried to MITM the unencrypted data on it's way to the screen.

Now the above is just to show that it is impossible to guarntee that you can control the data when it goes to a user's device. Instead, you should take a step back and ask what you are trying to accomplish? What type of behavior are you trying to prevent? If a small number of technically savvy users are able to workaround your protections, is that okay or a big deal? What is an acceptable rate of data "leaking". This really depends on how sensitive the data is and what type of guarantee you are telling users you have over it. This aspect is 100% the most critical part. If you are telling users that the data they sent is guaranteed to be ephemeral then that is impossible. Trying to build that and patch all the holes and play the whack a mole game is a losing battle. The only way to win is not to play.