Electrum crashes unexpectedly when entering seed phrase (due to FLAG_SECURE anti-screenshot mechanism)

Open emja opened this issue 2 years ago • 16 comments

When creating a new wallet Electrum consistently crashes without error immediately after entering the seed words for confirmation. Same behaviour occurs when recovering with existing seed words. Same behaviour occurs when going through process of creating a new wallet, but pressing 'back' at the point of Electrum displaying the seed words. Pressing 'back' at previous steps works fine.

Symptoms persist after phone is rebooted.

  • Android 13
  • Lineage 20-20230702-NIGHTLY-river
  • Electrum 4.4.5.0 (arm64) from electrum.org

I tried using logcat to investigate, too much info and I don't know how to identify what's significant. Also don't want to naively paste here what might be sensitive information.

emja avatar Jul 05 '23 04:07 emja

A fresh install of 4.4.0.0 and 4.4.1.0 do not exhibit this issue, however 4.4.2.0 through 4.4.5.0 do.

emja avatar Jul 10 '23 08:07 emja

Starting from 4.4.2 we dynamically toggle the FLAG_SECURE flag to inhibit screenshots on pages with sensitive data. Also we use a slightly different way to load a native library. We really need logs to pinpoint this issue (can't reproduce myself).

If you use a fresh seed, and filter the logcat output by string 'python' you should not leak anything sensitive.

accumulator avatar Jul 10 '23 09:07 accumulator

Electrum_logcat.txt

Test steps:

  1. Start logcat
  2. Start Electrum 4.4.5.0
  3. Close keyboard
  4. Hit 'next' (Wallet name 'wallet_1')
  5. Hit 'next' (Standard Wallet)
  6. Hit 'next' (Create a new seed)
  7. Wait for seed, hit 'back'
  8. Crash
  9. Close logcat

emja avatar Jul 10 '23 11:07 emja

@emja thank you.

It looks like it really doesn't like the removal of the FLAG_SECURE flag, it gets confused right after. This might be LineageOS specific.

accumulator avatar Jul 10 '23 12:07 accumulator

(related https://github.com/spesmilo/electrum/issues/8351 )

SomberNight avatar Jul 10 '23 13:07 SomberNight

@emja do you use by any chance xposed?

accumulator avatar Jul 10 '23 13:07 accumulator

Nope, never used xposed.

emja avatar Jul 10 '23 22:07 emja

I also have this issue with e/OS and it works with no problem on version 4.4.1.0. Seems these security OS's have issue with it?

normanu avatar Dec 22 '23 23:12 normanu

@accumulator what do you think about adding a setting in preferences, in the advanced section, "always allow screenshots" (or sth like that), as a workaround? It would be disabled by default, but the people using non-stock ROMs could enable it and still use the application. It would work like this:

diff --git a/electrum/gui/qml/qeapp.py b/electrum/gui/qml/qeapp.py
index 38c8926516..c8a7e3847b 100644
--- a/electrum/gui/qml/qeapp.py
+++ b/electrum/gui/qml/qeapp.py
@@ -327,6 +327,8 @@ class QEAppController(BaseCrashReporter, QObject):
     def secureWindow(self, secure):
         if not self.isAndroid():
             return
+        if self.config.GUI_QML_ALWAYS_ALLOW_SCREENSHOTS:
+            return
         if self._secureWindow != secure:
             jpythonActivity.setSecureWindow(secure)
             self._secureWindow = secure
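
Review bot: the early return for GUI_QML_ALWAYS_ALLOW_SCREENSHOTS sits above the "if self._secureWindow != secure" check, so it swallows secureWindow(False) as well as secureWindow(True) and never updates self._secureWindow. If the option is switched on while the window is already secured, nothing clears the flag and the cached state goes stale; either state in the setting's description that it only affects later calls, or handle that transition explicitly. A short comment above the new check saying it is a workaround for devices that crash when the flag is toggled would also help, since it turns the screenshot protection off entirely.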

SomberNight avatar Dec 23 '23 00:12 SomberNight

good idea

accumulator avatar Dec 24 '23 13:12 accumulator

> adding a setting in preferences, in the advanced section, "always allow screenshots", as a workaround

Done in https://github.com/spesmilo/electrum/commit/0dae17339d95aca91a77374c60f2dbc5ea05001d

SomberNight avatar Dec 27 '23 07:12 SomberNight

On devices where we can toggle FLAG_SECURE without crashing, it is also a bit buggy; the view doesn't take the keyboard into account anymore after removing the flag.

accumulator avatar Dec 28 '23 12:12 accumulator

@accumulator in https://github.com/spesmilo/electrum/issues/8351#issuecomment-1531212699, you said

> this.mActivity.getWindow().clearFlags(WindowManager.LayoutParams.FLAG_SECURE);
>
> I've added a dynamic FLAG_SECURE toggle in https://github.com/accumulator/python-for-android/commit/87249fc06adaf75d8b6be8f732a21ac7e8774857 Some testing from the app suggests you can set the flag at any time, but clearing the flag appears to be ineffective.

What device did you use when testing this?

I have now tested without the redraw-hack I suggested in https://github.com/spesmilo/electrum/issues/8351#issuecomment-1531267254, and clearing FLAG_SECURE seems to be working on my phones. I have tested (https://github.com/SomberNight/python-for-android/commit/52727ca88cbe236ae7a1f4fc2db5bbfb22f95ddc) on

  • a samsung running "stock" android 14,
  • a samsung running "stock" android 9,
  • a nexus 5x running "stock" android 8.1

and in all cases, the flag is both successfully applied and cleared, as one would expect.

Still, some comments e.g. on https://stackoverflow.com/a/56460729:

> The clearFlags call is ignored if the view is finished rendering.

> This solution does not work on older Android versions. I've noticed it only works in Android 8 and above.

also hint at issues with clearFlags().

So, I propose we try removing the redraw-hack. I hope that is what is causing the crashes described in this issue. Perhaps on some phones clearFlags() won't actually clear FLAG_SECURE, and then those phones will not be able to take screenshots (unless they set the config flag). However that is better than crashing on other phones.

SomberNight avatar Feb 21 '24 19:02 SomberNight

> @accumulator in #8351 (comment), you said
>
> > this.mActivity.getWindow().clearFlags(WindowManager.LayoutParams.FLAG_SECURE);
> >
> > I've added a dynamic FLAG_SECURE toggle in accumulator/python-for-android@87249fc Some testing from the app suggests you can set the flag at any time, but clearing the flag appears to be ineffective.
>
> What device did you use when testing this?

At the time I tested with a samsung stock android 7 and an android 10 or 11 aliendalvik and a number of android versions in a (x86) emulator.

> I have now tested without the redraw-hack I suggested in #8351 (comment), and clearing FLAG_SECURE seems to be working on my phones. I have tested (SomberNight/python-for-android@52727ca) on
>
>   • a samsung running "stock" android 14,
>   • a samsung running "stock" android 9,
>   • a nexus 5x running "stock" android 8.1
>
> and in all cases, the flag is both successfully applied and cleared, as one would expect.

Great!

> Still, some comments e.g. on https://stackoverflow.com/a/56460729:
>
> > The clearFlags call is ignored if the view is finished rendering.

Not sure how to interpret 'finished rendering' as Qt uses a single view as a canvas. But, as the clearFlags without the hack seems to work for your test phones..

> > This solution does not work on older Android versions. I've noticed it only works in Android 8 and above.
>
> also hint at issues with clearFlags().
>
> So, I propose we try removing the redraw-hack. I hope that is what is causing the crashes described in this issue. Perhaps on some phones clearFlags() won't actually clear FLAG_SECURE, and then those phones will not be able to take screenshots (unless they set the config flag). However that is better than crashing on other phones.

Agreed.

accumulator avatar Feb 22 '24 09:02 accumulator

Seems to work without hack as well here on android 14

accumulator avatar Feb 22 '24 09:02 accumulator

> So, I propose we try removing the redraw-hack. I hope that is what is causing the crashes described in this issue.

Done in https://github.com/spesmilo/electrum/commit/b84a7508a36c492a4abf8785460fb2a251e02097

SomberNight avatar Feb 22 '24 12:02 SomberNight