Anti‑Screenshot and Screen‑Recording Protection Strategies for Mobile Applications (iOS & Android)
This article explains how to prevent screenshots and screen recordings on Android by using FLAG_SECURE and on iOS by monitoring screenshot and capture notifications, detailing the Baidu Account SDK’s cross‑platform implementation and emphasizing the importance of such protections for apps handling sensitive user data.
In mobile application development, protecting user privacy and preventing the leakage of sensitive information through screen capture or recording is a critical security concern. This article introduces common techniques for preventing screenshots and screen recordings on both Android and iOS platforms, and describes a practical implementation within the Baidu Account SDK.
Android Platform
Android's window manager provides the FLAG_SECURE window flag (present since API level 1), which marks a window as secure: its content is excluded from screenshots and from non‑secure displays, which is also what a screen recording or a mirrored display is. The flag applies per window, so an Activity, each Dialog and each PopupWindow that shows sensitive content must set it separately. Developers enable it in an Activity with:
```java
getWindow().addFlags(WindowManager.LayoutParams.FLAG_SECURE);
```
When a screenshot is attempted, the system shows a toast reading “禁止屏幕抓取” (“screen capture is prohibited”). When a screen recording is started, the secure window appears as a black area in the recorded video, while the device itself continues to operate normally.
```java
/** Window flag: treat the content of the window as secure, preventing
 * it from appearing in screenshots or from being viewed on non-secure
 * displays.
 */
public static final int FLAG_SECURE = 0x00002000;
```
Internally, the Android graphics system creates a Surface for each Activity window. When FLAG_SECURE is set, the corresponding Surface (a layer in SurfaceFlinger) is marked SECURE, and SurfaceFlinger refuses to capture that layer unless the caller holds the system permission that allows capturing blacked‑out content:
```cpp
bool canCaptureBlackoutContent = hasCaptureBlackoutContentPermission();
if (!canCaptureBlackoutContent && parent->getDrawingState().flags & layer_state_t::eLayerSecure) {
    ALOGW("Attempting to capture secure layer: PERMISSION_DENIED");
    return PERMISSION_DENIED;
}
```
iOS Platform
iOS does not provide a direct API to block screenshots or recordings. Instead, developers can rely on system notifications:
UIApplicationUserDidTakeScreenshotNotification (available since iOS 7) is posted after a user takes a screenshot.
UIScreenCapturedDidChangeNotification (available since iOS 11) is posted whenever the screen's capture state changes, that is both when recording, mirroring or AirPlay starts and when it stops; the handler should read the property UIScreen.isCaptured to tell which.
```objc
// Notification posted after a screenshot is taken
UIKIT_EXTERN NSNotificationName const UIApplicationUserDidTakeScreenshotNotification API_AVAILABLE(ios(7.0));
// Notification posted when screen capture state changes
UIKIT_EXTERN NSNotificationName const UIScreenCapturedDidChangeNotification API_AVAILABLE(ios(11.0)) API_UNAVAILABLE(visionos);
```
Starting with iOS 13, a UITextField with secureTextEntry set to YES (isSecureTextEntry in Swift) has its content rendered as a blank area in screenshots and recordings. By adding custom subviews to the field's private UITextLayoutCanvasView, developers can build a protected view hierarchy that is blanked out whenever a capture occurs. This relies on the undocumented internal view structure of UITextField, which can change between iOS releases, so it must be re‑verified on each release and should degrade safely (by not rendering the sensitive data) when the canvas view cannot be found.
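The following Swift class is an added example of the secure‑text‑field trick just described; it is not code from the Baidu Account SDK. The class name SecureContentView, the BalanceViewController usage and the sample balance string are constructed for illustration. It locates the canvas by matching "CanvasView" in the private class name (the article names UITextLayoutCanvasView; earlier releases used a different private name), re‑parents the canvas into the container so it can be laid out and receive touches, and reports through isProtected whether the canvas was found so the caller can refuse to render sensitive data otherwise.

```swift
import UIKit

// Added example (not Baidu Account SDK code): a container whose subviews are
// blanked out in screenshots and screen recordings on iOS 13+, built on the
// capture masking that isSecureTextEntry gives a UITextField's private canvas view.
final class SecureContentView: UIView {

    // Retained so the field that owns the canvas stays alive as long as the container.
    private let secureField: UITextField

    /// Add the views that must not appear in captures to this view, not to `self`.
    let contentView: UIView

    /// False when the private canvas could not be found (e.g. after an iOS change);
    /// callers should then treat the container as unprotected.
    let isProtected: Bool

    override init(frame: CGRect) {
        let field = UITextField()
        field.isSecureTextEntry = true          // the property that makes the canvas capture-safe
        field.isUserInteractionEnabled = false

        // Private view structure: the canvas class is UITextLayoutCanvasView on
        // recent releases and was named differently before, so match on "CanvasView".
        // This is introspection of undocumented internals; re-check it on every iOS release.
        if let canvas = field.subviews.first(where: {
            NSStringFromClass(type(of: $0)).contains("CanvasView")
        }) {
            contentView = canvas
            isProtected = true
        } else {
            contentView = UIView()
            isProtected = false
        }
        secureField = field
        super.init(frame: frame)

        // Re-parent the canvas so it fills the container and accepts touches; the
        // masking belongs to the canvas layer itself and survives the move.
        contentView.isUserInteractionEnabled = true
        contentView.translatesAutoresizingMaskIntoConstraints = false
        addSubview(contentView)
        NSLayoutConstraint.activate([
            contentView.leadingAnchor.constraint(equalTo: leadingAnchor),
            contentView.trailingAnchor.constraint(equalTo: trailingAnchor),
            contentView.topAnchor.constraint(equalTo: topAnchor),
            contentView.bottomAnchor.constraint(equalTo: bottomAnchor),
        ])
    }

    required init?(coder: NSCoder) {
        fatalError("SecureContentView is created in code only")
    }
}

// Constructed usage: a label showing a balance that must not leak through captures.
final class BalanceViewController: UIViewController {
    override func viewDidLoad() {
        super.viewDidLoad()
        view.backgroundColor = .systemBackground

        let secure = SecureContentView(frame: .zero)
        secure.translatesAutoresizingMaskIntoConstraints = false
        view.addSubview(secure)
        NSLayoutConstraint.activate([
            secure.leadingAnchor.constraint(equalTo: view.safeAreaLayoutGuide.leadingAnchor, constant: 16),
            secure.trailingAnchor.constraint(equalTo: view.safeAreaLayoutGuide.trailingAnchor, constant: -16),
            secure.centerYAnchor.constraint(equalTo: view.centerYAnchor),
            secure.heightAnchor.constraint(equalToConstant: 60),
        ])

        guard secure.isProtected else {
            // Fail closed: do not show the sensitive value without protection.
            return
        }
        let balance = UILabel()
        balance.text = "Balance: ¥12,345.67"   // constructed sample value
        balance.textAlignment = .center
        balance.translatesAutoresizingMaskIntoConstraints = false
        secure.contentView.addSubview(balance)
        NSLayoutConstraint.activate([
            balance.leadingAnchor.constraint(equalTo: secure.contentView.leadingAnchor),
            balance.trailingAnchor.constraint(equalTo: secure.contentView.trailingAnchor),
            balance.centerYAnchor.constraint(equalTo: secure.contentView.centerYAnchor),
        ])
    }
}
```

Everything placed in contentView is blanked in screenshots, recordings and mirrored displays, while the rest of the screen stays visible; the explicit isProtected check is what keeps a future iOS change from silently turning the protection off.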
Implementation in Baidu Account SDK
The SDK integrates both mechanisms. On Android, the SDK toggles FLAG_SECURE on the Activity window through a native method (e.g., xxx_forbid_record ) according to a status parameter, adding the flag when protection is turned on and clearing it when protection is turned off. On iOS, the SDK listens for the screenshot and screen‑capture notifications and shows a warning dialog when a capture is detected while the protection flag is enabled.
Key steps in the iOS SDK implementation:
In the WebView controller, register for UIApplicationUserDidTakeScreenshotNotification (and UIScreenCapturedDidChangeNotification on iOS 11+).
Distinguish between the two scenarios and present the appropriate alert: a screenshot has already been saved by the time its notification arrives, so that alert can only warn; for recording, read UIScreen.isCaptured, since the capture notification is also posted when recording stops.
When the front‑end (FE) enables protection, set a local flag; the SDK checks both the flag and whether the current view is visible before showing any alert.
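The steps above, as an added Swift example that is not the Baidu Account SDK's code. CaptureMonitor, its protectionEnabled flag (standing in for the flag the front end toggles), the AccountWebViewController host and the alert texts are constructed for illustration. It observes both notifications, treats a capture‑state change as a warning only when isCaptured is true, polls the current state once when the screen appears (a recording already in progress produces no notification), and checks protectionEnabled and that the host view is on screen before presenting, returning that decision so it can be unit‑tested.

```swift
import UIKit

// Added example (not Baidu Account SDK code): notification-based screenshot and
// screen-recording detection for a hosting view controller, such as the SDK's
// web-view controller.
final class CaptureMonitor {

    enum CaptureKind { case screenshot, recording }

    /// Mirrors the flag the front end sets when it enables protection.
    var protectionEnabled = false

    private weak var host: UIViewController?
    private var observers: [NSObjectProtocol] = []

    init(host: UIViewController) {
        self.host = host
        let center = NotificationCenter.default

        // Posted after the screenshot has already been saved (iOS 7+): the alert
        // can warn and be logged, it cannot prevent the capture.
        observers.append(center.addObserver(
            forName: UIApplication.userDidTakeScreenshotNotification,
            object: nil, queue: .main) { [weak self] _ in
                self?.handle(.screenshot)
        })

        if #available(iOS 11.0, *) {
            // Posted on every change, i.e. when recording/mirroring starts AND when
            // it stops; read isCaptured to react only to the start.
            observers.append(center.addObserver(
                forName: UIScreen.capturedDidChangeNotification,
                object: nil, queue: .main) { [weak self] note in
                    let screen = (note.object as? UIScreen) ?? UIScreen.main
                    guard screen.isCaptured else { return }
                    self?.handle(.recording)
            })
        }
    }

    deinit {
        observers.forEach { NotificationCenter.default.removeObserver($0) }
    }

    /// Call from viewDidAppear: a recording that began before this screen was
    /// shown produces no notification, so the current state is polled once.
    func checkCurrentState() {
        if #available(iOS 11.0, *), UIScreen.main.isCaptured {
            handle(.recording)
        }
    }

    /// Returns true when an alert was presented. Alerts are shown only if
    /// protection is enabled and the host view is actually on screen.
    @discardableResult
    func handle(_ kind: CaptureKind) -> Bool {
        guard protectionEnabled,
              let host = host,
              host.isViewLoaded,
              host.view.window != nil,
              host.presentedViewController == nil else {
            return false
        }
        let message: String
        switch kind {
        case .screenshot:
            message = "A screenshot of this page was taken. It may contain sensitive account information."
        case .recording:
            message = "This screen is being recorded or mirrored. Sensitive account information may be exposed."
        }
        let alert = UIAlertController(title: "Security notice", message: message, preferredStyle: .alert)
        alert.addAction(UIAlertAction(title: "OK", style: .default))
        host.present(alert, animated: true)
        return true
    }
}

// Constructed usage in the hosting controller.
final class AccountWebViewController: UIViewController {
    private lazy var monitor = CaptureMonitor(host: self)

    override func viewDidAppear(_ animated: Bool) {
        super.viewDidAppear(animated)
        monitor.checkCurrentState()
    }

    /// Called when the front end requests protection on or off.
    func setCaptureProtection(_ enabled: Bool) {
        monitor.protectionEnabled = enabled
    }
}
```

The visibility guard (view loaded, attached to a window, nothing already presented) is what stops alerts from piling up or appearing for a page the user has already left, and the isCaptured check is what keeps the end of a recording from being reported as a new capture.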
Conclusion
Anti‑screenshot and anti‑recording features are essential for mobile app security, especially for applications handling financial, medical, or other high‑sensitivity data. Although iOS lacks a system‑level equivalent of Android's FLAG_SECURE, combining notification‑based detection (which can only warn after a capture has happened or started) with the secure‑text‑field rendering trick (which actually blanks the protected content in captures) can substantially reduce the risk of information leakage. Developers should balance user experience with security requirements and adopt the protection strategies that best fit their application scenarios.
Baidu Geek Talk