Android research toolkit for studying the FLAG_SECURE screen capture protection mechanism. Implements multiple bypass techniques including Xposed hooks, SurfaceFlinger analysis, MediaProjection workarounds, and virtual display capture for security research and testing.
| Technique | Requirement | Effectiveness | Android Versions |
|---|---|---|---|
| Xposed Hook | Root + Xposed/LSPosed | High | 5.0 - 15 |
| SurfaceFlinger Capture | Root | High | 5.0 - 13 |
| MediaProjection VirtualDisplay | MediaProjection permission | Low-Medium | 5.0 - 12 |
| ADB Shell Capture | ADB access | Medium | 5.0 - 15 |
| Framebuffer Read | Root | Medium | 5.0 - 10 |
Strips FLAG_SECURE at multiple interception points:
Window.setFlags()- Removes secure bit before it reaches WindowManagerWindowManager.LayoutParams.copyFrom()- Intercepts layout parameter propagationSurfaceControl.Transaction.setSecure()- Blocks native secure flag enforcementActivity.onResume()/Dialog.show()- Clears flag after application sets it
Direct root-level capture via the hardware compositor:
- Root
screencapbypasses software secure flag checks - SurfaceFlinger service calls for compositor-level capture
- Layer enumeration and per-layer secure flag manipulation
Virtual display flag manipulation:
VIRTUAL_DISPLAY_FLAG_OWN_CONTENT_ONLYcapture attemptsVIRTUAL_DISPLAY_FLAG_PUBLICdisplay creation- Reflection-based internal API access for modified parameters
Shell-level capture using elevated permissions:
screencapfrom shell UID contextscreenrecordfor video capture- Framebuffer device direct read
# Clone the repository
git clone https://github.com/bypasscore/flag-secure-bypass.git
cd flag-secure-bypass
# Build debug APK
./gradlew assembleDebug
# Install on device
adb install app/build/outputs/apk/debug/app-debug.apk- Android Studio Iguana or later
- Android SDK 35
- JDK 17
- Rooted device for SurfaceFlinger and Xposed techniques
- Xposed/LSPosed framework for hook-based bypass
app/src/main/java/com/bypasscore/flagsecure/
MainActivity.java - Main UI with technique controls
capture/
ScreenCapture.java - Base MediaProjection capture
VirtualDisplayCapture.java - Virtual display capture engine
bypass/
XposedBypass.java - Xposed hook module
SurfaceFlingerBypass.java - Root SurfaceFlinger capture
MediaProjectionBypass.java - VirtualDisplay flag manipulation
AdbCapture.java - ADB shell capture
analysis/
FlagDetector.java - Detect FLAG_SECURE applications
WindowAnalyzer.java - Window property inspection
utils/
RootHelper.java - Root detection and shell execution
PermissionManager.java - Runtime permission handling
docs/
flag-secure-internals.md - FLAG_SECURE implementation details
bypass-techniques.md - Technique catalog and analysis
tests/
FlagDetectorTest.java - Unit tests
Read the full technical writeup:
How to Screen Record Protected Apps: FLAG_SECURE Bypass
This toolkit is intended for security research, penetration testing, and educational purposes only. Understanding FLAG_SECURE bypass techniques helps developers build more robust screen capture protections. Use responsibly and only on devices you own or have authorization to test.
MIT License - see LICENSE for details.
- Email: contact@bypasscore.com
- Telegram: @bypasscore
- Web: bypasscore.com
If you find this research useful, consider supporting development:
| Network | Address |
|---|---|
| Polygon | 0xd0f38b51496bee61ea5e9e56e2c414b607ab011a |
| Ethereum | 0xd0f38b51496bee61ea5e9e56e2c414b607ab011a |
| BSC | 0xd0f38b51496bee61ea5e9e56e2c414b607ab011a |
| Arbitrum | 0xd0f38b51496bee61ea5e9e56e2c414b607ab011a |
| Optimism | 0xd0f38b51496bee61ea5e9e56e2c414b607ab011a |
| Avalanche | 0xd0f38b51496bee61ea5e9e56e2c414b607ab011a |