Attack techniques overview

Recently, a new pixel stealing attack called Pixnapping has been demonstrated by researchers. The attack successfully leaked secrets from Android apps such as Google Authenticator through a timing side-channel attributable to GPU graphical data compression. In the case of Google Authenticator, the researchers were able to optimize the attack in such a way that the secret digits on screen could be recovered before their 30 second expiration window. Expanding this attack to other kinds of secrets, such as private conversations or the Google Maps location timeline was shown to be possible in principle. However, due to the lack of an optimized approach here, the volume of data to extract would be much bigger and the attack would take multiple hours, making it less practical.

Recommended defense tactics

We recommend using view hiding and restoring.