I’d like to report an information leak in the app when the app is in suspended mode (i.e. I switch to another app to perform some other task).
When you see Revolut in the overview carousel you can see a thumbnail of the area you were in the app before you switched. When you switch back, the app will request your pin number and hide the information however the information is visible before that.
Steps to Reproduce
- Enter the Revolut app normally (you can leave it on the list of transactions screen)
- Switch to another app (it doesn’t matter which one) via the OVERVIEW button or any other means
- Tap the OVERVIEW button again. This will display the list of running app and you will see that Revolut still displays a preview of the last state the app was in
- Tap on the Revolut app and it will ask you for the pin number
When we switch to another app from Revolut it should switch to PIN mode immediately to prevent information disclosure.
I’m using the latest version of Revolut with Android 7.1.1. My phone is a BQ Aquaris X5 Plus.