fix(android): keep seed QR sheet screenshot-protected #707

Open
kanishka0411 wants to merge 1 commit into bitcoinppl:master from kanishka0411:fix/android-secure-seed-qr-sheet
@kanishka0411 kanishka0411 commented Apr 26, 2026

Summary

While checking the Android screenshot-protection follow-up from #684 I noticed the Seed QR is shown through a ModalBottomSheet.
On Android this sheet can be a separate window from the seed words screen, so I made the sheet explicitly request SecureFlagPolicy.SecureOn too. That keeps the QR path covered the same way the recovery-words screen is covered.

Testing

  • just build-android
  • Before: Seed QR sheet could be captured
  • After: screenshot / Recents preview is blocked

Platform Coverage

  • Tested on iOS device
  • Tested on Android device
  • Tested on iOS simulator
  • Tested on Android simulator
  • Not tested

Checklist

Summary by CodeRabbit

  • New Features
    • Enhanced screenshot protection for the seed phrase QR code display in the bottom sheet modal.

coderabbitai Bot commented Apr 26, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 4face9c9-d67d-4822-9907-e5faa90f9413

📥 Commits

Reviewing files that changed from the base of the PR and between 6de3b13 and 2f91c20.

📒 Files selected for processing (1)
  • android/app/src/main/java/org/bitcoinppl/cove/secret_words/SecretWordsScreen.kt

📝 Walkthrough

Walkthrough

This change adds secure-window handling to the seed QR code bottom sheet in the SecretWordsScreen. The modification configures the ModalBottomSheet with ModalBottomSheetProperties and sets securePolicy = SecureFlagPolicy.SecureOn, ensuring sensitive QR data receives additional screenshot protection at the bottom-sheet level.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Secure Bottom Sheet Configuration: android/app/src/main/java/org/bitcoinppl/cove/secret_words/SecretWordsScreen.kt | Adds secure-window flag policy to the seed QR bottom sheet via ModalBottomSheetProperties with SecureFlagPolicy.SecureOn to prevent screenshots of sensitive seed data. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Possibly related PRs

  • Block screenshots on seed phrase screens #684: Both PRs enhance screenshot protection for the seed/QR UI in SecretWordsScreen.kt through different mechanisms (screen-level FLAG_SECURE and bottom-sheet-level securePolicy configuration).

Suggested reviewers

  • praveenperera

Poem

🐰 A carrot's worth of caution, indeed!
Our QR codes now safely concealed,
Screenshot thieves shall find no seed,
In encrypted bottoms, secrets sealed! 🔐

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title clearly and accurately describes the main change: adding screenshot protection to the Seed QR bottom sheet on Android. |
| Description check | ✅ Passed | The description includes all required sections with substantive content: clear summary explaining the fix, specific testing steps, platform coverage marked, and checklist items confirmed. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

greptile-apps Bot commented Apr 26, 2026

Greptile Summary

This PR adds ModalBottomSheetProperties(securePolicy = SecureFlagPolicy.SecureOn) to the Seed QR ModalBottomSheet, ensuring its separate Android Dialog window is covered by FLAG_SECURE in the same way the parent activity window already is. The fix is minimal, correct, and directly addresses the screenshot-protection gap for the QR path.

Confidence Score: 5/5

Safe to merge — single-property change that correctly closes the FLAG_SECURE gap on the bottom sheet window.

Only one file is changed with a three-line addition using the correct Compose API. The existing activity-level FLAG_SECURE and ScreenSecurity logic is untouched. The sole finding is a P2 style suggestion about the preceding AlertDialog window, which does not expose sensitive data.

No files require special attention.

Important Files Changed

| Filename | Overview |
|---|---|
| android/app/src/main/java/org/bitcoinppl/cove/secret_words/SecretWordsScreen.kt | Adds SecureFlagPolicy.SecureOn to the ModalBottomSheet properties so the Seed QR sheet's separate Android window is also protected by FLAG_SECURE, closing the screenshot-protection gap identified in #684. |

Sequence Diagram

```mermaid
sequenceDiagram
    participant User
    participant SecretWordsScreen
    participant ActivityWindow
    participant AlertDialog
    participant ModalBottomSheet (QR)

    User->>SecretWordsScreen: Navigate to screen
    SecretWordsScreen->>ActivityWindow: FLAG_SECURE via DisposableEffect
    Note over ActivityWindow: Screenshot blocked ✓

    User->>SecretWordsScreen: Tap QR icon
    SecretWordsScreen->>AlertDialog: showSeedQrAlert = true
    Note over AlertDialog: Separate Dialog window (no seed data shown)

    User->>AlertDialog: Confirm Show QR Code
    SecretWordsScreen->>ModalBottomSheet (QR): showSeedQrSheet = true
    Note over ModalBottomSheet (QR): SecureFlagPolicy.SecureOn FLAG_SECURE on sheet window ✓

    User->>ModalBottomSheet (QR): Dismiss
    SecretWordsScreen->>ActivityWindow: clearFlags on dispose (if not sensitive)
```

Comments Outside Diff (1)

  1. android/app/src/main/java/org/bitcoinppl/cove/secret_words/SecretWordsScreen.kt, line 254-279

    P2 AlertDialog window may also lack FLAG_SECURE

    The AlertDialog shown at line 254 (the "Show Seed QR?" confirmation) also runs in a separate Dialog window on Android. While it doesn't render the actual seed QR bitmap, it is part of the sensitive seed-words flow. For consistency and defence-in-depth, consider applying SecureFlagPolicy.SecureOn to that dialog's window properties as well. This is low-urgency since no raw seed material is displayed there, but it would close the remaining window gap.

Reviews (1): Last reviewed commit: "fix(android): keep seed QR sheet screens..."
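
The window-level pattern discussed in this thread, as an added example that is not the project's code or part of any comment above: both the confirmation dialog and the QR sheet request FLAG_SECURE on their own windows. The composable name `SeedQrFlow`, the `seedQrContent` parameter and the "Cancel" label are hypothetical, and the sketch assumes a Compose Material3 version in which the `ModalBottomSheetProperties(securePolicy = ...)` call quoted in the thread compiles.

```kotlin
import androidx.compose.material3.AlertDialog
import androidx.compose.material3.ExperimentalMaterial3Api
import androidx.compose.material3.ModalBottomSheet
import androidx.compose.material3.ModalBottomSheetProperties
import androidx.compose.material3.Text
import androidx.compose.material3.TextButton
import androidx.compose.runtime.Composable
import androidx.compose.runtime.getValue
import androidx.compose.runtime.mutableStateOf
import androidx.compose.runtime.remember
import androidx.compose.runtime.setValue
import androidx.compose.ui.window.DialogProperties
import androidx.compose.ui.window.SecureFlagPolicy

// Hypothetical composable; only the showSeedQrAlert / showSeedQrSheet names and
// the securePolicy setting are taken from the PR discussion.
@OptIn(ExperimentalMaterial3Api::class)
@Composable
fun SeedQrFlow(seedQrContent: @Composable () -> Unit) {
    var showSeedQrAlert by remember { mutableStateOf(false) }
    var showSeedQrSheet by remember { mutableStateOf(false) }
    TextButton(onClick = { showSeedQrAlert = true }) { Text("Show Seed QR") }

    if (showSeedQrAlert) {
        AlertDialog(
            onDismissRequest = { showSeedQrAlert = false },
            title = { Text("Show Seed QR?") },
            confirmButton = {
                TextButton(onClick = {
                    showSeedQrAlert = false
                    showSeedQrSheet = true
                }) { Text("Show QR Code") }
            },
            dismissButton = { TextButton(onClick = { showSeedQrAlert = false }) { Text("Cancel") } },
            // The dialog is its own window: request FLAG_SECURE on it explicitly.
            properties = DialogProperties(securePolicy = SecureFlagPolicy.SecureOn),
        )
    }

    if (showSeedQrSheet) {
        ModalBottomSheet(
            onDismissRequest = { showSeedQrSheet = false },
            // Same request for the sheet window that renders the seed QR code.
            properties = ModalBottomSheetProperties(securePolicy = SecureFlagPolicy.SecureOn),
        ) {
            seedQrContent()
        }
    }
}
```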
