Tapjacking Vulnerability
Description
The Tapjacking Vulnerability is a security flaw that allows an attacker to overlay malicious content or interfaces on top of legitimate applications, tricking users into interacting with the attacker's content instead. This can lead to various malicious activities, such as stealing sensitive information, capturing login credentials, or performing unauthorized actions on the user's behalf.
Below are examples of incorrect overlay handling:

```xml
<Button
    android:id="@+id/buttonLogin"
    android:layout_width="wrap_content"
    android:layout_height="wrap_content"
    android:layout_marginTop="20dp"
    android:text="LOGIN"
    app:layout_constraintBottom_toTopOf="@id/textViewRegister"
    app:layout_constraintLeft_toLeftOf="parent"
    app:layout_constraintRight_toRightOf="parent"
    app:layout_constraintTop_toBottomOf="@id/textInputPasswordL"
    android:filterTouchesWhenObscured="false"/> <!-- vulnerable: obscured touches are still delivered -->
```
```java
import android.os.Bundle;
import android.view.View;
import android.widget.Button;
import androidx.appcompat.app.AppCompatActivity;

// Vulnerable: the button is wired up without enabling touch filtering, so taps
// delivered while another window covers it are still accepted.
public class YourActivity extends AppCompatActivity {
    @Override
    public void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_your_layout);
        Button yourButton = findViewById(R.id.yourButtonId);
        yourButton.setOnClickListener(new View.OnClickListener() {
            @Override
            public void onClick(View view) {
                // Handle button click
            }
        });
    }
}
```
```kotlin
import android.os.Bundle
import android.widget.Button
import androidx.appcompat.app.AppCompatActivity

// Vulnerable: touch filtering is never enabled on the button.
class YourActivity : AppCompatActivity() {
    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        setContentView(R.layout.activity_your_layout)
        val yourButton: Button = findViewById(R.id.yourButtonId)
        yourButton.setOnClickListener {
            // Handle button click
        }
    }
}
```
Recommendation
To mitigate Tapjacking vulnerabilities in mobile applications, consider the following recommendations:
- Enable Touch Filtering: Set the `android:filterTouchesWhenObscured` attribute to `true` for UI elements, such as buttons involved in authentication processes. This prevents touch events from being dispatched to obscured views, reducing the risk of Tapjacking attacks.

Note: Android S (12, SDK 31) and higher prevents tapjacking attacks by default by blocking touch events that pass through non-trusted overlays belonging to another UID. This platform mitigation only applies on devices running those releases, so apps that still run on earlier versions should keep the attribute set explicitly.
Below are examples of secure overlay handling:

```xml
<Button
    android:id="@+id/buttonLogin"
    android:layout_width="wrap_content"
    android:layout_height="wrap_content"
    android:layout_marginTop="20dp"
    android:text="LOGIN"
    app:layout_constraintBottom_toTopOf="@id/textViewRegister"
    app:layout_constraintLeft_toLeftOf="parent"
    app:layout_constraintRight_toRightOf="parent"
    app:layout_constraintTop_toBottomOf="@id/textInputPasswordL"
    android:filterTouchesWhenObscured="true"/>
```
```java
import android.os.Bundle;
import android.view.View;
import android.widget.Button;
import androidx.appcompat.app.AppCompatActivity;

public class YourActivity extends AppCompatActivity {
    @Override
    public void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_your_layout);
        Button yourButton = findViewById(R.id.yourButtonId);
        // Drop touch events that arrive while another window obscures the button
        yourButton.setFilterTouchesWhenObscured(true);
        yourButton.setOnClickListener(new View.OnClickListener() {
            @Override
            public void onClick(View view) {
                // Handle button click
            }
        });
    }
}
```
```kotlin
import android.os.Bundle
import android.widget.Button
import androidx.appcompat.app.AppCompatActivity

class YourActivity : AppCompatActivity() {
    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        setContentView(R.layout.activity_your_layout)
        val yourButton: Button = findViewById(R.id.yourButtonId)
        // Kotlin property for get/setFilterTouchesWhenObscured(); drops obscured touches
        yourButton.filterTouchesWhenObscured = true
        yourButton.setOnClickListener {
            // Handle button click
        }
    }
}
```
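As an added example that is not part of the original entry, the following Kotlin button subclass enforces touch filtering programmatically and logs every touch the framework flags as obscured via `View.onFilterTouchEventForSecurity`, giving a detection signal alongside the mitigation; a helper then enables filtering on every clickable view of a layout. The class name, function name and log tag are this example's own, and rejecting partially obscured touches is a stricter policy than the platform default.

```kotlin
import android.content.Context
import android.util.AttributeSet
import android.util.Log
import android.view.MotionEvent
import android.view.View
import android.view.ViewGroup
import androidx.appcompat.widget.AppCompatButton

// Button that turns on touch filtering itself and logs every touch the framework
// flags as delivered through another window. Class and tag names are this
// example's own, not part of the original entry.
class ObscuredTouchAwareButton @JvmOverloads constructor(
    context: Context, attrs: AttributeSet? = null, defStyleAttr: Int = 0
) : AppCompatButton(context, attrs, defStyleAttr) {
    init {
        // Same effect as android:filterTouchesWhenObscured="true" in the layout,
        // so the protection does not depend on every layout file setting it.
        filterTouchesWhenObscured = true
    }

    // Called by the framework before each touch is dispatched to this view. The
    // default implementation already returns false (drops the event) when
    // filtering is on and FLAG_WINDOW_IS_OBSCURED is set; this override keeps
    // that and adds a log line for detection, and also rejects partially
    // obscured touches (flag populated from API 29), stricter than the default.
    override fun onFilterTouchEventForSecurity(event: MotionEvent): Boolean {
        val obscured = (event.flags and MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0
        val partiallyObscured =
            (event.flags and MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED) != 0
        if (obscured || partiallyObscured) {
            Log.w(TAG, "Rejected touch on view id=$id: obscured=$obscured " +
                "partiallyObscured=$partiallyObscured")
            return false
        }
        return super.onFilterTouchEventForSecurity(event)
    }

    companion object { private const val TAG = "TapjackingGuard" }
}

// Defence in depth for layouts that still use plain widgets: walk the view tree
// under [root] and enable touch filtering on every clickable view.
fun enableTouchFilteringForClickables(root: View) {
    if (root.isClickable) root.filterTouchesWhenObscured = true
    if (root is ViewGroup) {
        for (i in 0 until root.childCount) {
            enableTouchFilteringForClickables(root.getChildAt(i))
        }
    }
}
```

Use the class by its fully qualified name in place of `<Button>` in a layout, or call `enableTouchFilteringForClickables(findViewById(android.R.id.content))` after `setContentView` to cover an existing screen.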
Links
Standards
- OWASP_MASVS_L1:
  - MSTG_PLATFORM_2
- OWASP_MASVS_L2:
  - MSTG_PLATFORM_2
- PCI_STANDARDS:
  - REQ_2_2
  - REQ_6_2
  - REQ_6_3
- OWASP_MASVS_v2_1:
  - MASVS_CODE_4
- SOC2_CONTROLS:
  - CC_2_1
  - CC_4_1
  - CC_7_1
  - CC_7_2
  - CC_7_4
  - CC_7_5