[TIMOB-28080] Android: Add "tapjacking" prevention features
GitHub Issue | n/a |
Type | New Feature |
Priority | High |
Status | Closed |
Resolution | Fixed |
Resolution Date | 2020-11-13T14:26:29.000+0000 |
Affected Version/s | n/a |
Fix Version/s | Release 9.3.0 |
Components | Android |
Labels | android, security, touch |
Reporter | K Sakthivel |
Assignee | Joshua Quick |
Created | 2017-09-14T05:21:26.000+0000 |
Updated | 2020-11-13T14:26:29.000+0000 |
Description
*Summary:*
"Tapjacking" is an Android exploit where a malicious app displays a translucent system overlay on top of other apps, with the intent of intercepting touches or tricking the end-user into tapping the overlay app instead of the intended app.
We need new properties/events to prevent and detect this.
*Solution:*
* Add boolean property "filterTouchesWhenObscured" to all Ti.UI.View derived types. When set true, will prevent all touch/click related events that have passed through another app's overlay window.
* Add event "touchfiltered" to Ti.UI.Button to be fired if "filterTouchesWhenObscured" is set true and the touch event was filtered due to an overlay. This event is intended to display an alert dialog to the end-user explaining the reason why the action was blocked.
* Add boolean property "obscured" to all touch/click related events. Will be true if touch event passed through another app's overlay and "filterTouchesWhenObscured" is false. Allows app developer to do manual filtering.
*Note 1:*
The attached [^AppcOverlay.apk] is an Android test app made by us to display a system overlay. We can use this to test the "obscure" touch event handling/filtering.
*Note 2:*
This was requested by customer K. Sakthivel. Please see attached conversation [^Chat - Motiur.docx] with tech-support.
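The three additions listed under *Solution* can be combined as follows. This is an added example, not code from the ticket or the Titanium SDK; the function names, titles and messages are hypothetical, and `Ti` is passed in as a parameter (pass the global `Ti` in an app) so the logic can also be exercised against a stub.

```javascript
// Added example (not from the ticket). Property and event names are the ones
// proposed in the description; everything else is hypothetical.

// Sensitive action: let the platform drop touches that passed through an overlay.
function createPayButton(Ti, onPay) {
  const button = Ti.UI.createButton({
    title: 'Confirm payment',
    filterTouchesWhenObscured: true, // opt in; obscured touches are filtered
  });
  button.addEventListener('click', onPay);
  // "touchfiltered" fires when a touch was filtered due to an overlay.
  // Explain why nothing happened, since the user may not see the overlay.
  button.addEventListener('touchfiltered', () => {
    Ti.UI.createAlertDialog({
      title: 'Action blocked',
      message: 'Another app is drawing over this screen. Close it and try again.',
    }).show();
  });
  return button;
}

// Manual filtering: property left false, so events still arrive, and the
// handler decides what to do based on the "obscured" flag on the event.
function createManualView(Ti, onTrustedClick, onObscuredClick) {
  const view = Ti.UI.createView({ filterTouchesWhenObscured: false });
  view.addEventListener('click', (e) => {
    if (e.obscured) {
      onObscuredClick(e); // e.g. record it and ignore the tap
      return;
    }
    onTrustedClick(e);
  });
  return view;
}
```

The attached AppcOverlay.apk mentioned in Note 1 is the way to exercise both paths on a device.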
Attachments
Hello, Please share some native doc on this. Is this achievable natively? Thanks.
[~lchoudhary] Can you please log which Android security patch you are referring to (version number if any) or link to the patch.
I believe the only solution for this is to leverage the Java View.setFilterTouchesWhenObscured() and/or View.onFilterTouchEventForSecurity() methods. https://developer.android.com/reference/android/view/View#security
The simplest solution may be to call [setFilterTouchesWhenObscured(true)](https://developer.android.com/reference/android/view/View#setFilterTouchesWhenObscured(boolean)) on every Titanium managed Ti.UI.View by default... and see if we can avoid adding a new Titanium API (less is more). That said, we'll need to double check if this negatively impacts Titanium's translucent modal windows. I think it steals all touch events, which would make it okay to use, but we'll have to test it and find out.
Also, setting android:exported="false" to an activity in the "AndroidManifest.xml" will avoid the tapjacking issue too. Although Titanium should not set this by default on the root activity because it would prevent its intent-filters from working. We should definitely not do this with JSActivities either. Setting "exported" to false by default for all other Titanium activities would be fine (like TiActivity which is used by the JS Ti.UI.Activity) but I don't know if that will help us if the root activity is exported. We would have to test this out to confirm.
From looking at Google's own examples, they only filter touches on buttons... including dialog buttons. https://github.com/search?q=org%3Aaosp-mirror+setFilterTouchesWhenObscured&type=Code
On our end, we should add a boolean "filterTouchesWhenObscured" property to Ti.UI.View, Ti.UI.AlertDialog, and Ti.UI.OptionsDialog. It should default to false to maintain backward compatibility, which means app developers will need to opt-in to this feature by setting it to the individual views/buttons themselves. I'm thinking it should be opt-in because end-users do install system overlay apps (perhaps unknowingly at times). We might want to provide a "touchobscured" event to Ti.UI.Button to detect when a button has been tapped on while an overlay is on top of it. The reason is because the end-user might not know an overlay is onscreen and will be confused as to why the button doesn't work if filtered. We can't provide this event to all views unfortunately because it involves deriving from the class and overriding its [onFilterTouchEventForSecurity()](https://developer.android.com/reference/android/view/View#onFilterTouchEventForSecurity(android.view.MotionEvent)) method.
PR (9.3.x): https://github.com/appcelerator/titanium_mobile/pull/11962
FR passed, Waiting on Jenkins build.
*Closing ticket*. Fix verified in SDK version 9.3.0.v20201111030553. Test and other information can be found at: https://github.com/appcelerator/titanium_mobile/pull/11962