Titanium JIRA Archive
Titanium SDK/CLI (TIMOB)

[TIMOB-28080] Android: Add "tapjacking" prevention features

GitHub Issue: n/a
Type: New Feature
Priority: High
Status: Closed
Resolution: Fixed
Resolution Date: 2020-11-13T14:26:29.000+0000
Affected Version/s: n/a
Fix Version/s: Release 9.3.0
Components: Android
Labels: android, security, touch
Reporter: K Sakthivel
Assignee: Joshua Quick
Created: 2017-09-14T05:21:26.000+0000
Updated: 2020-11-13T14:26:29.000+0000

Description

*Summary:* "Tapjacking" is an Android exploit where a malicious app can display a translucent system overlay on top of other apps with the intent of intercepting touches or to trick the end-user into tapping the overlay app instead of the intended app. We need new properties/events to prevent and detect this.

*Solution:*

* Add boolean property "filterTouchesWhenObscured" to all Ti.UI.View derived types. When set true, will prevent all touch/click related events that have passed through another app's overlay window.
* Add event "touchfiltered" to Ti.UI.Button to be fired if "filterTouchesWhenObscured" is set true and the touch event was filtered due to an overlay. This event is intended to display an alert dialog to the end-user explaining the reason why the action was blocked.
* Add boolean property "obscured" to all touch/click related events. Will be true if touch event passed through another app's overlay and "filterTouchesWhenObscured" is false. Allows app developer to do manual filtering.

*Note 1:* The attached AppcOverlay.apk is an Android test app made by us to display a system overlay. We can use this to test the "obscure" touch event handling/filtering.

*Note 2:* This was requested by customer K. Sakthivel. Please see attached conversation "Chat - Motiur.docx" with tech-support.
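The three additions listed under the solution, wired onto one sensitive button. This is an added example, not code from the ticket or from the Titanium project; the function name `createGuardedButton`, its `mode` argument and the practice of passing the Titanium namespace in as `ti` are assumptions made so the handlers can also be exercised outside a Titanium runtime.

```javascript
// Added example (not Titanium project code). `ti` is the Titanium namespace,
// passed in as a parameter (an assumption of this sketch) so the wiring can
// also be exercised outside a Titanium runtime.
function createGuardedButton(ti, title, onConfirmed, mode = 'auto') {
  const button = ti.UI.createButton({
    title,
    // 'auto':   the platform drops obscured touches, so 'click' never fires.
    // 'manual': filtering stays off and each event's `obscured` flag is checked.
    filterTouchesWhenObscured: mode === 'auto'
  });

  let dialogOpen = false; // one explanation at a time, however many touches are dropped
  const explainBlocked = () => {
    if (dialogOpen) return;
    dialogOpen = true;
    const dialog = ti.UI.createAlertDialog({
      title: 'Action blocked',
      message: 'Another app is drawing over this screen. Close it and try again.',
      buttonNames: ['OK']
    });
    dialog.addEventListener('click', () => { dialogOpen = false; });
    dialog.show();
  };

  // Per the ticket: fired only when filterTouchesWhenObscured is true and a
  // touch was filtered because of an overlay.
  button.addEventListener('touchfiltered', explainBlocked);

  button.addEventListener('click', (e) => {
    // Per the ticket: `obscured` is true only when the touch passed through
    // an overlay and filterTouchesWhenObscured is false.
    if (e.obscured) {
      explainBlocked();
      return; // fail closed: never run the sensitive action
    }
    onConfirmed(e);
  });
  return button;
}
```

In an app, pass the global `Ti` namespace as the first argument.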

Attachments

| File | Date | Size |
| --- | --- | --- |
| AppcOverlay.apk | 2020-08-26T03:18:06.000+0000 | 1692778 |
| Chat - Motiur.docx | 2017-09-14T05:20:36.000+0000 | 47633 |

Comments

  1. Sharif AbuDarda 2017-11-12

    Hello, Please share some native doc on this. Is this achievable natively? Thanks.
  2. Srinivasan Pulipakkam 2020-08-11

    [~lchoudhary] Can you please log which Android security patch you are referring to (version number if any) or link to the patch?
  3. Joshua Quick 2020-08-11

    I believe the only solution for this is to leverage the Java View.setFilterTouchesWhenObscured() and/or View.onFilterTouchEventForSecurity() methods. https://developer.android.com/reference/android/view/View#security The simplest solution may be to call [setFilterTouchesWhenObscured(true)](https://developer.android.com/reference/android/view/View#setFilterTouchesWhenObscured(boolean)) on every Titanium managed Ti.UI.View by default... and see if we can avoid adding a new Titanium API (less is more). That said, we'll need to double check if this negatively impacts Titanium's translucent modal windows. I think it steals all touch events, which would make it okay to use, but we'll have to test it and find out.
  4. Joshua Quick 2020-08-11

    Also, setting android:exported="false" to an activity in the "AndroidManifest.xml" will avoid the tapjacking issue too. Although Titanium should not set this by default on the root activity because it would prevent its intent-filters from working. We should definitely not do this with JSActivities either. Setting "exported" to false by default for all other Titanium activities would be fine (like TiActivity which is used by the JS Ti.UI.Activity) but I don't know if that will help us if the root activity is exported. We would have to test this out to confirm.
  5. Joshua Quick 2020-08-21

    From looking at Google's own examples, they only filter touches on buttons... including dialog buttons. https://github.com/search?q=org%3Aaosp-mirror+setFilterTouchesWhenObscured&type=Code On our end, we should add a boolean "filterTouchesWhenObscured" property to Ti.UI.View, Ti.UI.AlertDialog, and Ti.UI.OptionsDialog. It should default to false to maintain backward compatibility, which means app developers will need to opt-in to this feature by setting it to the individual views/buttons themselves. I'm thinking it should be opt-in because end-users do install system overlay apps (perhaps unknowingly at times). We might want to provide a "touchobscured" event to Ti.UI.Button to detect when a button has been tapped on while an overlay is on top of it. The reason is because the end-user might not know an overlay is onscreen and will be confused as to why the button doesn't work if filtered. We can't provide this event to all views unfortunately because it involves deriving from the class and overriding its [onFilterTouchEventForSecurity()](https://developer.android.com/reference/android/view/View#onFilterTouchEventForSecurity(android.view.MotionEvent)) method.
  6. Joshua Quick 2020-08-26

    PR (9.3.x): https://github.com/appcelerator/titanium_mobile/pull/11962
  7. Samir Mohammed 2020-09-28

    FR passed, Waiting on Jenkins build.
  8. Samir Mohammed 2020-11-13

    *Closing ticket*. Fix verified in SDK version 9.3.0.v20201111030553. Test and other information can be found at: https://github.com/appcelerator/titanium_mobile/pull/11962
