{ "id": "169770", "key": "TIMOB-28080", "fields": { "issuetype": { "id": "2", "description": "A new feature of the product, which has yet to be developed.", "name": "New Feature", "subtask": false }, "project": { "id": "10153", "key": "TIMOB", "name": "Titanium SDK/CLI", "projectCategory": { "id": "10100", "description": "Titanium and related SDKs used in application development", "name": "Client" } }, "fixVersions": [ { "id": "21052", "description": "", "name": "Release 9.3.0", "archived": false, "released": true, "releaseDate": "2020-12-14" } ], "resolution": { "id": "1", "description": "A fix for this issue is checked into the tree and tested.", "name": "Fixed" }, "resolutiondate": "2020-11-13T14:26:29.000+0000", "created": "2017-09-14T05:21:26.000+0000", "priority": { "name": "High", "id": "2" }, "labels": [ "android", "security", "touch" ], "versions": [], "issuelinks": [], "assignee": { "name": "jquick", "key": "jquick", "displayName": "Joshua Quick", "active": true, "timeZone": "America/Los_Angeles" }, "updated": "2020-11-13T14:26:29.000+0000", "status": { "description": "The issue is considered finished, the resolution is correct. Issues which are closed can be reopened.", "name": "Closed", "id": "6", "statusCategory": { "id": 3, "key": "done", "colorName": "green", "name": "Done" } }, "components": [ { "id": "10202", "name": "Android", "description": "Android Platform" } ], "description": "*Summary:*\r\n\"Tapjacking\" is an Android exploit where a malicious app can display a translucent system overlay on top of other apps with the intent of intercepting touches or to trick the end-user into tapping the overlay app instead of the intended app.\r\n\r\nWe need new properties/events to prevent and detect this.\r\n\r\n*Solution:*\r\n* Add boolean property \"filterTouchesWhenObscured\" to all {{Ti.UI.View}} derived types. When set {{true}}, will prevent all touch/click related events that have passed through another app's overlay window.\r\n* Add event \"touchfiltered\" to {{Ti.UI.Button}} to be fired if \"filterTouchesWhenObscured\" is set {{true}} and the touch event was filtered due to an overlay. This event is intended to display an alert dialog to the end-user explaining the reason why the action was blocked.\r\n* Add boolean property \"obscured\" to all touch/click related events. Will be {{true}} if touch event passed through another app's overlay and \"filterTouchesWhenObscured\" is {{false}}. Allows app developer to do manual filtering.\r\n\r\n*Note 1:*\r\nThe attached [^AppcOverlay.apk] is an Android test app made by us to display a system overlay. We can use this to test the \"obscure\" touch event handling/filtering.\r\n\r\n*Note 2:*\r\nThis was requested by customer K. Sakthivel. Please see attached conversation [^Chat - Motiur.docx] with tech-support.\r\n", "attachment": [ { "id": "67497", "filename": "AppcOverlay.apk", "author": { "name": "jquick", "key": "jquick", "displayName": "Joshua Quick", "active": true, "timeZone": "America/Los_Angeles" }, "created": "2020-08-26T03:18:06.000+0000", "size": 1692778, "mimeType": "application/vnd.android.package-archive" }, { "id": "63255", "filename": "Chat - Motiur.docx", "author": { "name": "ksakthivel", "key": "ksakthivel", "displayName": "K Sakthivel ", "active": true, "timeZone": "America/Los_Angeles" }, "created": "2017-09-14T05:20:36.000+0000", "size": 47633, "mimeType": "application/vnd.openxmlformats-officedocument.wordprocessingml.document" } ], "flagged": false, "summary": "Android: Add \"tapjacking\" prevention features", "creator": { "name": "ksakthivel", "key": "ksakthivel", "displayName": "K Sakthivel ", "active": true, "timeZone": "America/Los_Angeles" }, "subtasks": [], "reporter": { "name": "ksakthivel", "key": "ksakthivel", "displayName": "K Sakthivel ", "active": true, "timeZone": "America/Los_Angeles" }, "environment": "Need option to overcome the Tapjacking issue in android and IOS devices", "closedSprints": [ { "id": 1204, "state": "closed", "name": "2020 Sprint 17", "startDate": "2020-08-17T15:48:00.000Z", "endDate": "2020-08-28T15:48:00.000Z", "completeDate": "2020-08-31T15:36:28.040Z", "originBoardId": 114 }, { "id": 1205, "state": "closed", "name": "2020 Sprint 18", "startDate": "2020-08-31T15:45:10.220Z", "endDate": "2020-09-11T15:45:00.000Z", "completeDate": "2020-09-11T19:56:20.674Z", "originBoardId": 114 }, { "id": 1206, "state": "closed", "name": "2020 Sprint 19", "startDate": "2020-09-14T20:01:00.000Z", "endDate": "2020-09-25T20:01:00.000Z", "completeDate": "2020-09-28T15:30:19.875Z", "originBoardId": 114 } ], "comment": { "comments": [ { "id": "430465", "author": { "name": "sdarda", "key": "sdarda", "displayName": "Sharif AbuDarda", "active": false, "timeZone": "Asia/Dhaka" }, "body": "Hello, Please share some native doc on this. Is this achievable natively? Thanks.", "updateAuthor": { "name": "sdarda", "key": "sdarda", "displayName": "Sharif AbuDarda", "active": false, "timeZone": "Asia/Dhaka" }, "created": "2017-11-12T19:15:38.000+0000", "updated": "2017-11-12T19:15:38.000+0000" }, { "id": "456423", "author": { "name": "spulipakkam", "key": "spulipakkam", "displayName": "Srinivasan Pulipakkam", "active": true, "timeZone": "America/Los_Angeles" }, "body": "[~lchoudhary] Can you please log which Android security patch you are referring to ( version number if any) or link to the patch.", "updateAuthor": { "name": "spulipakkam", "key": "spulipakkam", "displayName": "Srinivasan Pulipakkam", "active": true, "timeZone": "America/Los_Angeles" }, "created": "2020-08-11T22:25:27.000+0000", "updated": "2020-08-11T22:25:36.000+0000" }, { "id": "456425", "author": { "name": "jquick", "key": "jquick", "displayName": "Joshua Quick", "active": true, "timeZone": "America/Los_Angeles" }, "body": "I believe the only solution for this is to leverage the Java {{View.setFilterTouchesWhenObscured()}} and/or {{View.onFilterTouchEventForSecurity()}} methods.\r\nhttps://developer.android.com/reference/android/view/View#security\r\n\r\nThe simplest solution may be to call [setFilterTouchesWhenObscured(true)|https://developer.android.com/reference/android/view/View#setFilterTouchesWhenObscured(boolean)] on every Titanium managed {{Ti.UI.View}} by default... and see if we can avoid adding a new Titanium API (less is more).\r\n\r\nThat said, we'll need to double check if this negatively impacts Titanium's translucent modal windows. I think it steals all touch events, which would make it okay to use, but we'll have to test it and find out.", "updateAuthor": { "name": "jquick", "key": "jquick", "displayName": "Joshua Quick", "active": true, "timeZone": "America/Los_Angeles" }, "created": "2020-08-11T23:18:59.000+0000", "updated": "2020-08-11T23:18:59.000+0000" }, { "id": "456427", "author": { "name": "jquick", "key": "jquick", "displayName": "Joshua Quick", "active": true, "timeZone": "America/Los_Angeles" }, "body": "Also, setting {{android:exported=\"false\"}} to an activity in the \"AndroidManifest.xml\" will avoid the tapjacking issue too. Although Titanium should not set this by default on the root activity because it would prevent its intent-filters from working. We should definitely not do this with JSActivities either. Setting \"exported\" to {{false}} by default for all other Titanium activities would be fine (like {{TiActivity}} which is used by the JS {{Ti.UI.Activity}}) but I don't know if that will help us if the root activity is exported. We would have to test this out to confirm.", "updateAuthor": { "name": "jquick", "key": "jquick", "displayName": "Joshua Quick", "active": true, "timeZone": "America/Los_Angeles" }, "created": "2020-08-11T23:48:10.000+0000", "updated": "2020-08-11T23:48:10.000+0000" }, { "id": "456540", "author": { "name": "jquick", "key": "jquick", "displayName": "Joshua Quick", "active": true, "timeZone": "America/Los_Angeles" }, "body": "From looking at Google's own examples, they only filter touches on buttons... including dialog buttons.\r\nhttps://github.com/search?q=org%3Aaosp-mirror+setFilterTouchesWhenObscured&type=Code\r\n\r\nOn our end, we should a boolean \"filterTouchesWhenObscured\" property to {{Ti.UI.View}}, {{Ti.UI.AlertDialog}}, and {{Ti.UI.OptionsDialog}}. It should default to {{false}} to maintain backward compatibility, which means app developers will need to opt-in to this feature by setting it to the individual views/buttons themselves. I'm thinking it should be opt-in because end-users do install system overlay apps (perhaps unknowingly at times).\r\n\r\nWe might want to provide a \"touchobscured\" event to {{Ti.UI.Button}} to detect when a button has been tapped on while an overlay is on top of it. The reason is because the end-user might not know an overlay is onscreen and will be confused as to why the button doesn't work if filtered. We can't provide this event to all views unfortunately because it involves deriving from the class and overriding its [onFilterTouchEventForSecurity()|https://developer.android.com/reference/android/view/View#onFilterTouchEventForSecurity(android.view.MotionEvent)] method.", "updateAuthor": { "name": "jquick", "key": "jquick", "displayName": "Joshua Quick", "active": true, "timeZone": "America/Los_Angeles" }, "created": "2020-08-21T04:43:30.000+0000", "updated": "2020-08-21T04:43:30.000+0000" }, { "id": "456586", "author": { "name": "jquick", "key": "jquick", "displayName": "Joshua Quick", "active": true, "timeZone": "America/Los_Angeles" }, "body": "PR (9.3.x): https://github.com/appcelerator/titanium_mobile/pull/11962", "updateAuthor": { "name": "jquick", "key": "jquick", "displayName": "Joshua Quick", "active": true, "timeZone": "America/Los_Angeles" }, "created": "2020-08-26T03:18:36.000+0000", "updated": "2020-08-26T03:18:36.000+0000" }, { "id": "457048", "author": { "name": "smohammed", "key": "smohammed", "displayName": "Samir Mohammed", "active": true, "timeZone": "America/Los_Angeles" }, "body": "FR passed, Waiting on Jenkins build. ", "updateAuthor": { "name": "smohammed", "key": "smohammed", "displayName": "Samir Mohammed", "active": true, "timeZone": "America/Los_Angeles" }, "created": "2020-09-28T14:00:11.000+0000", "updated": "2020-09-28T14:00:11.000+0000" }, { "id": "457510", "author": { "name": "smohammed", "key": "smohammed", "displayName": "Samir Mohammed", "active": true, "timeZone": "America/Los_Angeles" }, "body": "*Closing ticket*. Fix verified in SDK version {{9.3.0.v20201111030553}}.\r\n\r\nTest and other information can be found at:\r\nhttps://github.com/appcelerator/titanium_mobile/pull/11962", "updateAuthor": { "name": "smohammed", "key": "smohammed", "displayName": "Samir Mohammed", "active": true, "timeZone": "America/Los_Angeles" }, "created": "2020-11-13T14:25:39.000+0000", "updated": "2020-11-13T14:25:39.000+0000" } ], "maxResults": 13, "total": 13, "startAt": 0 } } }