OWASP category: MASVS-PLATFORM: Platform Interaction
Tapjacking is the Android-app equivalent of the clickjacking web vulnerability: A malicious app tricks the user into clicking a security-relevant control (confirmation button etc.) by obscuring the UI with an overlay or by other means. On this page, we differentiate two attack variants: Full and partial occlusion. In full occlusion, the attacker overlays the touch area, while in partial occlusion, the touch area remains unobscured.
Tapjacking attacks are used to trick users into performing certain actions. The impact depends on the action targeted by the attacker.
Risk: Full occlusion
In full occlusion, the attacker overlays the touch area to hijack the touch event:
Full occlusion is prevented by setting
View.setFilterTouchesWhenObscured(true) in the code. This blocks touches passed by an overlay. If you prefer a declarative approach, you can also add
android:filterTouchesWhenObscured="true" in the layout file for the
View object that you want to protect.
Risk: Partial occlusion
In partial occlusion attacks, the touch area remains unobscured:
Partial occlusion is mitigated by manually ignoring touch events that have
FLAG_WINDOW_IS_PARTIALLY_OBSCURED flag. There are no default protections against this scenario.
Potential caveat: This mitigation can interfere with benign apps. In some cases, rolling out this fix isn’t possible, as it would negatively affect the user experience when the partial occlusion is caused by a benign application.
This section gathers risks that require non-standard mitigation strategies or were mitigated at certain SDK level and are here for completeness.
SYSTEM_ALERT_WINDOW permission allows an app to create a window shown on top of all apps.
Newer versions of Android have introduced several mitigations, including the following:
- On Android 6 (API level 23) and higher, users have to explicitly grant the permission for the app to create an overlay window.
- On Android 12 (API level 31) and higher, apps can pass
Risk: Custom toast
An attacker can use
Toast.setView() to customize a toast message’s appearance. On Android 10 (API level 29) and lower, malicious apps could launch such toasts from the background.
If an app targets Android 11 (API level 30) or higher, the system blocks background custom toasts. However, this mitigation can be evaded in some circumstances using Toast burst, where the attacker queues multiple toasts while in the foreground and they keep getting launched even after an app goes to the background.
Background toasts and toast burst attacks are fully mitigated as of Android 12 (API level 31).
Risk: Activity sandwich
If a malicious app manages to convince a user to open it, it can still launch an activity from the victim app and subsequently overlay it with its own activity, forming an activity sandwich and creating a partial occlusion attack.
See general mitigations for partial occlusion. For defense in-depth, make sure that you don’t export activities that don’t need to be exported to prevent an attacker from sandwiching them.