
Tapjacking in Android

Last Updated : 05 Feb, 2023

As operating systems grow more advanced and sophisticated, so do the people who want to hijack them for their own benefit. Tapjacking is the new standard of security breach, one that is becoming a serious concern in many countries and needs some fixes to be safe. In this article, we will learn what Tapjacking is and how you, as a developer, can prevent it from happening in your Android application.

Tapjacking in Android

Tapjacking is a type of mobile application security vulnerability that occurs on the Android operating system. It allows an attacker to overlay a malicious application on top of a legitimate one, creating a fake user interface that tricks the user into performing actions that they did not intend to, such as granting permissions or making in-app purchases. 

How Does Tapjacking Occur?

Tapjacking can happen when an app does not properly validate user input or does not use Android’s system touch event APIs correctly. Developers can prevent tapjacking by using the FLAG_NOT_TOUCHABLE window flag and checking for the ACTION_FAKE action in the onTouchEvent() method. Additionally, they can use the TYPE_APPLICATION_OVERLAY window type to create windows that are not touchable.

Analyzing the Impact on the User

Tapjacking attacks are used to deceive users into taking specific actions. The effect is determined by the attack's target action. Because any image can be displayed inside the view, there are many potential outcomes.

Because a toast view merely passes a user's tap or swipe through to the activity behind it, a dishonest developer can use an attention-grabbing visual (such as celebrity images) or a phony UI as a lure to push users into interacting with the hidden activity. This might expose users to dangers including downloading malicious software, making online purchases, signing up for premium services, and even erasing the OS.

GeekTip: An attacker can alter the look of a Toast message by using Toast.setView(). Such toasts could be launched from the background by malicious apps on Android 10 (API level 29) and before.

Types of Tapjacking

In general, there are two types of tapjacking that occur natively on Android Apps, which are:

  1. Fully Covered Tapjacking: All the content is hidden behind a fully opaque overlay, and the user cannot tell which UI is the real one, which makes this variant very deceptive.
  2. Partially Covered Tapjacking: There is a translucent layer over the content which appears to be a part of the UI, and the user is driven into the belief that it is the actual UI.

We will look at the images below that explain each one of them in detail:

Type #1: Fully Covered Tapjacking

To hijack the touch event, the attacker completely occludes the touch area:


Image #1: The Fully Covered Tapjacking

Type #2: Partially Covered Tapjacking

Attacks with partial occlusion do not cover the touch area:


Image #2: The Partially Covered Tapjacking

As you can see in Image #1 and Image #2, there are two main types of tapjacking, and both are notorious for making the user believe that the UI they are interacting with is the genuine one. Both images show an example of an app asking for permissions.

Preventing TapJacking in Android 13

Full occlusion attacks are automatically stopped by Android 12 and are improved in Android 13 and higher by rejecting touch events from untrusted overlays from different UIDs. Fully covered tapjacking can also be prevented by the developer, who just has to make sure that setFilterTouchesWhenObscured(true) is called in the code. This prohibits touches while an overlay is present.

The partially covered scenario is a little harder to protect against, so the safety mechanism is weaker. Partial occlusion can be reduced by explicitly disregarding touch events that carry the FLAG_WINDOW_IS_PARTIALLY_OBSCURED flag.
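The two mitigations above can be combined in one container view. This is an added example, not code from the original article; the class name ObscuredTouchGuardLayout is hypothetical. It wraps sensitive controls (a permission or payment button, for instance) and drops any touch the system marks as fully or partially obscured.

```kotlin
import android.content.Context
import android.util.AttributeSet
import android.view.MotionEvent
import android.widget.FrameLayout

// Hypothetical container: place sensitive controls inside it in the layout.
class ObscuredTouchGuardLayout @JvmOverloads constructor(
    context: Context,
    attrs: AttributeSet? = null,
    defStyleAttr: Int = 0
) : FrameLayout(context, attrs, defStyleAttr) {

    init {
        // Full occlusion: the framework discards touches that carry
        // MotionEvent.FLAG_WINDOW_IS_OBSCURED once this is enabled.
        filterTouchesWhenObscured = true
    }

    // ViewGroup.dispatchTouchEvent() calls this before routing the event to
    // any child. Returning false drops the event for the whole subtree.
    override fun onFilterTouchEventForSecurity(event: MotionEvent): Boolean {
        // Partial occlusion: another app's window overlaps this window, but
        // not at the touch location. The flag exists from API level 29; on
        // older releases it is never set, so this check is a no-op there.
        val partiallyObscured =
            (event.flags and MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED) != 0
        if (partiallyObscured) {
            return false
        }
        // Let the framework apply the full-occlusion filter enabled above.
        return super.onFilterTouchEventForSecurity(event)
    }
}
```

The full-occlusion half can also be enabled on any individual view from XML with android:filterTouchesWhenObscured="true". The partial-occlusion check needs code like the override above.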

There are no built-in safeguards against this situation. The system disables background custom toasts when an app targets Android 11 (API level 30) or higher. However, this mitigation can be avoided in some situations with a toast burst, in which the attacker queues several toasts while in the foreground and they continue to fire even after the app switches to the background. As of Android 12 (API level 31), background toasts and toast burst attacks have been completely mitigated.

Conclusion

For defense in depth, make sure you don't export activities that shouldn't be exported, so that an adversary cannot sandwich them. Hope this article helped you understand what Tapjacking is and how Google is taking preventive measures to protect users from such attacks in the latest releases.

