Testing for Overlay Attacks
To test for overlay attacks you need to check the app for usage of certain APIs and attributes typically used to protect against overlay attacks, as well as check the Android version the app is targeting.
To mitigate these attacks, please carefully read the general guidelines about Android View security in the Android Developer Documentation. For instance, the so-called touch filtering is a common defense against tapjacking; it helps safeguard users against these vulnerabilities, usually in combination with the other techniques and considerations introduced in this section.
To start your static analysis you can check the app for the following methods and attributes (non-exhaustive list):
- Set the layout attribute android:filterTouchesWhenObscured to true, or enable the same touch filtering programmatically on the View.
- Override onFilterTouchEventForSecurity for more fine-grained control and to implement a custom security policy for views.
- Check FLAG_WINDOW_IS_OBSCURED (since API level 9) or FLAG_WINDOW_IS_PARTIALLY_OBSCURED (starting on API level 29).
Some attributes might affect the app as a whole, while others can be applied to specific components. The latter would be the case when, for example, there is a business need to specifically allow overlays while still protecting sensitive input UI elements. The developers might also take additional precautions to confirm the user's actual intent, which might be legitimate, and tell it apart from a potential attack.
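The following View subclass is an added example (not code from the MASTG or from any app it references) showing what the protections listed above look like when applied to a single sensitive input field: the programmatic equivalent of android:filterTouchesWhenObscured plus a custom policy in onFilterTouchEventForSecurity that also rejects partially obscured touches on API level 29 and above. The class name is hypothetical.

```java
import android.content.Context;
import android.os.Build;
import android.util.AttributeSet;
import android.view.MotionEvent;
import android.widget.EditText;

// Hypothetical sensitive input field (e.g. a PIN or password entry) that drops
// touches arriving while another window covers it.
public class ObscuredAwareEditText extends EditText {

    public ObscuredAwareEditText(Context context, AttributeSet attrs) {
        super(context, attrs);
        // Programmatic equivalent of android:filterTouchesWhenObscured="true":
        // the default filter rejects touches when FLAG_WINDOW_IS_OBSCURED is set.
        setFilterTouchesWhenObscured(true);
    }

    // Returning false tells the framework to discard the event before it
    // reaches the view's normal touch handling.
    @Override
    public boolean onFilterTouchEventForSecurity(MotionEvent event) {
        int flags = event.getFlags();

        // FLAG_WINDOW_IS_OBSCURED (API level 9): the touch passed through an
        // area of this window that another visible window was covering.
        boolean obscured = (flags & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0;

        // FLAG_WINDOW_IS_PARTIALLY_OBSCURED (API level 29): another visible
        // window overlaps this one somewhere, even if the touch itself did not
        // pass through the covered area. The default filter ignores this flag,
        // so a stricter policy for sensitive input has to check it explicitly.
        boolean partiallyObscured = Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q
                && (flags & MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED) != 0;

        if (obscured || partiallyObscured) {
            // Stricter-than-default policy: refuse any touch while overlapped.
            return false;
        }
        return super.onFilterTouchEventForSecurity(event);
    }
}
```

During static analysis, the presence of these overrides and flag checks on sensitive views (rather than only on the app as a whole) is what you would expect to find in an app that applies the per-component approach described above.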
As a final note, always remember to properly check the API level the app is targeting and the implications that this has. For instance, Android 8.0 (API level 26) introduced changes to apps requiring SYSTEM_ALERT_WINDOW ("draw on top"). From this API level on, apps using TYPE_APPLICATION_OVERLAY will always be shown above other windows having other types such as TYPE_SYSTEM_ALERT. You can use this information to ensure that no overlay attacks may occur, at least for this app in this concrete Android version.
Abusing this kind of vulnerability in a dynamic manner can be pretty challenging and very specialized, as it closely depends on the target Android version. For instance, for versions up to Android 7.0 (API level 24) you can use the following APKs as a proof of concept to identify the existence of the vulnerabilities.
- Tapjacking POC: This APK creates a simple overlay which sits on top of the testing application.
- Invisible Keyboard: This APK creates multiple overlays on the keyboard to capture keystrokes. This is one of the exploits demonstrated in the Cloak and Dagger attacks.