mohammedGrech / Biometric-PasswordVaultManager


Tap Jacking #7

Closed AyrtonBrincat closed 1 year ago

AyrtonBrincat commented 1 year ago

Malicious applications which trick the user by having an overlay on top.

Please refer to ticket #025 on Basecamp for the security consultant's risk assessment: https://3.basecamp.com/5557999/buckets/31472726/card_tables/cards/5909045847

mohammedGrech commented 1 year ago

As per the official Android developer website, Tapjacking can cause the following risks:

Risk: Full occlusion
Mitigations: "Full occlusion is prevented by setting View.setFilterTouchesWhenObscured(true) in the code. This blocks touches passed by an overlay. If you prefer a declarative approach, you can also add android:filterTouchesWhenObscured="true" in the layout file for the View object that you want to protect."

The latter approach was taken into consideration since there are a number of views on the application. Below is an instance of the setup on each layout:

Note: please refer to the last line of code:

```xml
<?xml version="1.0" encoding="utf-8"?>
<RelativeLayout xmlns:android="http://schemas.android.com/apk/res/android"
    xmlns:app="http://schemas.android.com/apk/res-auto"
    xmlns:tools="http://schemas.android.com/tools"
    android:layout_width="match_parent"
    android:layout_height="match_parent"
    android:background="@color/white"
    android:layout_gravity="top"
    android:orientation="vertical"
    tools:context=".MainActivity"
    android:filterTouchesWhenObscured="true">
```

Risk: Partial occlusion
Mitigations: "Partial occlusion is mitigated by manually ignoring touch events that have FLAG_WINDOW_IS_PARTIALLY_OBSCURED flag. There are no default protections against this scenario."
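The partial-occlusion check quoted above has to be written by hand; below is an added example of one way to do it (not code from this repository). It is a constructed `Button` subclass, `ObscuredAwareButton`, that turns on the framework's full-occlusion filter and additionally drops touches carrying `FLAG_WINDOW_IS_PARTIALLY_OBSCURED`, which only exists from Android 10 (API 29) onward.

```java
import android.content.Context;
import android.os.Build;
import android.util.AttributeSet;
import android.view.MotionEvent;
import android.widget.Button;

// Constructed example: a Button that ignores touches delivered while another
// window partially covers it. Full occlusion is handled by the framework once
// filterTouchesWhenObscured is enabled; partial occlusion has no default
// protection, so it is checked explicitly here.
public class ObscuredAwareButton extends Button {

    public ObscuredAwareButton(Context context, AttributeSet attrs) {
        super(context, attrs);
        // Same effect as android:filterTouchesWhenObscured="true" in the layout.
        setFilterTouchesWhenObscured(true);
    }

    // The framework calls this before onTouchEvent; returning false discards the event.
    @Override
    public boolean onFilterTouchEventForSecurity(MotionEvent event) {
        if (!super.onFilterTouchEventForSecurity(event)) {
            // Rejected by the built-in filter: the window was fully obscured.
            return false;
        }
        // Additional check the built-in filter does not perform.
        return !isPartiallyObscured(event);
    }

    // Kept separate so the flag test can be reasoned about on its own.
    static boolean isPartiallyObscured(MotionEvent event) {
        if (Build.VERSION.SDK_INT < Build.VERSION_CODES.Q) {
            // The partial-occlusion flag was added in API 29; on older
            // releases only full occlusion can be detected.
            return false;
        }
        return (event.getFlags() & MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED) != 0;
    }
}
```

Reference the class by its fully qualified name in the layout in place of `<Button>`; the `android:filterTouchesWhenObscured` attribute on the parent layout does not propagate to children, so each sensitive view needs its own protection.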