pichillilorenzo / flutter_inappwebview

A Flutter plugin that allows you to add an inline webview, to use a headless webview, and to open an in-app browser window.
https://inappwebview.dev
Apache License 2.0

[Android][Security] How to prevent Tapjacking #2002

Open ShuheiSuzuki-07 opened 7 months ago

ShuheiSuzuki-07 commented 7 months ago

Environment

| Technology | Version |
| --- | --- |
| Flutter version | 3.3.10 |
| Plugin version | ~6.0.0 |
| Android version | Android 11 or lower |
| iOS version | - |
| macOS version | - |
| Xcode version | - |
| Google Chrome version | - |

Device information:

Description

Expected behavior: Inability to perform Tapjacking

Current behavior: Tapjacking is possible on InAppBrowser

Learn more about Tapjacking https://developer.android.com/privacy-and-security/risks/tapjacking?hl=ja#risk_full_occlusion

Steps to reproduce

  1. Launch the Tapjacking attack app (this app is not harmful).
  2. Auto start example app
  3. Confirm that InAppBrowser can be operated under the Tapjacking app.

Images

attack

tapjacking demo app

Demo app is below tapjackingdemo.apk.zip

The source code for demo app is below Tapjacking-ExportedActivity.zip

github-actions[bot] commented 7 months ago

👋 @ShuheiSuzuki-07

NOTE: This comment is auto-generated.

Are you sure you have already searched for the same problem?

Some people open new issues but they didn't search for something similar or for the same issue. Please, search for it using the GitHub issue search box or on the official inappwebview.dev website, or, also, using Google, StackOverflow, etc. before posting a new one. You may already find an answer to your problem!

If this is really a new issue, then thank you for raising it. I will investigate it and get back to you as soon as possible. Please, make sure you have given me as much context as possible! Also, if you didn't already, post a code example that can replicate this issue.

In the meantime, you can already search for some possible solutions online! Because this plugin uses native WebView, you can search online for the same issue adding android WebView [MY ERROR HERE] or ios WKWebView [MY ERROR HERE] keywords.

Following these steps can save you, me, and other people a lot of time, thanks!

pichillilorenzo commented 7 months ago

Thanks, I didn’t know about that! I will add some settings to enable/disable the specific View settings as written in the Android URL docs.

ShuheiSuzuki-07 commented 7 months ago

@pichillilorenzo Thanks for the quick reply. I am happy to be of service. I will send you the APK file of the app to try Tapjacking in action, as well as the APK file of the app. I have also attached the source code in case you are unsure about running the APK file. Please do not hesitate to contact me.

Avijaygovinda commented 6 months ago

@ShuheiSuzuki-07 Hi, can you please share with us how to prevent tapjacking? It will be helpful for lots of Flutter developers.

ShuheiSuzuki-07 commented 6 months ago

@Avijaygovinda

I am not a security expert but I will answer. For Flutter apps, just incorporate the following code into the onCreate method of MainActivity.kt.

    val view = findViewById<View>(android.R.id.content).rootView
    view.filterTouchesWhenObscured = true

But if you are using InAppBrowser in flutter_inappwebview it will work in a different Activity than MainActivity. Therefore, it is necessary for the creator of the plugin to take care of this. So I opened this issue. If you want to prevent TapJacking only on MainActivity, you can use the method described above.
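
An added example, not part of the issue thread or the plugin's code: one way an app could apply the same flag to every Activity in its process rather than only MainActivity, using `Application.registerActivityLifecycleCallbacks`. The class and package names are hypothetical, and whether this covers the plugin's InAppBrowser Activity is an assumption that has not been checked against the plugin.

```kotlin
package com.example.app // hypothetical package name

import android.app.Activity
import android.app.Application
import android.os.Bundle

// Hypothetical Application subclass. Register it with android:name on the
// <application> element in AndroidManifest.xml so that it is instantiated.
class TapjackingGuardApp : Application() {

    override fun onCreate() {
        super.onCreate()
        // Called for every Activity created in this process, including
        // Activities declared by libraries and plugins.
        registerActivityLifecycleCallbacks(ObscuredTouchFilter)
    }

    private object ObscuredTouchFilter : Application.ActivityLifecycleCallbacks {

        // onActivityStarted runs after the Activity's own onCreate, so the
        // content view is already installed, and before the Activity is
        // resumed and can receive touch input.
        override fun onActivityStarted(activity: Activity) {
            // The decor view is the root ViewGroup of the Activity's window.
            // With the flag set there, a touch that passed through another
            // visible window covering the touched area is dropped before it
            // reaches any child view, a WebView included.
            activity.window.decorView.filterTouchesWhenObscured = true
        }

        // Remaining callbacks are required by the interface and unused here.
        override fun onActivityCreated(activity: Activity, savedInstanceState: Bundle?) {}
        override fun onActivityResumed(activity: Activity) {}
        override fun onActivityPaused(activity: Activity) {}
        override fun onActivityStopped(activity: Activity) {}
        override fun onActivitySaveInstanceState(activity: Activity, outState: Bundle) {}
        override fun onActivityDestroyed(activity: Activity) {}
    }
}
```

Dialogs and popups are separate windows with their own root views, so this callback does not set the flag on them.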

Avijaygovinda commented 6 months ago

@ShuheiSuzuki-07 Sorry to disturb you, I have a requirement to restrict tapjacking in my Flutter app.

    import android.os.Bundle
    import android.view.View
    import io.flutter.embedding.android.FlutterActivity

    class MainActivity : FlutterActivity() {
        override fun onCreate(savedInstanceState: Bundle?) {
            super.onCreate(savedInstanceState)

            // Retrieve the root view of the activity
            val rootView = findViewById<View>(android.R.id.content).rootView

            // Set the filterTouchesWhenObscured property to true
            rootView.filterTouchesWhenObscured = true
        }
    }

I used this code, but I think it's not working as expected, because I am checking with an app which is tapjacking: a window will appear on the app, and that window still appears when I added the code provided above, so please, if you know any solutions, share them with us.

@pichillilorenzo, @daanporon, @kamilpowalowski, if anyone has any solution, please share it with us, it will be helpful for me.

Thank you

ShuheiSuzuki-07 commented 5 months ago

@Avijaygovinda

Let me put the matter straight once and for all.

You put in the rootView.filterTouchesWhenObscured = true response. But tapjacking demo app has been activated. Am I correct in my understanding that this is the case?

If this understanding is correct, it is not a problem that tapjacking demo app is launched.

In case of a TapJacking attack, the tapjacking demo app will be launched, and furthermore, your app behind it can be manipulated. If the countermeasure is working, tapjacking demo app will be launched, but your app behind it will not be able to operate.

In other words, the TapJacking attack is transparent to the app behind the rogue app.

As a side note, the purpose of this issue is only to present the problem with this plugin. Please keep in mind that we don't all want things to go too far off-topic.