Tapjacking is a security problem that occurs when the app’s screen is completely or partially obscured by an overlay window. The overlay window can be created in a way that lets the user’s taps pass through it into the app below. This way the user can be tricked into tapping in one app while they think they are tapping in a different app (the overlay window).
Malwarelytics for Android tries to prevent tapjacking by disabling click events when the app screen is at least partially obscured by another app’s window and at least one of the apps capable of creating such overlays is deemed “problematic”.
The sensitivity of the tapjacking protection can be defined in the SDK configuration.
Limitation of Tapjacking Protection
Limitations of Android APIs restrict an app’s ability to identify the culprit app that is creating the overlay. Android APIs only allow an app to obtain the list of apps that are capable of doing so.
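The two platform building blocks behind the protection described above, as an added example (this is not Malwarelytics SDK code): enumerating the apps that hold the overlay permission via `PackageManager`, which is all Android exposes, and rejecting taps delivered while the window is obscured using `filterTouchesWhenObscured` and `MotionEvent.FLAG_WINDOW_IS_OBSCURED`. The class and function names are assumptions.

```kotlin
import android.Manifest
import android.content.Context
import android.content.pm.PackageInfo
import android.content.pm.PackageManager
import android.os.Build
import android.util.AttributeSet
import android.util.Log
import android.view.MotionEvent
import android.widget.Button

/**
 * Package names of installed apps that have been granted SYSTEM_ALERT_WINDOW,
 * i.e. apps *capable* of drawing overlays. Android does not reveal which of
 * them is drawing an overlay right now; that is the limitation noted above.
 * Note: on Android 11+ the result is limited by package visibility rules
 * unless the app declares QUERY_ALL_PACKAGES or <queries> entries.
 */
fun appsCapableOfOverlays(context: Context): List<String> {
    val pm = context.packageManager
    return pm.getInstalledPackages(PackageManager.GET_PERMISSIONS)
        .filter { info: PackageInfo -> holdsOverlayPermission(info) }
        .map { it.packageName }
}

private fun holdsOverlayPermission(info: PackageInfo): Boolean {
    val requested = info.requestedPermissions ?: return false
    val flags = info.requestedPermissionsFlags ?: return false
    val idx = requested.indexOf(Manifest.permission.SYSTEM_ALERT_WINDOW)
    if (idx < 0 || idx >= flags.size) return false
    // Only count the permission if it is actually granted, not merely requested.
    return (flags[idx] and PackageInfo.REQUESTED_PERMISSION_GRANTED) != 0
}

/**
 * A button that drops taps delivered while another window covers it.
 * filterTouchesWhenObscured alone makes the framework discard such events;
 * the override repeats the check explicitly so a rejected tap can be logged
 * for diagnostics. Partial obscuring is only reported from Android 10 (API 29).
 */
class ObscuredAwareButton @JvmOverloads constructor(
    context: Context,
    attrs: AttributeSet? = null
) : Button(context, attrs) {

    init {
        filterTouchesWhenObscured = true
    }

    override fun onFilterTouchEventForSecurity(event: MotionEvent): Boolean {
        val fully = (event.flags and MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0
        val partially = Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q &&
            (event.flags and MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED) != 0
        if (fully || partially) {
            // The tap is silently ignored; the user sees no reaction, as described above.
            Log.w("Tapjacking", "tap rejected: window obscured (full=$fully, partial=$partially)")
            return false
        }
        return super.onFilterTouchEventForSecurity(event)
    }
}
```

The list returned by `appsCapableOfOverlays` is the kind of input an SDK can use to decide whether any overlay-capable app is “problematic”; the button shows why an app under protection appears unresponsive rather than broken: the framework delivers the tap, but the view refuses it.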
Tapjacking Protection on Dialogs
Tapjacking protection doesn’t work on dialogs.
Regardless of how a dialog is created, the contents of the dialog receive taps through an overlay.
Troubleshooting for Users
When the protection is on, the app will not react to user taps unless at least one of these conditions holds:
- No app is actively creating an overlay window above the app.
- All “problematic” apps capable of creating overlays are uninstalled.
The SDK tries to make the troubleshooting process as simple as possible. The app developer is provided with the list of “problematic” apps triggering the protection and with a way to easily navigate the user to the system settings where overlays can be turned off.
The SDK offers a utility method that opens the system settings responsible for granting or revoking the system overlay permission for installed apps. To open the settings call:
The user of the device can then adjust the settings to make the app respond to taps again.
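What such a utility does underneath, as an added example that is not the SDK’s own method: it launches the platform’s `ACTION_MANAGE_OVERLAY_PERMISSION` settings screen (available since Android 6.0), optionally deep-linked to one package. The function name and the optional package parameter are assumptions.

```kotlin
import android.content.Context
import android.content.Intent
import android.net.Uri
import android.os.Build
import android.provider.Settings

/**
 * Opens the "Display over other apps" system settings.
 * Without a package the full list of apps is shown, which is what the user
 * needs when the overlay's origin is unknown; with a package name the intent
 * data deep-links to that app's toggle on devices that honour it.
 * Returns false when the screen does not exist on this Android version.
 */
fun openOverlaySettings(context: Context, packageName: String? = null): Boolean {
    if (Build.VERSION.SDK_INT < Build.VERSION_CODES.M) return false // no per-app overlay toggle before 6.0
    val intent = if (packageName != null) {
        Intent(Settings.ACTION_MANAGE_OVERLAY_PERMISSION, Uri.parse("package:$packageName"))
    } else {
        Intent(Settings.ACTION_MANAGE_OVERLAY_PERMISSION)
    }
    // Needed when called from a non-Activity context (e.g. an SDK-owned helper).
    intent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK)
    return if (intent.resolveActivity(context.packageManager) != null) {
        context.startActivity(intent)
        true
    } else {
        false // some OEM builds strip this settings screen
    }
}
```

Pairing this with the list of “problematic” apps lets the app open the settings screen directly for each offending package, so the user does not have to search for it.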