Tapjacking Protection
Tapjacking is a security issue that occurs when the app screen is completely or partially obscured by an overlay window. The user can be tricked into thinking that they are interacting with the overlay. However, their input (a tap) can instead perform actions in the underlying app.
Malwarelytics for Android tries to prevent tapjacking. This is done by preventing click events when a part of the app screen is obscured by an overlay and at least one app that can create such overlays is deemed “problematic”.
Tapjacking protection sensitivity is configurable in the SDK.
Limitations
Identifying Tapjacking Culprit
Android APIs prevent an app from determining specifically which other app is creating an overlay; it is only possible to obtain a list of apps that are capable of doing so. Utilizing data obtained by Anti-Malware feature tapjacking protection can identify which of these apps are indeed “problematic”.
Tapjacking protection sensitivity is ignored when Anti-Malware feature is disabled in AntivirusConfig
. In such case the SDK cannot distinguish which apps are problematic and all apps capable of creating overlays are marked as “problematic”. In this case it’s recommended not to use tapjacking protection because of a significant risk of false positives.
Protecting Dialogs
Tapjacking protection doesn’t work on dialogs because the contents of a dialog receive taps through an overlay regardless of the way the dialog is created.
Configuration
This feature can be configured during the Malwarelytics initialization phase:
val raspConfig = RaspConfig.Builder()
.blockTapjacking(Boolean)
.ignoreTapjackingSystemApps(Boolean)
.blockTapjackingSensitivity(ThreatIndex)
// configuration of other RASP features
.build()
Method | Description |
---|---|
blockTapjacking(Boolean) |
indicates whether tapjacking should be blocked. Defaults to true . However, tapjacking is not blocked unless a “problematic” app is installed on the device. An app is deemed “problematic” when it meets sensitivity criteria defined by blockTapjackingSensitivity . |
ignoreTapjackingSystemApps(Boolean) |
indicates whether tapjacking protection should ignore system apps in the checks. Defaults to false . If set to true all system apps will be ignored and tapjacking will get blocked only if a non-system “problematic” app is present. |
blockTapjackingSensitivity(ThreatIndex) |
defines tapjacking protection sensitivity. Defaults to ThreatIndex.HIGHLY_DANGEROUS . |
Usage
After initialization, the tapjacking protection feature can be accessed via RaspManager
. This can be used to register an observer or to trigger a manual tapjacking detection check.
Registering an Observer
Tapjacking detection can trigger a certain action. To achieve that, an observer needs to be configured and registered.
Observer configuration:
val raspObserver = object : RaspObserver {
override fun onTapjackingDetected(tapjackingDetection: TapjackingDetection) {
// handle tapjacking detection
}
// handle detection of other RASP features
}
The observer can be registered in RaspManager
. When it is no longer needed, it can be unregistered again.
raspManager.registerRaspObserver(raspObserver)
raspManager.unregisterRaspObserver(raspObserver)
Triggering a Manual Check
Tapjacking detection check can be triggered manually in RaspManager
. Two methods are available. isBadTapjackingCapableAppPresent()
indicates whether any apps deemed “problematic” are installed on the device. getTapjackingDetection()
provides more details about tapjacking protection configuration. The returned data depend on the configuration - both on the sensitivity and on ignoring system apps.
val isBadTapjackingCapableAppPresent = raspManager.isBadTapjackingCapableAppPresent()
val tapjackingDetection = raspManager.getTapjackingDetection()
Tapjacking protection feature is applied to app’s activities. Details about behaviour and APIs relevant to activity protection can be found in Activity protection.
Troubleshooting for Users
The SDK tries to simplify a potential troubleshooting process as much as possible. The app developer is provided with a list of “problematic” apps triggering the protection. Furthermore, the SDK offers a utility method that opens the system settings responsible for granting/removing the system overlay permission for installed apps:
RaspUtilities.openSystemOverlaySettings(Context)
The device user can then adjust the settings to make the app respond to clicks again.
More information on general RASP feature configuration and usage can be found in this overview.