Android was built with high expectations, what with being based on the Linux OS model and all that. One would normally expect Android to be at least as secure as a typical Linux box, if not more. Alas, a secure Android remains a distant dream, even after the Marshmallow release. A case in point is an Android attack known as Tapjacking. A combination of “tap” and “jacking”, Tapjacking literally means someone hijacking what a user taps on his smartphone. It is one of the most vicious Android hacks known, as it doesn’t rely on any external tools or libraries, or even special permissions! To understand what Tapjacking is and how it works, let us begin with the basics.
Raise a toast
It all begins with the humble toast message. A cute little ephemeral thing that’s gone from your screen by the time you notice it. Its typical use is providing non-critical notifications to the user. The user isn’t expected to interact with it (because there’s no way he can) and there’s no way to make the toast message stay indefinitely.
Now let us put down the toast (no pun intended!) for a while and learn about another related concept: screen overlays.
The world of screen overlays
Screen overlays are those translucent layers of UI that you get sometimes. For instance, if you’re using Android 6 and are launching an app for the first time, you will be asked to confirm and grant all its critical permissions. The dialog box that opens at that time, the one that causes the rest of the screen to gray out while still allowing you to see what’s underneath, is a screen overlay.
Now, screen overlays are actually an incredibly cool feature. Remember the floating chat bubbles used by Facebook Messenger? Can you guess what makes them possible? Yes, it’s screen overlays!
So, what’s all this got to do with Tapjacking? Let’s dive in.
How screen overlays result in Tapjacking
Now, here’s the crux of the whole idea: when you’re in the process of granting a critical permission to an app, there should not be any screen overlay active. We say “should not” because the actual implementation of this security idea is messed up pretty badly.
When this protection is active, Android will not let you interact with the underlying UI while an overlay is on screen.
Why is that? That’s because an active screen overlay can listen for taps and intercept any information being passed to the underlying activity, right from passwords to credit card information! A scary prospect, to say the least.
And how would an attacker create a sneaky overlay? This is where the concept of a toast returns. While we as developers have the image of a tiny, short-lived rectangle etched in our brains when toasts are mentioned, there’s nothing stopping a toast from being larger and including different forms of content, such as an image. And what about the lifetime of a toast? Here the clever attacker can make use of the inbuilt Android Timer: as soon as the timer runs out, the toast is redrawn on screen, giving the illusion of permanence. Done cleverly, a toast can be used for anything from listening for taps to presenting false password inputs to users.
It should be obvious by now why Tapjacking is a near-impossible exploit to stop: it just doesn’t do anything intrusive.
How to prevent Android Tapjacking
If you look closely, Tapjacking is really simple to prevent. As long as your Android doesn’t allow activities to gather input while an overlay is active, all is fine in app land. The reality, unfortunately, is grim. This security setting was disabled by default in Android 4.0.3 and before, making those versions the most infamous in Android history.
The gap was subsequently plugged and everyone was happy with the security model of Android 6. However, for reasons unknown, the Google developers again decided to turn off this setting in version 6.0.1, resulting in several cases of compromised user data. One reason seems to be that Google thought users wanted convenience more than the annoyance of setting permissions all the time, but the price for negligence has been too high.
So what can you do?
If you’re a user, simply hop over to your Settings area and find the section that deals with overlay screens. It should be called either “Apps that can appear on top” or apps that “Draw over other apps”. If you’re still not sure, a simple Google search for your phone make will reveal the setting.
If you’re a developer, please relate to the plight of users and add the following to your pre-release checklist: ensure that the View attribute filterTouchesWhenObscured is set to true on your sensitive views, or that the method onFilterTouchEventForSecurity() is overridden in your app.
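As an added illustration (this is not code from the original post), here is a custom Button in Java that applies both recommendations at once: it enables filterTouchesWhenObscured programmatically, and it overrides onFilterTouchEventForSecurity() so that a tap arriving while another window covers the view is dropped and logged instead of reaching the click listener. The class name SecureActionButton is hypothetical; the partially-obscured check assumes Android 10 (API 29) or later, where that flag exists.

```java
import android.content.Context;
import android.os.Build;
import android.util.AttributeSet;
import android.util.Log;
import android.view.MotionEvent;
import android.widget.Button;

// Hypothetical class name: a button used for security-sensitive actions
// (login, payment, permission confirmation) that refuses overlaid touches.
public class SecureActionButton extends Button {
    private static final String TAG = "SecureActionButton";

    public SecureActionButton(Context context) {
        super(context);
        init();
    }

    public SecureActionButton(Context context, AttributeSet attrs) {
        super(context, attrs);
        init();
    }

    private void init() {
        // Same effect as android:filterTouchesWhenObscured="true" in layout XML:
        // the framework discards touches delivered while a window covers this view.
        setFilterTouchesWhenObscured(true);
    }

    @Override
    public boolean onFilterTouchEventForSecurity(MotionEvent event) {
        // The default View implementation already rejects events that carry
        // FLAG_WINDOW_IS_OBSCURED when filtering is enabled. This override also
        // rejects partially obscured windows (API 29+) and records the rejection
        // so the app can warn the user or report it to telemetry.
        int flags = event.getFlags();
        boolean obscured = (flags & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0;
        boolean partiallyObscured = Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q
                && (flags & MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED) != 0;
        if (obscured || partiallyObscured) {
            Log.w(TAG, "Touch dropped: window obscured by an overlay (flags=0x"
                    + Integer.toHexString(flags) + ")");
            return false; // not dispatched; the tap never reaches OnClickListener
        }
        return super.onFilterTouchEventForSecurity(event);
    }
}
```

Use the class in place of Button for the views that confirm sensitive actions; views that keep the plain attribute in XML are covered by the framework's default check only.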
Tapjacking is not rocket science
To conclude, we’d like to say that understanding and preventing Tapjacking is not rocket science at all. It’s a very simple exploit that relies on laziness on the part of Google and/or app developers, and on a lack of awareness among users. However, now you know better.