hacktricks/mobile-pentesting/android-app-pentesting/tapjacking.md

90 lines
6.3 KiB
Markdown
Raw Normal View History

# Tapjacking
<details>
2024-01-03 10:43:38 +00:00
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
2024-01-03 10:43:38 +00:00
Other ways to support HackTricks:
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
2024-01-03 10:43:38 +00:00
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
2024-02-09 00:36:13 +00:00
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
2024-01-03 10:43:38 +00:00
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
## **Basic Information**
**Tapjacking** is an attack where a **malicious** **application** is launched and **positions itself on top of a victim application**. Once it visibly obscures the victim app, its user interface is designed in such a way as to trick the user to interact with it, while it is passing the interaction along to the victim app.\
In effect, it is **blinding the user from knowing they are actually performing actions on the victim app**.
### Detection
In order to detect apps vulnerable to this attacked you should search for **exported activities** in the android manifest (note that an activity with an intent-filter is automatically exported by default). Once you have found the exported activities, **check if they require any permission**. This is because the **malicious application will need that permission also**.
### Protection
#### Android 12 (API 31,32) and higher
[**According to this source**](https://www.geeksforgeeks.org/tapjacking-in-android/)**,** tapjacking attacks are automatically prevented by Android from Android 12 (API 31 & 30) and higher. So, even if the application is vulnerable you **won't be able to exploit it**.
#### `filterTouchesWhenObscured`
If **`android:filterTouchesWhenObscured`** is set to **`true`**, the `View` will not receive touches whenever view's window is obscured by another visible window.
#### **`setFilterTouchesWhenObscured`**
The attribute **`setFilterTouchesWhenObscured`** set to true can also prevent the exploitation of this vulnerability if the Android version is lower.\
If set to **`true`**, for example, a button can be automatically **disabled if it is obscured**:
2024-02-08 03:08:28 +00:00
```xml
<Button android:text="Button"
android:id="@+id/button1"
android:layout_width="wrap_content"
android:layout_height="wrap_content"
android:filterTouchesWhenObscured="true">
</Button>
```
## Exploitation
### Tapjacking-ExportedActivity
2024-02-08 03:08:28 +00:00
The most **recent Android application** performing a Tapjacking attack (+ invoking before an exported activity of the attacked application) can be found in: [**https://github.com/carlospolop/Tapjacking-ExportedActivity**](https://github.com/carlospolop/Tapjacking-ExportedActivity).
Follow the **README instructions to use it**.
### FloatingWindowApp
An example project implementing **FloatingWindowApp**, which can be used to put on top of other activities to perform a clickjacking attack, can be fund in [**FloatingWindowApp**](https://github.com/aminography/FloatingWindowApp) (a bit old, good luck building the apk).
### Qark
{% hint style="danger" %}
It looks like this project is now unmaintained and this functionality isn't properly working anymore
{% endhint %}
You can use [**qark**](https://github.com/linkedin/qark) with the `--exploit-apk` --sdk-path `/Users/username/Library/Android/sdk` parameters to create a malicious application to test for possible **Tapjacking** vulnerabilities.\
The mitigation is relatively simple as the developer may choose not to receive touch events when a view is covered by another. Using the [Android Developers Reference](https://developer.android.com/reference/android/view/View#security):
> Sometimes it is essential that an application be able to verify that an action is being performed with the full knowledge and consent of the user, such as granting a permission request, making a purchase or clicking on an advertisement. Unfortunately, a malicious application could try to spoof the user into performing these actions, unaware, by concealing the intended purpose of the view. As a remedy, the framework offers a touch filtering mechanism that can be used to improve the security of views that provide access to sensitive functionality.
>
> To enable touch filtering, call [`setFilterTouchesWhenObscured(boolean)`](https://developer.android.com/reference/android/view/View#setFilterTouchesWhenObscured%28boolean%29) or set the android:filterTouchesWhenObscured layout attribute to true. When enabled, the framework will discard touches that are received whenever the view's window is obscured by another visible window. As a result, the view will not receive touches whenever a toast, dialog or other window appears above the view's window.
<details>
2024-01-03 10:43:38 +00:00
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
2024-01-03 10:43:38 +00:00
Other ways to support HackTricks:
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
2024-01-03 10:43:38 +00:00
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
2024-02-09 00:36:13 +00:00
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
2024-01-03 10:43:38 +00:00
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>