mirror of
https://github.com/carlospolop/hacktricks
synced 2024-12-24 20:13:37 +00:00
101 lines
6.6 KiB
Markdown
101 lines
6.6 KiB
Markdown
|
# Tapjacking
|
|||
|
|
|||
|
{% hint style="success" %}
|
|||
|
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
|||
|
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
|||
|
|
|||
|
<details>
|
|||
|
|
|||
|
<summary>Support HackTricks</summary>
|
|||
|
|
|||
|
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
|
|||
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
|||
|
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
|||
|
|
|||
|
</details>
|
|||
|
{% endhint %}
|
|||
|
|
|||
|
<figure><img src="https://pentest.eu/RENDER_WebSec_10fps_21sec_9MB_29042024.gif" alt=""><figcaption></figcaption></figure>
|
|||
|
|
|||
|
{% embed url="https://websec.nl/" %}
|
|||
|
|
|||
|
|
|||
|
## **Basic Information**
|
|||
|
|
|||
|
**Tapjacking** is an attack where a **malicious** **application** is launched and **positions itself on top of a victim application**. Once it visibly obscures the victim app, its user interface is designed in such a way as to trick the user to interact with it, while it is passing the interaction along to the victim app.\
|
|||
|
In effect, it is **blinding the user from knowing they are actually performing actions on the victim app**.
|
|||
|
|
|||
|
### Detection
|
|||
|
|
|||
|
In order to detect apps vulnerable to this attacked you should search for **exported activities** in the android manifest (note that an activity with an intent-filter is automatically exported by default). Once you have found the exported activities, **check if they require any permission**. This is because the **malicious application will need that permission also**.
|
|||
|
|
|||
|
### Protection
|
|||
|
|
|||
|
#### Android 12 (API 31,32) and higher
|
|||
|
|
|||
|
[**According to this source**](https://www.geeksforgeeks.org/tapjacking-in-android/)**,** tapjacking attacks are automatically prevented by Android from Android 12 (API 31 & 30) and higher. So, even if the application is vulnerable you **won't be able to exploit it**.
|
|||
|
|
|||
|
#### `filterTouchesWhenObscured`
|
|||
|
|
|||
|
If **`android:filterTouchesWhenObscured`** is set to **`true`**, the `View` will not receive touches whenever view's window is obscured by another visible window.
|
|||
|
|
|||
|
#### **`setFilterTouchesWhenObscured`**
|
|||
|
|
|||
|
The attribute **`setFilterTouchesWhenObscured`** set to true can also prevent the exploitation of this vulnerability if the Android version is lower.\
|
|||
|
If set to **`true`**, for example, a button can be automatically **disabled if it is obscured**:
|
|||
|
|
|||
|
```xml
|
|||
|
<Button android:text="Button"
|
|||
|
android:id="@+id/button1"
|
|||
|
android:layout_width="wrap_content"
|
|||
|
android:layout_height="wrap_content"
|
|||
|
android:filterTouchesWhenObscured="true">
|
|||
|
</Button>
|
|||
|
```
|
|||
|
|
|||
|
## Exploitation
|
|||
|
|
|||
|
### Tapjacking-ExportedActivity
|
|||
|
|
|||
|
The most **recent Android application** performing a Tapjacking attack (+ invoking before an exported activity of the attacked application) can be found in: [**https://github.com/carlospolop/Tapjacking-ExportedActivity**](https://github.com/carlospolop/Tapjacking-ExportedActivity).
|
|||
|
|
|||
|
Follow the **README instructions to use it**.
|
|||
|
|
|||
|
### FloatingWindowApp
|
|||
|
|
|||
|
An example project implementing **FloatingWindowApp**, which can be used to put on top of other activities to perform a clickjacking attack, can be found in [**FloatingWindowApp**](https://github.com/aminography/FloatingWindowApp) (a bit old, good luck building the apk).
|
|||
|
|
|||
|
### Qark
|
|||
|
|
|||
|
{% hint style="danger" %}
|
|||
|
It looks like this project is now unmaintained and this functionality isn't properly working anymore
|
|||
|
{% endhint %}
|
|||
|
|
|||
|
You can use [**qark**](https://github.com/linkedin/qark) with the `--exploit-apk` --sdk-path `/Users/username/Library/Android/sdk` parameters to create a malicious application to test for possible **Tapjacking** vulnerabilities.\
|
|||
|
|
|||
|
|
|||
|
The mitigation is relatively simple as the developer may choose not to receive touch events when a view is covered by another. Using the [Android Developer’s Reference](https://developer.android.com/reference/android/view/View#security):
|
|||
|
|
|||
|
> Sometimes it is essential that an application be able to verify that an action is being performed with the full knowledge and consent of the user, such as granting a permission request, making a purchase or clicking on an advertisement. Unfortunately, a malicious application could try to spoof the user into performing these actions, unaware, by concealing the intended purpose of the view. As a remedy, the framework offers a touch filtering mechanism that can be used to improve the security of views that provide access to sensitive functionality.
|
|||
|
>
|
|||
|
> To enable touch filtering, call [`setFilterTouchesWhenObscured(boolean)`](https://developer.android.com/reference/android/view/View#setFilterTouchesWhenObscured%28boolean%29) or set the android:filterTouchesWhenObscured layout attribute to true. When enabled, the framework will discard touches that are received whenever the view's window is obscured by another visible window. As a result, the view will not receive touches whenever a toast, dialog or other window appears above the view's window.
|
|||
|
|
|||
|
<figure><img src="https://pentest.eu/RENDER_WebSec_10fps_21sec_9MB_29042024.gif" alt=""><figcaption></figcaption></figure>
|
|||
|
|
|||
|
{% embed url="https://websec.nl/" %}
|
|||
|
|
|||
|
{% hint style="success" %}
|
|||
|
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
|||
|
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
|||
|
|
|||
|
<details>
|
|||
|
|
|||
|
<summary>Support HackTricks</summary>
|
|||
|
|
|||
|
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
|
|||
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
|||
|
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
|||
|
|
|||
|
</details>
|
|||
|
{% endhint %}
|