hacktricks/mobile-pentesting/android-app-pentesting/tapjacking.md

# Tapjacking

<details>

<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>

Njia nyingine za kusaidia HackTricks:

* Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA USAJILI**](https://github.com/sponsors/carlospolop)!
* Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.

</details>

<figure><img src="https://pentest.eu/RENDER_WebSec_10fps_21sec_9MB_29042024.gif" alt=""><figcaption></figcaption></figure>

{% embed url="https://websec.nl/" %}


## **Maelezo Msingi**

**Tapjacking** ni shambulio ambapo **programu mbaya** inazinduliwa na **kujipanga juu ya programu ya mwathiriwa**. Mara tu inapofunika programu ya mwathiriwa, kiolesura chake cha mtumiaji kimeundwa kwa njia ambayo inadanganya mtumiaji kuingiliana nacho, wakati inapitisha uingiliano kwa programu ya mwathiriwa.\
Kimsingi, inamfanya mtumiaji **ashindwe kujua kwamba wanafanya vitendo kwenye programu ya mwathiriwa**.

### Uchunguzi

Ili kugundua programu zinazoweza kushambuliwa na hili, unapaswa kutafuta **shughuli zilizotolewa** kwenye mwongozo wa android (kumbuka kwamba shughuli na intent-filter zinazotolewa kwa chaguo-msingi). Mara baada ya kupata shughuli zilizotolewa, **angalia kama zinahitaji idhini yoyote**. Hii ni kwa sababu **programu mbaya itahitaji idhini hiyo pia**.

### Kinga

#### Android 12 (API 31,32) na zaidi

[**Kulingana na chanzo hiki**](https://www.geeksforgeeks.org/tapjacking-in-android/)**,** mashambulio ya tapjacking yanazuiliwa moja kwa moja na Android kutoka Android 12 (API 31 & 30) na zaidi. Kwa hivyo, hata kama programu inaweza kuwa na kasoro hutaweza **kuitumia**.

#### `filterTouchesWhenObscured`

Ikiwa **`android:filterTouchesWhenObscured`** imewekwa kuwa **`kweli`**, `View` haitapokea kugusa wakati dirisha la maoni linapofunikwa na dirisha lingine linaloonekana.

#### **`setFilterTouchesWhenObscured`**

Sifa **`setFilterTouchesWhenObscured`** ikiwekwa kuwa kweli inaweza pia kuzuia kutumia kasoro hii ikiwa toleo la Android ni la chini.\
Ikiwekwa kuwa **`kweli`**, kwa mfano, kitufe kinaweza **kulemazwa moja kwa moja ikiwa kimefunikwa**:
```xml
<Button android:text="Button"
android:id="@+id/button1"
android:layout_width="wrap_content"
android:layout_height="wrap_content"
android:filterTouchesWhenObscured="true">
</Button>
```
## Utekaji

### Tapjacking-ExportedActivity

**Programu ya hivi karibuni ya Android** inayotekeleza shambulio la Tapjacking (+ kuita kabla ya shughuli iliyotolewa ya programu iliyoshambuliwa) inaweza kupatikana hapa: [**https://github.com/carlospolop/Tapjacking-ExportedActivity**](https://github.com/carlospolop/Tapjacking-ExportedActivity).

Fuata **maagizo ya README** ili kuitumia.

### FloatingWindowApp

Mradi wa mfano unaoendeleza **FloatingWindowApp**, ambao unaweza kutumika kuweka juu ya shughuli zingine kutekeleza shambulio la clickjacking, unaweza kupatikana hapa [**FloatingWindowApp**](https://github.com/aminography/FloatingWindowApp) (kidogo umri, bahati njema kujenga apk).

### Qark

{% hint style="danger" %}
Inaonekana kama mradi huu sasa hauendelezwi tena na hii kazi haifanyi kazi ipasavyo tena
{% endhint %}

Unaweza kutumia [**qark**](https://github.com/linkedin/qark) na vigezo `--exploit-apk` --sdk-path `/Users/username/Library/Android/sdk` ili kuunda programu yenye nia mbaya kufanya majaribio ya uwezekano wa mapungufu ya **Tapjacking**.

Kupunguza hatari ni rahisi kwa sababu mwandishi wa programu anaweza kuchagua kutokupokea matukio ya kugusa wakati maoni yanafunikwa na mengine. Kutumia [Marejeleo ya Developer wa Android](https://developer.android.com/reference/android/view/View#security):

> Mara kwa mara ni muhimu kwamba programu iweze kuthibitisha kwamba hatua inafanywa kwa idhini kamili ya mtumiaji, kama vile kutoa ombi la idhini, kufanya ununuzi au bonyeza tangazo. Kwa bahati mbaya, programu inayodhuru inaweza kujaribu kudanganya mtumiaji kufanya hatua hizi, bila kujua, kwa kuficha lengo la maoni. Kama tiba, mfumo hutoa mbinu ya kuchuja kugusa ambayo inaweza kutumika kuboresha usalama wa maoni yanayotoa ufikiaji wa kazi nyeti.
>
> Ili kuwezesha kuchuja kugusa, piga simu [`setFilterTouchesWhenObscured(boolean)`](https://developer.android.com/reference/android/view/View#setFilterTouchesWhenObscured%28boolean%29) au weka sifa ya mpangilio ya android:filterTouchesWhenObscured kuwa kweli. Ikiwa imeanzishwa, mfumo utatupa kugusa zinazopokelewa wakati wowote dirisha la maoni linapositishwa na dirisha lingine linaloonekana. Matokeo yake, maoni hayatapokea kugusa wakati wowote toast, dirisha au dirisha lingine linaonekana juu ya dirisha la maoni.

<figure><img src="https://pentest.eu/RENDER_WebSec_10fps_21sec_9MB_29042024.gif" alt=""><figcaption></figcaption></figure>

{% embed url="https://websec.nl/" %}

<details>

<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

Njia nyingine za kusaidia HackTricks:

* Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
GITBOOK-4052: change request with no subject merged in GitBook 2023-08-25 11:36:13 +00:00			`# Tapjacking`

			`<details>`

Translated ['binary-exploitation/rop-return-oriented-programing/ret2lib/ 2024-04-07 23:01:11 +00:00			`<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>`
GITBOOK-4052: change request with no subject merged in GitBook 2023-08-25 11:36:13 +00:00
Translated to Swahili 2024-02-11 02:13:58 +00:00			`Njia nyingine za kusaidia HackTricks:`
arte 2024-01-03 10:43:38 +00:00
Translated ['binary-exploitation/rop-return-oriented-programing/ret2lib/ 2024-05-02 15:14:31 +00:00			`* Ikiwa unataka kuona kampuni yako ikitangazwa kwenye HackTricks au kupakua HackTricks kwa PDF Angalia [MIPANGO YA USAJILI](https://github.com/sponsors/carlospolop)!`
Translated ['binary-exploitation/rop-return-oriented-programing/ret2lib/ 2024-04-07 23:01:11 +00:00			`* Pata [bidhaa rasmi za PEASS & HackTricks](https://peass.creator-spring.com)`
			`* Gundua [Familia ya PEASS](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [NFTs](https://opensea.io/collection/the-peass-family) ya kipekee`
			`* Jiunge na 💬 [Kikundi cha Discord](https://discord.gg/hRep4RUj7f) au kikundi cha [telegram](https://t.me/peass) au tufuate kwenye Twitter 🐦 [@carlospolopm](https://twitter.com/hacktricks_live).`
			`* Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwa [HackTricks](https://github.com/carlospolop/hacktricks) na [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) repos za github.`
GITBOOK-4052: change request with no subject merged in GitBook 2023-08-25 11:36:13 +00:00
			`</details>`

Translated ['binary-exploitation/rop-return-oriented-programing/ret2lib/ 2024-05-02 15:14:31 +00:00			`<figure><img src="https://pentest.eu/RENDER_WebSec_10fps_21sec_9MB_29042024.gif" alt=""><figcaption></figcaption></figure>`
GITBOOK-4052: change request with no subject merged in GitBook 2023-08-25 11:36:13 +00:00
Translated ['binary-exploitation/rop-return-oriented-programing/ret2lib/ 2024-04-07 23:01:11 +00:00			`{% embed url="https://websec.nl/" %}`


			`## Maelezo Msingi`

Translated ['binary-exploitation/rop-return-oriented-programing/ret2lib/ 2024-05-02 15:14:31 +00:00			`Tapjacking ni shambulio ambapo programu mbaya inazinduliwa na kujipanga juu ya programu ya mwathiriwa. Mara tu inapofunika programu ya mwathiriwa, kiolesura chake cha mtumiaji kimeundwa kwa njia ambayo inadanganya mtumiaji kuingiliana nacho, wakati inapitisha uingiliano kwa programu ya mwathiriwa.\`
			`Kimsingi, inamfanya mtumiaji ashindwe kujua kwamba wanafanya vitendo kwenye programu ya mwathiriwa.`
GITBOOK-4052: change request with no subject merged in GitBook 2023-08-25 11:36:13 +00:00
Translated to Swahili 2024-02-11 02:13:58 +00:00			`### Uchunguzi`
GITBOOK-4052: change request with no subject merged in GitBook 2023-08-25 11:36:13 +00:00
Translated ['binary-exploitation/rop-return-oriented-programing/ret2lib/ 2024-05-02 15:14:31 +00:00			`Ili kugundua programu zinazoweza kushambuliwa na hili, unapaswa kutafuta shughuli zilizotolewa kwenye mwongozo wa android (kumbuka kwamba shughuli na intent-filter zinazotolewa kwa chaguo-msingi). Mara baada ya kupata shughuli zilizotolewa, angalia kama zinahitaji idhini yoyote. Hii ni kwa sababu programu mbaya itahitaji idhini hiyo pia.`
GITBOOK-4052: change request with no subject merged in GitBook 2023-08-25 11:36:13 +00:00
Translated ['binary-exploitation/rop-return-oriented-programing/ret2lib/ 2024-04-07 23:01:11 +00:00			`### Kinga`
GITBOOK-4052: change request with no subject merged in GitBook 2023-08-25 11:36:13 +00:00
Translated to Swahili 2024-02-11 02:13:58 +00:00			`#### Android 12 (API 31,32) na zaidi`
GITBOOK-4052: change request with no subject merged in GitBook 2023-08-25 11:36:13 +00:00
Translated ['binary-exploitation/rop-return-oriented-programing/ret2lib/ 2024-05-02 15:14:31 +00:00			`[Kulingana na chanzo hiki](https://www.geeksforgeeks.org/tapjacking-in-android/), mashambulio ya tapjacking yanazuiliwa moja kwa moja na Android kutoka Android 12 (API 31 & 30) na zaidi. Kwa hivyo, hata kama programu inaweza kuwa na kasoro hutaweza kuitumia.`
GITBOOK-4052: change request with no subject merged in GitBook 2023-08-25 11:36:13 +00:00
GITBOOK-4054: change request with no subject merged in GitBook 2023-08-25 13:51:29 +00:00			#### `filterTouchesWhenObscured`

Translated ['binary-exploitation/rop-return-oriented-programing/ret2lib/ 2024-04-07 23:01:11 +00:00			Ikiwa `android:filterTouchesWhenObscured` imewekwa kuwa `kweli`, `View` haitapokea kugusa wakati dirisha la maoni linapofunikwa na dirisha lingine linaloonekana.
GITBOOK-4054: change request with no subject merged in GitBook 2023-08-25 13:51:29 +00:00
GITBOOK-4052: change request with no subject merged in GitBook 2023-08-25 11:36:13 +00:00			#### `setFilterTouchesWhenObscured`

Translated ['binary-exploitation/rop-return-oriented-programing/ret2lib/ 2024-05-02 15:14:31 +00:00			Sifa `setFilterTouchesWhenObscured` ikiwekwa kuwa kweli inaweza pia kuzuia kutumia kasoro hii ikiwa toleo la Android ni la chini.\
Translated ['binary-exploitation/rop-return-oriented-programing/ret2lib/ 2024-04-07 23:01:11 +00:00			Ikiwekwa kuwa `kweli`, kwa mfano, kitufe kinaweza kulemazwa moja kwa moja ikiwa kimefunikwa:
a 2024-02-08 03:08:28 +00:00			```xml
GITBOOK-4052: change request with no subject merged in GitBook 2023-08-25 11:36:13 +00:00			`<Button android:text="Button"`
			`android:id="@+id/button1"`
			`android:layout_width="wrap_content"`
Translated to Swahili 2024-02-11 02:13:58 +00:00			`android:layout_height="wrap_content"`
GITBOOK-4052: change request with no subject merged in GitBook 2023-08-25 11:36:13 +00:00			`android:filterTouchesWhenObscured="true">`
			`</Button>`
			```
Translated to Swahili 2024-02-11 02:13:58 +00:00			`## Utekaji`
GITBOOK-4052: change request with no subject merged in GitBook 2023-08-25 11:36:13 +00:00
			`### Tapjacking-ExportedActivity`

Translated ['binary-exploitation/rop-return-oriented-programing/ret2lib/ 2024-04-07 23:01:11 +00:00			`Programu ya hivi karibuni ya Android inayotekeleza shambulio la Tapjacking (+ kuita kabla ya shughuli iliyotolewa ya programu iliyoshambuliwa) inaweza kupatikana hapa: [https://github.com/carlospolop/Tapjacking-ExportedActivity](https://github.com/carlospolop/Tapjacking-ExportedActivity).`
GITBOOK-4052: change request with no subject merged in GitBook 2023-08-25 11:36:13 +00:00
Translated ['binary-exploitation/rop-return-oriented-programing/ret2lib/ 2024-05-02 15:14:31 +00:00			`Fuata maagizo ya README ili kuitumia.`
GITBOOK-4052: change request with no subject merged in GitBook 2023-08-25 11:36:13 +00:00
			`### FloatingWindowApp`

Translated ['binary-exploitation/rop-return-oriented-programing/ret2lib/ 2024-04-07 23:01:11 +00:00			`Mradi wa mfano unaoendeleza FloatingWindowApp, ambao unaweza kutumika kuweka juu ya shughuli zingine kutekeleza shambulio la clickjacking, unaweza kupatikana hapa [FloatingWindowApp](https://github.com/aminography/FloatingWindowApp) (kidogo umri, bahati njema kujenga apk).`
GITBOOK-4052: change request with no subject merged in GitBook 2023-08-25 11:36:13 +00:00
			`### Qark`

			`{% hint style="danger" %}`
Translated ['binary-exploitation/rop-return-oriented-programing/ret2lib/ 2024-04-07 23:01:11 +00:00			`Inaonekana kama mradi huu sasa hauendelezwi tena na hii kazi haifanyi kazi ipasavyo tena`
GITBOOK-4052: change request with no subject merged in GitBook 2023-08-25 11:36:13 +00:00			`{% endhint %}`

Translated ['binary-exploitation/rop-return-oriented-programing/ret2lib/ 2024-05-02 15:14:31 +00:00			Unaweza kutumia [qark](https://github.com/linkedin/qark) na vigezo `--exploit-apk` --sdk-path `/Users/username/Library/Android/sdk` ili kuunda programu yenye nia mbaya kufanya majaribio ya uwezekano wa mapungufu ya Tapjacking.
GITBOOK-4052: change request with no subject merged in GitBook 2023-08-25 11:36:13 +00:00
Translated ['binary-exploitation/rop-return-oriented-programing/ret2lib/ 2024-04-07 23:01:11 +00:00			`Kupunguza hatari ni rahisi kwa sababu mwandishi wa programu anaweza kuchagua kutokupokea matukio ya kugusa wakati maoni yanafunikwa na mengine. Kutumia [Marejeleo ya Developer wa Android](https://developer.android.com/reference/android/view/View#security):`
GITBOOK-4052: change request with no subject merged in GitBook 2023-08-25 11:36:13 +00:00
Translated ['binary-exploitation/rop-return-oriented-programing/ret2lib/ 2024-05-02 15:14:31 +00:00			`> Mara kwa mara ni muhimu kwamba programu iweze kuthibitisha kwamba hatua inafanywa kwa idhini kamili ya mtumiaji, kama vile kutoa ombi la idhini, kufanya ununuzi au bonyeza tangazo. Kwa bahati mbaya, programu inayodhuru inaweza kujaribu kudanganya mtumiaji kufanya hatua hizi, bila kujua, kwa kuficha lengo la maoni. Kama tiba, mfumo hutoa mbinu ya kuchuja kugusa ambayo inaweza kutumika kuboresha usalama wa maoni yanayotoa ufikiaji wa kazi nyeti.`
GITBOOK-4052: change request with no subject merged in GitBook 2023-08-25 11:36:13 +00:00			`>`
Translated ['binary-exploitation/rop-return-oriented-programing/ret2lib/ 2024-05-02 15:14:31 +00:00			> Ili kuwezesha kuchuja kugusa, piga simu [`setFilterTouchesWhenObscured(boolean)`](https://developer.android.com/reference/android/view/View#setFilterTouchesWhenObscured%28boolean%29) au weka sifa ya mpangilio ya android:filterTouchesWhenObscured kuwa kweli. Ikiwa imeanzishwa, mfumo utatupa kugusa zinazopokelewa wakati wowote dirisha la maoni linapositishwa na dirisha lingine linaloonekana. Matokeo yake, maoni hayatapokea kugusa wakati wowote toast, dirisha au dirisha lingine linaonekana juu ya dirisha la maoni.
GITBOOK-4052: change request with no subject merged in GitBook 2023-08-25 11:36:13 +00:00
Translated ['binary-exploitation/rop-return-oriented-programing/ret2lib/ 2024-05-02 15:14:31 +00:00			`<figure><img src="https://pentest.eu/RENDER_WebSec_10fps_21sec_9MB_29042024.gif" alt=""><figcaption></figcaption></figure>`
GITBOOK-4052: change request with no subject merged in GitBook 2023-08-25 11:36:13 +00:00
Translated ['binary-exploitation/rop-return-oriented-programing/ret2lib/ 2024-04-07 23:01:11 +00:00			`{% embed url="https://websec.nl/" %}`
Translated ['binary-exploitation/rop-return-oriented-programing/ret2lib/ 2024-05-02 15:14:31 +00:00
			`<details>`

			`<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>`

			`Njia nyingine za kusaidia HackTricks:`

			`* Ikiwa unataka kuona kampuni yako ikitangazwa kwenye HackTricks au kupakua HackTricks kwa PDF Angalia [MIPANGO YA KUJIUNGA](https://github.com/sponsors/carlospolop)!`
			`* Pata [bidhaa rasmi za PEASS & HackTricks](https://peass.creator-spring.com)`
			`* Gundua [Familia ya PEASS](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [NFTs](https://opensea.io/collection/the-peass-family) ya kipekee`
			`* Jiunge na 💬 [Kikundi cha Discord](https://discord.gg/hRep4RUj7f) au kikundi cha [telegram](https://t.me/peass) au tufuate kwenye Twitter 🐦 [@carlospolopm](https://twitter.com/hacktricks_live).`
			`* Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwa [HackTricks](https://github.com/carlospolop/hacktricks) na [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) github repos.`

			`</details>`