Recipe Name:
Configuration - User Interface: Avoid Tapjacking: Add filterTouchesWhenObscured
Description:
Not setting filterTouchesWhenObscured to true allows adversaries to hijack users' taps.
Level:
warning
Language:
  • xml
Tags:
  • security
  • framework specific
  • mobile
  • Android
Documentation

When a view component has the attribute android:filterTouchesWhenObscured="false", which is also the default when the attribute is omitted, malicious applications can place invisible views above your layout in order to capture the users' taps.

This can lead to malicious applications gaining unwanted permissions or access to sensitive data.

Before
android:filterTouchesWhenObscured="false"
After
android:filterTouchesWhenObscured="true"
Resources:
Recipe
id: scw:android:tapjacking-add-filterTouchesWhenObscured
version: 10
metadata:
  name: 'Configuration - User Interface: Avoid Tapjacking: Add filterTouchesWhenObscured'
  shortDescription: Not setting filterTouchesWhenObscured to true allows adversaries to hijack users' taps.
  level: warning
  language: xml
  cweCategory: 1021
  enabled: true
  descriptionFile: Java/Mobile/Android SDK/Manifest/descriptions/LayoutbestpracticesenablefilterTouchesWhenObscured.html
  tags: security;framework specific;mobile;Android
search:
  element:
    tagName:
      anyOf:
      - is: Button
      - is: WebView
      - is: ImageButton
      - is: ToggleButton
    without:
      attribute:
        name: android:filterTouchesWhenObscured
availableFixes:
- name: Set filterTouchesWhenObscured to "true"
  actions:
  - add:
      attribute:
        name: android:filterTouchesWhenObscured
        value: '"true"'
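
The recipe's search block can be reproduced outside the IDE, for example as a build-time check over layout files. The script below is an added example, not part of the recipe itself. It goes one step beyond the search block by also reporting the explicit "false" case shown under Before. The function name, the sample layout and its ids are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ATTR = f"{{{ANDROID_NS}}}filterTouchesWhenObscured"
ID_ATTR = f"{{{ANDROID_NS}}}id"
# Tag names taken from the recipe's search block.
TARGET_TAGS = {"Button", "WebView", "ImageButton", "ToggleButton"}

# Constructed sample layout (not from the original page).
SAMPLE_LAYOUT = """
<LinearLayout xmlns:android="http://schemas.android.com/apk/res/android"
    android:layout_width="match_parent"
    android:layout_height="match_parent">
    <Button android:id="@+id/pay" android:text="Pay" />
    <ImageButton android:id="@+id/grant"
        android:filterTouchesWhenObscured="false" />
    <ToggleButton android:id="@+id/share"
        android:filterTouchesWhenObscured="true" />
    <TextView android:id="@+id/label" android:text="Total" />
    <WebView android:id="@+id/checkout" />
</LinearLayout>
"""


def find_unfiltered_views(layout_xml):
    """Return (tag, android:id, reason) for each target view that is not
    explicitly protected with filterTouchesWhenObscured="true"."""
    findings = []
    root = ET.fromstring(layout_xml.strip())
    for elem in root.iter():
        if elem.tag not in TARGET_TAGS:
            continue
        value = elem.get(ATTR)
        view_id = elem.get(ID_ATTR, "<no id>")
        if value is None:
            # The case the recipe's "without: attribute" clause matches.
            findings.append((elem.tag, view_id, "attribute missing"))
        elif value.strip().lower() != "true":
            # Explicit "false", or a resource reference such as @bool/...
            # that cannot be resolved here and needs manual review.
            findings.append((elem.tag, view_id, f'set to "{value}"'))
    return findings


if __name__ == "__main__":
    for tag, view_id, reason in find_unfiltered_views(SAMPLE_LAYOUT):
        print(f"{tag} {view_id}: filterTouchesWhenObscured {reason}")
```

Custom view subclasses and views created in code are outside what this tag-name match sees, the same limitation the recipe's tagName list has.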