Recipe Name:
Configuration - User Interface: Avoid Tapjacking: Enable filterTouchesWhenObscured
Description:
Setting filterTouchesWhenObscured to false allows adversaries to hijack users' taps.
Level:
warning
Language:
  • xml
Tags:
  • security
  • mobile
  • framework specific
  • Android
Documentation

When a view component has the attribute android:filterTouchesWhenObscured="false", a malicious application can place an invisible view above your layout to capture the user's taps.

This can lead to malicious applications gaining unwanted permissions or access to sensitive data. With the attribute set to "true", the framework discards touches received while the view's window is obscured by another visible window.

Before
android:filterTouchesWhenObscured="false"
After
android:filterTouchesWhenObscured="true"
Resources:
Recipe
id: scw:android:tapjacking-enable-filterTouchesWhenObscured
version: 10
metadata:
  name: 'Configuration - User Interface: Avoid Tapjacking: Enable filterTouchesWhenObscured'
  shortDescription: Setting filterTouchesWhenObscured to false allows adversaries to hijack users' taps.
  level: warning
  language: xml
  cweCategory: 1021
  enabled: true
  descriptionFile: Java/Mobile/Android SDK/Manifest/descriptions/LayoutbestpracticesenablefilterTouchesWhenObscured.html
  tags: security;mobile;framework specific;Android
search:
  element:
    attribute:
      name: android:filterTouchesWhenObscured
      label: filter
      value: "false"
    tagName:
      anyOf:
      - is: Button
      - is: WebView
      - is: ImageButton
      - is: ToggleButton
availableFixes:
- name: Set android:filterTouchesWhenObscured="true"
  actions:
  - set:
      to: '"true"'
      target: label:filter
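
The recipe's search and fix clauses, re-implemented as a stand-alone Python check over a constructed layout. This is an added example, not part of the recipe or of the tool that runs it; the function names and the sample layout are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ATTR = f"{{{ANDROID_NS}}}filterTouchesWhenObscured"
ID_ATTR = f"{{{ANDROID_NS}}}id"
# Tag names listed under search.element.tagName.anyOf in the recipe.
TARGET_TAGS = {"Button", "WebView", "ImageButton", "ToggleButton"}

# Constructed sample layout (hypothetical view ids), not taken from a real app.
SAMPLE_LAYOUT = """<LinearLayout
    xmlns:android="http://schemas.android.com/apk/res/android"
    android:layout_width="match_parent"
    android:layout_height="match_parent">
    <Button android:id="@+id/grant" android:filterTouchesWhenObscured="false" />
    <ImageButton android:id="@+id/pay" android:filterTouchesWhenObscured="true" />
    <TextView android:id="@+id/label" android:filterTouchesWhenObscured="false" />
    <WebView android:id="@+id/web" android:filterTouchesWhenObscured="false" />
    <ToggleButton android:id="@+id/toggle" />
</LinearLayout>
"""


def find_violations(root):
    """Elements the recipe would flag: a listed tag with the attribute set to "false"."""
    return [el for el in root.iter()
            if el.tag in TARGET_TAGS and el.get(ATTR) == "false"]


def apply_fix(layout_xml):
    """Apply the recipe's fix; return (fixed_xml, ids of the views that were changed)."""
    ET.register_namespace("android", ANDROID_NS)  # keep the android: prefix on output
    root = ET.fromstring(layout_xml)
    fixed_ids = []
    for el in find_violations(root):
        el.set(ATTR, "true")
        fixed_ids.append(el.get(ID_ATTR))
    return ET.tostring(root, encoding="unicode"), fixed_ids


if __name__ == "__main__":
    fixed_xml, ids = apply_fix(SAMPLE_LAYOUT)
    print("views fixed:", ids)
    print(fixed_xml)
```

The TextView is left unchanged because the recipe's tag list does not include it, and the ToggleButton is not flagged because the recipe only matches an explicit "false" value.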