What is Tapjacking in Android Devices and how to prevent it?
Tapjacking is a form of user interface (UI) redress attack on Android devices in which a malicious application tricks the user into performing unintended actions by overlaying a transparent or partially transparent interface on top of a legitimate application. The attack redirects the user's taps to trigger harmful actions without their knowledge.
Tapjacking, a combination of "tap" and "hijacking", means just that: an attack in which the attacker hijacks the user's taps and tricks them into doing something they did not intend.
For example, a malicious app might overlay a “Click here to win a prize” button on top of a system permission dialog, causing the user to unknowingly grant permissions to the malicious app.
How Tapjacking Works
- Overlay: The malicious app displays a transparent UI over a legitimate app or system dialog.
- Deception: The user interacts with the visible UI, unaware of the hidden actions behind it.
- Execution: The user’s tap on the overlay triggers the unintended action in the legitimate app, such as granting permissions or performing unauthorized actions.
Risks of Tapjacking
- Unauthorized access to sensitive permissions (e.g., camera, microphone).
- Unintended purchases or financial transactions.
- Data leakage or installation of additional malicious software.
Prevention Measures
For Developers:
- Use FLAG_SECURE:
- Add WindowManager.LayoutParams.FLAG_SECURE to sensitive activities or views in your app to prevent them from being overlaid by other apps.
- Example (Java):

```java
getWindow().setFlags(WindowManager.LayoutParams.FLAG_SECURE, WindowManager.LayoutParams.FLAG_SECURE);
```
- Verify Touch Events:
- Implement touch validation to ensure that user actions originate from legitimate interactions.
- Example: Verify that the touch event comes from a visible and interactive UI.
- Restrict System Alert Windows:
- Limit the use of SYSTEM_ALERT_WINDOW permission in your apps, as this is often exploited for overlays.
- Enforce Permissions Carefully:
- Use runtime permissions and provide clear explanations for why permissions are needed, ensuring users are aware of potential risks.
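The developer measures above, combined in one Activity. This is an added example, not code from the original post; the activity name, layout and view ids, and the performTransfer() action are assumed. One caveat a practitioner should know: FLAG_SECURE's documented effect is to keep the window's contents out of screenshots and screen capture. The Android API that directly rejects a tap delivered through another app's window, which is what the "Verify Touch Events" item calls for, is View.setFilterTouchesWhenObscured together with the obscured flags on MotionEvent, so the example uses both.

```java
import android.app.Activity;
import android.os.Build;
import android.os.Bundle;
import android.util.Log;
import android.view.MotionEvent;
import android.view.WindowManager;
import android.widget.Button;
import android.widget.Toast;

// Hypothetical screen that confirms a sensitive action (e.g. a money transfer).
public class ConfirmTransferActivity extends Activity {
    private static final String TAG = "Tapjacking";

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);

        // Measure 1 (FLAG_SECURE): keep this window out of screenshots and screen
        // recordings, so an overlay app cannot capture what the user sees here.
        getWindow().setFlags(WindowManager.LayoutParams.FLAG_SECURE,
                WindowManager.LayoutParams.FLAG_SECURE);

        setContentView(R.layout.activity_confirm_transfer); // assumed layout
        Button confirm = (Button) findViewById(R.id.btn_confirm); // assumed id

        // Measure 2a (touch validation, view level): the framework discards any
        // touch that reaches this view while another window is drawn over it.
        // The XML attribute android:filterTouchesWhenObscured="true" is equivalent.
        confirm.setFilterTouchesWhenObscured(true);

        confirm.setOnClickListener(v -> performTransfer());
    }

    // Measure 2b (touch validation, activity level): runs before the view
    // hierarchy sees the event, so the rejection can be logged and explained
    // to the user instead of being silently dropped.
    @Override
    public boolean dispatchTouchEvent(MotionEvent event) {
        if (isObscured(event)) {
            if (event.getAction() == MotionEvent.ACTION_DOWN) {
                Log.w(TAG, "Touch rejected: window obscured by another app's overlay");
                Toast.makeText(this,
                        "Close any app drawing over the screen and try again",
                        Toast.LENGTH_LONG).show();
            }
            return true; // consume the event; no view receives it
        }
        return super.dispatchTouchEvent(event);
    }

    // True when the system reports that a window belonging to another app sits
    // between the user's finger and this window at the touch point.
    static boolean isObscured(MotionEvent event) {
        int flags = event.getFlags();
        boolean fully = (flags & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0;
        // The partial-obscuring flag exists from Android 10 (API 29) onward.
        boolean partially = Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q
                && (flags & MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED) != 0;
        return fully || partially;
    }

    private void performTransfer() {
        // Sensitive action; body assumed for the example.
    }
}
```

The two touch checks are layered on purpose: the activity-level check gives the user feedback and a log line for detection, while the view-level filter still protects the button if the event reaches it by another path. Neither check depends on the overlay being visible, because the obscured flags are set by the system from window geometry, not from what the user can see.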
For Users:
- Avoid Untrusted Apps:
- Download apps only from trusted sources like the Google Play Store.
- Check reviews and permissions before installing any app.
- Keep Android Updated:
- Use the latest version of Android as Google regularly patches vulnerabilities.
- Monitor Permissions:
- Regularly review app permissions and remove unnecessary permissions.
- Enable Play Protect:
- Use Google Play Protect to scan and block potentially harmful apps.
- Be Cautious of Overlays:
- If you notice suspicious overlays or apps behaving unusually, uninstall them immediately.
How to prevent tapjacking?
If you're a user, open your device settings and find the section that deals with overlay screens. It should be called either "Apps that can appear on top" or apps that "Draw over other apps". If you're still not sure, a simple Google search for your phone make will reveal the setting.
By understanding the risks and implementing these measures, you can significantly reduce the chances of being affected by tapjacking on Android devices.