CODEWITHSUNDEEP
androidsecurity
Hourglasser
Hourglasser

Reputation: 785

FLAG_WINDOW_IS_OBSCURED not working on newer android

I have been implementing tapjacking defence in android app, but I found out that flag FLAG_WINDOW_IS_OBSCURED is set on android 7.0, but not on android 10.0 while window is obscured by another application.

Do you have any idea why is happens?

I tested it on both emulators and physical devices. Testing application for overlay was twilight. Official documentation feels useless.

I found this comment:

The FLAG_WINDOW_IS_OBSCURED only works if the overlay relays touch events, AND if the touched coordinates is actually obscured

which could suggest, that in newer android versions it must also obscure touch coordinates, but I could not find any app that obscures touched coordinates to test it.

In order to have centralized detection of overlayed apps I used:

@Override
    public boolean dispatchTouchEvent(MotionEvent event) {
        final boolean obscuredTouch = (event.getFlags() & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0;
        if(obscuredTouch) return false;

        return super.dispatchTouchEvent(event);
    }

in BaseActivity which all other activities extends.

Android tag android:filterTouchesWhenObscured for views uses the same flag FLAG_WINDOW_IS_OBSCURED underneath I suppose (correct me if I am wrong):

Upvotes: 7

Views: 3056

Answers (2)

Sander Smets
Sander Smets

Reputation: 31

I noticed that FLAG_WINDOW_IS_OBSCURED no longer triggers on API 31 (Android 12) or higher. Instead, it seems to use FLAG_WINDOW_IS_PARTIALLY_OBSCURED for everything. It also appears that the setFilterTouchesWhenObscured and onFilterTouchEventForSecurity methods seem to be affected by this as well.

Looking up FLAG_WINDOW_IS_OBSCURED gave no info about this behavior. So I tested this on an emulator using API 29, 30, 31, and 33, and I can indeed confirm the flag is no longer 'working' starting at API 31.

Fortunately, API 31+ introduces a new method named setHideOverlayWindows that can be used to hide any non-system overlay on the selected view. You will also need to use the HIDE_OVERLAY_WINDOWS permission.

Upvotes: 3

Thirumalvalavan
Thirumalvalavan

Reputation: 2768

From Android 10 & onwards, we have to use FLAG_WINDOW_IS_PARTIALLY_OBSCURED.

Upvotes: 2

Related Questions