Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(android)(9_3_X): add "tapjacking" prevention features #11962

Merged
merged 4 commits into from Sep 28, 2020
Merged

feat(android)(9_3_X): add "tapjacking" prevention features #11962

merged 4 commits into from Sep 28, 2020

Conversation

jquick-axway
Copy link
Contributor

@jquick-axway jquick-axway commented Aug 26, 2020
edited

JIRA:
https://jira.appcelerator.org/browse/TIMOB-28080

Note:
Tapjacking is an Android exploit where a malicious app can display a translucent system overlay on top of other apps used to intercept touches or to trick the end-user to tapping on the overlay.

Summary:

  • Added boolean property "filterTouchesWhenObscured" to all Ti.UI.View derived types.
  • Added event "touchfiltered" event to Ti.UI.Button.
    • Only fired "filterTouchesWhenObscured" is true and touch was obscured by overlay.
    • Intended to be used to display an alert explaining why button click was blocked.
  • Added boolean property "obscured" to all touch related events.
    • Will only be true if "filterTouchesWhenObscured" is false.

Test:

  1. Install the "AppcOverlay.apk" attached to TIMOB-28080 on Android.
    adb install -r <PathToApk>
  2. Build and run the below on Android.
  3. Tap on "Button with Filter" and verify a "click" alert appears.
  4. Verify that you see the below in the log.
[INFO]  @@@ touchstart obscured: false
[INFO]  @@@ touchmove obscured: false
[INFO]  @@@ touchmove obscured: false
[INFO]  @@@ touchend obscured: false
[INFO]  @@@ click obscured: false
[INFO]  @@@ singletap obscured: false
  1. Launch the "AppcOverlay" app.
  2. Tap on the "Show Fullscreen Overlay" button.
  3. If "Display over other apps" window appears, then switch on, tap back, and then tap on "Fullscreen" button again.
  4. A red translucent window should now fill the screen and on top of all other apps.
  5. Go back to the below test app.
  6. Tap on the "Button with Filter" button.
  7. Verify a "touchfiltered" alert appears.
  8. Tap on the "Button without Filter" button.
  9. Verify a "click" alert appears.
  10. Verify that you see the below in the log.
[INFO]  @@@ touchstart obscured: true
[INFO]  @@@ touchmove obscured: true
[INFO]  @@@ touchend obscured: true
[INFO]  @@@ click obscured: true
[INFO]  @@@ singletap obscured: true

app.js

function logTouchEvent(event) {
	Ti.API.info("@@@ " + event.type + " obscured: " + event.obscured);
}
function addTouchHandlersTo(view) {
	view.addEventListener("click", function() {
		alert("click");
	});
	view.addEventListener("touchfiltered", function() {
		alert("touchfiltered\n(Overlay detected.)");
	});
	view.addEventListener("click", logTouchEvent);
	view.addEventListener("dblclick", logTouchEvent);
	view.addEventListener("singletap", logTouchEvent);
	view.addEventListener("doubletap", logTouchEvent);
	view.addEventListener("longclick", logTouchEvent);
	view.addEventListener("touchstart", logTouchEvent);
	view.addEventListener("touchmove", logTouchEvent);
	view.addEventListener("touchend", logTouchEvent);
	view.addEventListener("touchcancel", logTouchEvent);
}

var window = Ti.UI.createWindow({ title: "Tap Jacking Test" });
var button1 = Ti.UI.createButton({
	title: "Button with Filter",
	top: "25%",
	filterTouchesWhenObscured: true,
})
addTouchHandlersTo(button1);
window.add(button1);
var button2 = Ti.UI.createButton({
	title: "Button without Filter",
	bottom: "25%",
	filterTouchesWhenObscured: false,
})
addTouchHandlersTo(button2);
window.add(button2);
window.open();

@jquick-axway
feat(android): add tapjacking prevention features
5d0b28d 
- Added boolean property "filterTouchesWhenObscured" to all Ti.UI.View dervied types.
- Added event "touchfiltered" event to Ti.UI.Button.
- Added boolean property "obscured" to all touch related events.
  * Will only be true if "filterTouchesWhenObscured" is false.

Fixes TIMOB-28080
@jquick-axway jquick-axway added this to the 9.3.0 milestone Aug 26, 2020
@build build requested review from a team August 26, 2020 02:10
@build build added the docs label Aug 26, 2020
@build
Copy link
Contributor

build commented Aug 26, 2020
edited

Fails
🚫 Tests have failed, see below for more information.
Messages
📖

💾 Here's the generated SDK zipfile.
📖 ✊ The commits in this PR match our conventions! Feel free to Rebase and Merge this PR when ready.
📖 ❌ 2 tests have failed There are 2 tests failing and 717 skipped out of 7993 total tests.

Tests:

ClassnameNameTimeError
ios.ipad.Titanium.UI.ImageViewimage error event (14.0)5.002
Error: timeout of 5000ms exceeded
file:///Users/build/Library/Developer/CoreSimulator/Devices/8397E161-2778-43CE-AB1B-BDA17BDD4023/data/Containers/Bundle/Application/F7D0FA74-E04F-4533-A67C-AC2E39561054/mocha.app/ti-mocha.js:4326:27
ios.ipad.Titanium.UI.iOS.CollisionBehavior.exampleworks (14.0)10.002
Error: timeout of 10000ms exceeded
file:///Users/build/Library/Developer/CoreSimulator/Devices/8397E161-2778-43CE-AB1B-BDA17BDD4023/data/Containers/Bundle/Application/F7D0FA74-E04F-4533-A67C-AC2E39561054/mocha.app/ti-mocha.js:4326:27

Generated by 🚫 dangerJS against b6335c1

garymathews
garymathews approved these changes Aug 26, 2020
View reviewed changes
Copy link
Contributor

@garymathews garymathews left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

CR: PASS

Minor comment about test case.

@jquick-axway jquick-axway added the backport master when applied, PRs with this label will get an auto-generated backport to master branch on merge label Sep 21, 2020
@ssjsamir ssjsamir self-requested a review September 28, 2020 13:57
ssjsamir
ssjsamir approved these changes Sep 28, 2020
View reviewed changes
Copy link
Contributor

@ssjsamir ssjsamir left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

FR Passed, tested using the example in the description.

Test Environment

MacOS Big Sur: 11.0 Beta 7
Xcode: 12.0 
Java Version: 1.8.0_242
Android NDK: 21.3.6528147
Node.js: 12.18.1
""NPM":"5.0.0","CLI":"8.1.1""
Pixel XL (10.0)

@sgtcoolguy sgtcoolguy merged commit 307a890 into tidev:9_3_X Sep 28, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@garymathews garymathews garymathews approved these changes

@ssjsamir ssjsamir ssjsamir approved these changes

Assignees
No one assigned
Labels
android backport master when applied, PRs with this label will get an auto-generated backport to master branch on merge docs feature in-qe-testing 🕵
Projects
None yet
Milestone
9.3.0
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@jquick-axway @build @garymathews @ssjsamir @sgtcoolguy