ScreenOverlay Permissions: Avoiding Common Pitfalls and Security Risks
Overview
Screen overlays let apps draw UI above other apps (chat heads, floating widgets). They enable useful UX patterns but are a high-risk vector for tapjacking, phishing, and privilege escalation if misused.
Primary risks
- Tapjacking / UI redress: overlays trick users into tapping hidden/underlying controls.
- Phishing: full-screen overlays can impersonate other apps (login screens, confirmation dialogs).
- Privilege escalation / unwanted installs: overlays can hide permission text or trick users into granting dangerous permissions (SYSTEM_ALERT_WINDOW, install from unknown sources).
- Accessibility abuse & input capture: malicious overlays combined with accessibility services can exfiltrate data or inject input.
- Background toasts / toast-burst attacks: custom toasts used to present overlays unexpectedly (older Android versions).
Platform changes & constraints (practical notes)
- Android 6+ requires explicit “Draw over other apps” flows (ACTION_MANAGE_OVERLAY_PERMISSION).
- Android 12–13+ added stronger restrictions (blocking background custom toasts, overlay warnings).
- Android ⁄31+ API offers Window.setHideOverlayWindows(true) to hide non-system overlays for a window.
- Newer Android docs recommend filterTouchesWhenObscured and other view flags (see mitigations).
Developer mitigations (implement these by default)
- Avoid requesting SYSTEM_ALERT_WINDOW unless essential. Re-evaluate design alternatives (in-app overlays, notifications).
- Block interactions when obscured: set android:filterTouchesWhenObscured=“true” on sensitive Views or call View.setFilterTouchesWhenObscured(true). Optionally override onFilterTouchEventForSecurity to reject MotionEvent.FLAG_WINDOW_IS_OBSCURED.
- Use setHideOverlayWindows(true) on windows where available (API 31+) to prevent non-system overlays from showing.
- Protect confirmation and auth screens: treat login, MFA, payment, and permission dialogs as sensitive — disable or defer input if obscured/partially obscured.
- Don’t export activities unnecessarily (reduce “activity sandwich” risk).
- Restrict sensitive accessibility exposure: mark sensitive views with accessibilityDataSensitive where applicable (newer Android flags).
- Reject input on suspicious events: detect MotionEvent flags for partial obscuration (FLAG_WINDOW_IS_PARTIALLY_OBSCURED) and ignore or re-prompt.
- Use multi-factor auth & out-of-band verification for critical flows as a fallback against overlay-based phishing.
- Explicit, clear permission prompts: in-app rationale explaining why overlay is needed; avoid any UI that mimics system dialogs.
- Target modern SDKs & keep dependencies updated to inherit platform mitigations.
Testing & QA
- Simulate overlay attacks (full/partial occlusion, toast bursts, activity sandwich) during security testing.
- Verify behavior across Android API levels (esp. <31 and ≥31).
- Include automated tests that assert sensitive views ignore obscured touches.
User guidance (short)
- Ask users to grant “draw over apps” only when clearly necessary and explain why.
- Recommend installing apps only from trusted sources and checking app permission details.
Quick checklist for release
- Remove unnecessary SYSTEM_ALERT_WINDOW usage
- Apply filterTouchesWhenObscured on all sensitive views
- Call setHideOverlayWindows(true) where supported
- Mark sensitive views for accessibility protection
- Test overlay scenarios across API levels
References
- Android Developer guidance on Tapjacking and mitigations (filterTouchesWhenObscured, setHideOverlayWindows)
- OWASP/MASTG overlay attack guidance and mitigations
- Vendor analyses on overlay malware and SYSTEM_ALERT_WINDOW abuse
If you want, I can produce ready-to-copy code snippets for the key mitigations (filterTouchesWhenObscured, onFilterTouchEventForSecurity, setHideOverlayWindows).
Leave a Reply