ScreenOverlay

ScreenOverlay Permissions: Avoiding Common Pitfalls and Security Risks

Overview

Screen overlays let apps draw UI above other apps (chat heads, floating widgets). They enable useful UX patterns but are a high-risk vector for tapjacking, phishing, and privilege escalation if misused.

Primary risks

• Tapjacking / UI redress: overlays trick users into tapping hidden/underlying controls.
• Phishing: full-screen overlays can impersonate other apps (login screens, confirmation dialogs).
• Privilege escalation / unwanted installs: overlays can hide permission text or trick users into granting dangerous permissions (SYSTEM_ALERT_WINDOW, install from unknown sources).
• Accessibility abuse & input capture: malicious overlays combined with accessibility services can exfiltrate data or inject input.
• Background toasts / toast-burst attacks: custom toasts used to present overlays unexpectedly (older Android versions).

Platform changes & constraints (practical notes)

• Android 6+ requires explicit “Draw over other apps” flows (ACTION_MANAGE_OVERLAY_PERMISSION).
• Android 12–13+ added stronger restrictions (blocking background custom toasts, overlay warnings).
• Android ⁄₃₁+ API offers Window.setHideOverlayWindows(true) to hide non-system overlays for a window.
• Newer Android docs recommend filterTouchesWhenObscured and other view flags (see mitigations).

Developer mitigations (implement these by default)

1. Avoid requesting SYSTEM_ALERT_WINDOW unless essential. Re-evaluate design alternatives (in-app overlays, notifications).
2. Block interactions when obscured: set android:filterTouchesWhenObscured=“true” on sensitive Views or call View.setFilterTouchesWhenObscured(true). Optionally override onFilterTouchEventForSecurity to reject MotionEvent.FLAG_WINDOW_IS_OBSCURED.
3. Use setHideOverlayWindows(true) on windows where available (API 31+) to prevent non-system overlays from showing.
4. Protect confirmation and auth screens: treat login, MFA, payment, and permission dialogs as sensitive — disable or defer input if obscured/partially obscured.
5. Don’t export activities unnecessarily (reduce “activity sandwich” risk).
6. Restrict sensitive accessibility exposure: mark sensitive views with accessibilityDataSensitive where applicable (newer Android flags).
7. Reject input on suspicious events: detect MotionEvent flags for partial obscuration (FLAG_WINDOW_IS_PARTIALLY_OBSCURED) and ignore or re-prompt.
8. Use multi-factor auth & out-of-band verification for critical flows as a fallback against overlay-based phishing.
9. Explicit, clear permission prompts: in-app rationale explaining why overlay is needed; avoid any UI that mimics system dialogs.
10. Target modern SDKs & keep dependencies updated to inherit platform mitigations.

Testing & QA

• Simulate overlay attacks (full/partial occlusion, toast bursts, activity sandwich) during security testing.
• Verify behavior across Android API levels (esp. <31 and ≥31).
• Include automated tests that assert sensitive views ignore obscured touches.

User guidance (short)

• Ask users to grant “draw over apps” only when clearly necessary and explain why.
• Recommend installing apps only from trusted sources and checking app permission details.

Quick checklist for release

• Remove unnecessary SYSTEM_ALERT_WINDOW usage
• Apply filterTouchesWhenObscured on all sensitive views
• Call setHideOverlayWindows(true) where supported
• Mark sensitive views for accessibility protection
• Test overlay scenarios across API levels

References

• Android Developer guidance on Tapjacking and mitigations (filterTouchesWhenObscured, setHideOverlayWindows)
• OWASP/MASTG overlay attack guidance and mitigations
• Vendor analyses on overlay malware and SYSTEM_ALERT_WINDOW abuse

If you want, I can produce ready-to-copy code snippets for the key mitigations (filterTouchesWhenObscured, onFilterTouchEventForSecurity, setHideOverlayWindows).