mobsf.mobsfscan.best_practices.tapjacking.android_detect_tapjacking

profile photo of MobSFMobSF
Author
unknown
Download Count*
License

This app does not have capabilities to prevent tapjacking attacks. An attacker can hijack the user's taps and tricks him into performing some critical operations that he did not intend to.

Run Locally

Run in CI

Defintion

rules:
  - id: android_detect_tapjacking
    patterns:
      - pattern-either:
          - pattern: |
              $F.setFilterTouchesWhenObscured(true);
    message: This app does not have capabilities to prevent tapjacking attacks. An
      attacker can hijack the user's taps and tricks him into performing some
      critical operations that he did not intend to.
    languages:
      - java
    severity: INFO
    metadata:
      cwe: cwe-200
      owasp-mobile: m1
      masvs: platform-9
      reference: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#testing-for-overlay-attacks-mstg-platform-9
      license: LGPL-3.0-or-later
      vulnerability_class:
        - Other