
[Android] Set filterTouchesWhenObscured on view to mitigate tapjacking

Open MaKleSoft opened this issue 8 years ago • 8 comments

Not sure if this is within the scope of this plugin but another security concern in Android is 'Tapjacking'. An easy fix for this is to set the filterTouchesWhenObscured property on the view object. This could be done in the plugins initialise method, like so:

  import android.app.Activity;
  import android.view.WindowManager;
  import org.apache.cordova.CordovaInterface;
  import org.apache.cordova.CordovaWebView;

  @Override
  public void initialize(CordovaInterface cordova, CordovaWebView webView) {
    // Drop touch events delivered while another window covers this view (tapjacking)
    webView.getView().setFilterTouchesWhenObscured(true);
    super.initialize(cordova, webView);
    Activity activity = this.cordova.getActivity();
    // Existing plugin behaviour: prevent screenshots and recent-apps previews
    activity.getWindow().addFlags(WindowManager.LayoutParams.FLAG_SECURE);
  }

I could create a separate plugin for this, but I think it fits pretty well in here and adding it to this plugin would be slightly more convenient. Happy to create a pull request if you think this makes sense.

Let me know what you think!

MaKleSoft avatar May 15 '16 23:05 MaKleSoft
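As an added illustration of the mitigation proposed above (example code written for this page, not from the issue or from PrivacyScreenPlugin; the class name TapjackingGuard is hypothetical), the plugin below sets the property from the issue and additionally rejects touches that arrive while the window is only partially covered, which the property alone does not filter:

```java
import android.os.Build;
import android.util.Log;
import android.view.MotionEvent;
import android.view.View;

import org.apache.cordova.CordovaInterface;
import org.apache.cordova.CordovaPlugin;
import org.apache.cordova.CordovaWebView;

// Hypothetical plugin class; not part of PrivacyScreenPlugin.
public class TapjackingGuard extends CordovaPlugin {
  private static final String TAG = "TapjackingGuard";

  @Override
  public void initialize(CordovaInterface cordova, CordovaWebView webView) {
    super.initialize(cordova, webView);
    View view = webView.getView();

    // Baseline mitigation from the issue: the framework discards touches whose
    // window is fully covered by another window (FLAG_WINDOW_IS_OBSCURED).
    view.setFilterTouchesWhenObscured(true);

    // Defence in depth: also discard touches while the window is only partially
    // covered. The framework reports that with FLAG_WINDOW_IS_PARTIALLY_OBSCURED
    // on API 29 and later; older releases never set that flag, so there the
    // listener adds nothing beyond the fully-obscured check above.
    view.setOnTouchListener(new View.OnTouchListener() {
      @Override
      public boolean onTouch(View v, MotionEvent event) {
        if (isObscured(event)) {
          Log.w(TAG, "Dropped touch delivered through an overlay");
          return true;  // consume the event so the WebView never sees it
        }
        return false;   // let the WebView handle the touch normally
      }
    });
  }

  // True when the event carries either obscured flag for this platform level.
  static boolean isObscured(MotionEvent event) {
    int mask = MotionEvent.FLAG_WINDOW_IS_OBSCURED;
    if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q) {
      mask |= MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED;
    }
    return (event.getFlags() & mask) != 0;
  }
}
```

Dropping partially-obscured touches can also block legitimate overlays such as accessibility or chat-head windows, so test the app with those enabled before shipping the stricter check.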

Certainly looks on the surface like it's in the scope.

Send me a PR and I'll look into it some more. That'd be fantastic!

devgeeks avatar May 15 '16 23:05 devgeeks

Hrm, is this only on GingerBread and below though?

devgeeks avatar May 15 '16 23:05 devgeeks

What, the vulnerability? Nope. Had a pentester verify it on Android 6.0.1 recently.

MaKleSoft avatar May 15 '16 23:05 MaKleSoft

Ah, the linked article said something about <= 2.3, must have just been an old article.

I'll take a look at the PR, thanks a lot.

devgeeks avatar May 15 '16 23:05 devgeeks

No worries. Thanks for the prompt response!

MaKleSoft avatar May 15 '16 23:05 MaKleSoft

Sorry I have taken so long to look at this, hoping to look at it asap and get it merged in.

devgeeks avatar Jul 26 '16 21:07 devgeeks

Just some clarification, this used to only affect <=2.3 until Google made changes in Android. 2.4 - 6.0 was secure from this due to backend changes to the system. Until of course Google being Google reversed these changes on 6.0.1, hence the comment above that a pentester verified it.

<= 2.3 - Vulnerable
2.4 - 6.0 - Secure
>= 6.0.1 - Vulnerable

bensh avatar May 10 '18 07:05 bensh

Hi All, do we have a plan to fix this issue as part of this plugin?

mr-rajeshrathod avatar Nov 10 '20 20:11 mr-rajeshrathod