I and others railed about the tapjacking attack vector on Android in the past year or two. In fact, I had been told by the Android security team that tapjacking was a feature, not a bug.
It would appear Google had a change of heart.
Sam Lu wrote in a few days ago to report that the tapjacking demonstration code from The Busy Coder’s Guide to Advanced Android Development no longer worked as of Android 4.0.3. He even isolated some changes made to Android itself that would explain the altered beahvior. It definitely appears that Android 4.0.3+ devices are no longer vulnerable. A tapjacker can no longer intercept touch events, even using code that had worked on prior versions of Android.
Now, it is entirely possible that there’s another way to set up the tapjacking attack that avoids the block Google put into place, though it is not obvious how that might be accomplished — I tried some things with no success.
Many thanks to Google for fixing this security hole, and many thanks to Mr. Lu for pointing it out!
Learn second-generation Android app development — with Kotlin and the Android Jetpack — through CommonsWare’s Android app development training!