The CommonsBlog

Tapjacking, Defunct?

I and others railed about the tapjacking attack vector on Android in the past year or two. In fact, I had been told by the Android security team that tapjacking was a feature, not a bug.

It would appear Google had a change of heart.

Sam Lu wrote in a few days ago to report that the tapjacking demonstration code from The Busy Coder’s Guide to Advanced Android Development no longer worked as of Android 4.0.3. He even isolated some changes made to Android itself that would explain the altered beahvior. It definitely appears that Android 4.0.3+ devices are no longer vulnerable. A tapjacker can no longer intercept touch events, even using code that had worked on prior versions of Android.

Now, it is entirely possible that there’s another way to set up the tapjacking attack that avoids the block Google put into place, though it is not obvious how that might be accomplished — I tried some things with no success.

Many thanks to Google for fixing this security hole, and many thanks to Mr. Lu for pointing it out!

Need an Android programming guide for your development team? An Enterprise Warescription to The Busy Coder’s Guide to Android Development is available for teams of 10+ members. Contact Mark Murphy for details.