SYSTEM_ALERT_WINDOW: Now More Hidden Than Ever

SYSTEM_ALERT_WINDOW has been a long-standing concern of mine, due to its relationship to tapjacking attacks. And, due to some changes that Google has made, apps can now get that permission without the user's knowledge.

SYSTEM_ALERT_WINDOW is the permission that allows apps to draw over top of other apps from the background. It’s what powers things like the Facebook “chatheads”, for example.

For a long time, SYSTEM_ALERT_WINDOW had the dangerous protection level. The user would be informed, at install time, that the app was requesting the ability to draw over other apps. In Android 6.0, it was upgraded to signature|system|appop, requiring the user to go into Settings and manually grant this right to apps requesting it, if your targetSdkVersion is 23 or higher — you could not request it even using the new runtime permission system.
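To make the Android 6.0 mechanism concrete, here is an added example (not code from the post) of how an app with targetSdkVersion 23 or higher checks whether it currently holds SYSTEM_ALERT_WINDOW and, if not, sends the user to the Settings screen where it has to be granted by hand. The package name, activity name and request code are hypothetical; `Settings.canDrawOverlays()` and `Settings.ACTION_MANAGE_OVERLAY_PERMISSION` are the real API 23 calls.

```java
// Added example, not code from the post: an activity that checks for the
// overlay permission and, if it is missing, opens the "Draw over other apps"
// Settings screen for this package. Package and request code are hypothetical.
package com.example.overlaydemo;

import android.app.Activity;
import android.content.Intent;
import android.net.Uri;
import android.os.Build;
import android.os.Bundle;
import android.provider.Settings;
import android.util.Log;

public class OverlayPermissionActivity extends Activity {
  private static final String TAG = "OverlayDemo";
  private static final int REQUEST_OVERLAY = 1001; // hypothetical request code

  @Override
  protected void onCreate(Bundle savedInstanceState) {
    super.onCreate(savedInstanceState);
    if (hasOverlayPermission()) {
      startOverlay();
    } else {
      // There is no runtime-permission dialog for this permission: the only
      // option is to open the per-app "Draw over other apps" screen.
      Intent i = new Intent(Settings.ACTION_MANAGE_OVERLAY_PERMISSION,
          Uri.parse("package:" + getPackageName()));
      startActivityForResult(i, REQUEST_OVERLAY);
    }
  }

  @Override
  protected void onActivityResult(int requestCode, int resultCode, Intent data) {
    super.onActivityResult(requestCode, resultCode, data);
    // Settings does not hand back a meaningful result code, so re-check
    // the permission instead of trusting resultCode.
    if (requestCode == REQUEST_OVERLAY) {
      if (hasOverlayPermission()) {
        startOverlay();
      } else {
        Log.i(TAG, "User did not grant the overlay permission");
      }
    }
  }

  // Before 6.0 the permission was granted at install time, so it is held
  // whenever the manifest declares it; from 6.0 on it is an app op that the
  // user toggles in Settings, which canDrawOverlays() reflects.
  boolean hasOverlayPermission() {
    return Build.VERSION.SDK_INT < Build.VERSION_CODES.M
        || Settings.canDrawOverlays(this);
  }

  private void startOverlay() {
    Log.i(TAG, "Overlay permission held; the app may now add an overlay window");
  }
}
```

The manifest still needs `<uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW" />`; without it, the Settings toggle for the app does not appear at all.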

However, a few weeks ago, this Stack Overflow question appeared, pointing out that apps like Evernote were getting SYSTEM_ALERT_WINDOW without telling the user.

Mattia Maestrini responded that Android 6.0.1 further modified SYSTEM_ALERT_WINDOW. Apps with targetSdkVersion of 23 or higher that request SYSTEM_ALERT_WINDOW get it without telling the user… if the user installs the app from the Play Store. If the user installs the app by other means, the previous Android 6.0 rules apply, and the user has to manually grant the right to draw over other apps.

Users of Android 6.0.1+ devices should go into Settings > Apps > (gear icon) > “Draw over other apps” and see what shows up. The answer may surprise you. You may want to revoke that right for some apps.

I tossed together a “SAW Monitor” sample app that watches app installs and upgrades and raises a Notification if the app in question has requested SYSTEM_ALERT_WINDOW and is not on a whitelist. I’ll keep that app on my own device, so that at least I find out when some app decides to obtain this permission behind my back, with Google’s approval. Of course, where possible, I get my apps from F-Droid, rather than the Play Store.
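For readers who want to build something like that monitor themselves, here is an added example of the core of such a receiver. It is not the post's SAW Monitor code; the package name, receiver name and whitelist entry are constructed for illustration. It listens for package installs and upgrades, checks whether the new or updated app declares SYSTEM_ALERT_WINDOW, and goes one step beyond the post's description by also asking `AppOpsManager` whether the permission is already in effect (which is what distinguishes a Play Store install on 6.0.1 from a sideloaded one).

```java
// Added example, not code from the post: a BroadcastReceiver that watches
// package installs/upgrades and raises a Notification when the app in
// question requested SYSTEM_ALERT_WINDOW and is not on a whitelist.
// Assumed manifest registration (inside <application>):
//   <receiver android:name=".SawMonitorReceiver">
//     <intent-filter>
//       <action android:name="android.intent.action.PACKAGE_ADDED" />
//       <action android:name="android.intent.action.PACKAGE_REPLACED" />
//       <data android:scheme="package" />
//     </intent-filter>
//   </receiver>
package com.example.sawmonitor; // hypothetical package name

import android.app.AppOpsManager;
import android.app.Notification;
import android.app.NotificationManager;
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.os.Build;
import android.util.Log;

import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

public class SawMonitorReceiver extends BroadcastReceiver {
  private static final String TAG = "SawMonitor";
  private static final String SAW = "android.permission.SYSTEM_ALERT_WINDOW";

  // Apps the device owner knowingly allows to draw over other apps
  // (constructed sample whitelist; replace with your own entries).
  private static final Set<String> WHITELIST = Collections.unmodifiableSet(
      new HashSet<>(Arrays.asList("com.example.trusted.overlay")));

  @Override
  public void onReceive(Context ctxt, Intent intent) {
    if (intent.getData() == null) return;
    // For package broadcasts the data URI is package:<name>
    String pkg = intent.getData().getSchemeSpecificPart();
    if (pkg == null || WHITELIST.contains(pkg)) return;

    PackageInfo info;
    try {
      info = ctxt.getPackageManager()
          .getPackageInfo(pkg, PackageManager.GET_PERMISSIONS);
    } catch (PackageManager.NameNotFoundException e) {
      Log.w(TAG, "Package vanished before it could be inspected: " + pkg);
      return;
    }
    if (!requestsSaw(info)) return;

    String text = isSawGranted(ctxt, info)
        ? pkg + " can already draw over other apps"
        : pkg + " requests SYSTEM_ALERT_WINDOW (not currently granted)";
    raiseNotification(ctxt, pkg, text);
  }

  // True if the installed package's manifest lists SYSTEM_ALERT_WINDOW.
  static boolean requestsSaw(PackageInfo info) {
    if (info.requestedPermissions == null) return false;
    for (String perm : info.requestedPermissions) {
      if (SAW.equals(perm)) return true;
    }
    return false;
  }

  // On 6.0+ the permission is an app op, so ask AppOpsManager whether that op
  // is currently allowed for the package; before 6.0 it was granted at install.
  static boolean isSawGranted(Context ctxt, PackageInfo info) {
    if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.M) {
      AppOpsManager appOps =
          (AppOpsManager) ctxt.getSystemService(Context.APP_OPS_SERVICE);
      int mode = appOps.checkOpNoThrow(AppOpsManager.OPSTR_SYSTEM_ALERT_WINDOW,
          info.applicationInfo.uid, info.packageName);
      return mode == AppOpsManager.MODE_ALLOWED;
    }
    return true;
  }

  private static void raiseNotification(Context ctxt, String pkg, String text) {
    Notification n = new Notification.Builder(ctxt)
        .setSmallIcon(android.R.drawable.stat_sys_warning)
        .setContentTitle("SYSTEM_ALERT_WINDOW requested")
        .setContentText(text)
        .setAutoCancel(true)
        .build();
    NotificationManager mgr =
        (NotificationManager) ctxt.getSystemService(Context.NOTIFICATION_SERVICE);
    // One notification per package: key the id off the package name
    mgr.notify(pkg.hashCode(), n);
  }
}
```

The receiver is written against the 6.0-era API the post discusses; on Android 8.0 and later the Notification would additionally need a notification channel, and the implicit PACKAGE_ADDED/PACKAGE_REPLACED broadcasts are still delivered to manifest-registered receivers because they carry package data.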