by: Davide Danelon, Founder & CEO date: 22/06/2018

Recently I had to perform a couple of mobile application penetration tests against hybrid applications developed with Apache Cordova.

Both applications were subject to Tapjacking attacks. Since Tapjacking is nowadays a well-known issue, I thought there was already an easy solution for hybrid applications developed with Cordova (e.g. via a plugin), but unfortunately, I was wrong.

So, I decided to implement a solution to provide it to our customers and to anyone who needs it, through the release of a free and open source Cordova plugin.

What is Tapjacking?

I don’t want to write another article about tapjacking, so just a few words for those who have never heard of it: the word is the combination of “tap” and “jacking” and, as the term suggests, it means someone hijacking what a user taps on his smartphone. It is a sort of mobile version of “Clickjacking” for web applications.

For example, using social engineering an attacker can develop a malicious app that exploits tapjacking and tricks the victim into doing dispositive actions on vulnerable applications.

Put simply, to develop a malicious app the attacker leverages a popup window functionality provided by Android, called “toast”, that can be fully customized.

The peculiarity of this element is that any tap on it is passed on to the underlying element. So, the malicious app can:

  • create a “toast” that covers the whole screen
  • launch, using an intent (another Android functionality), the target application.

Now, if the victim taps on the popup, which might look like a real app, the touch is passed to the target app.

In the following screenshot it is possible to see an example in which the target app (developed with Cordova) is covered by some elements that are created by the “malicious” app using a customized toast.

In the preceding screenshot, although the hand logo is above the button, if the user taps on it the touch is passed to the target application, and the action associated with the button is performed (the “ACTION DONE!” div is shown, but obviously it may be a dispositive critical action).

By the way, the “malicious” app used here does not require any permission and the test was done on Android 6.0.1.

The Solution

Developers of native applications can easily prevent this attack by ensuring that the setting “filterTouchesWhenObscured” is set to true, or that the method “onFilterTouchEventForSecurity()” is implemented.

For Cordova applications, it is necessary to protect the main WebView, in order to ensure that Android will discard touches when the WebView is obscured by another visible window.
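As an illustration of what protecting the main WebView involves, here is an added example that is not the source of the plugin described in this post: a minimal Cordova plugin class that enables touch filtering on the WebView's underlying Android view. The package and class names are hypothetical, and it assumes the plugin is declared in plugin.xml with the `onload` parameter set to `true`.

```java
package com.example.tapjackingguard; // hypothetical package name

import android.util.Log;
import android.view.View;

import org.apache.cordova.CordovaPlugin;

/**
 * Hypothetical Cordova plugin (illustration only): asks Android to discard
 * touches that reach the main WebView while another visible window covers it.
 *
 * Assumption: the <feature> entry for this class in plugin.xml contains
 * <param name="onload" value="true" />. Without it Cordova instantiates the
 * plugin lazily on the first exec() call from JavaScript, and the WebView
 * stays unprotected until then.
 */
public class TapjackingGuard extends CordovaPlugin {

    private static final String TAG = "TapjackingGuard";

    @Override
    protected void pluginInitialize() {
        // View properties must be changed on the UI thread.
        cordova.getActivity().runOnUiThread(new Runnable() {
            @Override
            public void run() {
                // getView() returns the Android View that renders the Cordova WebView.
                View view = webView.getView();

                // Programmatic equivalent of android:filterTouchesWhenObscured="true".
                // With this set, the default View.onFilterTouchEventForSecurity()
                // drops any MotionEvent flagged FLAG_WINDOW_IS_OBSCURED before it
                // is dispatched to the page.
                view.setFilterTouchesWhenObscured(true);

                // Read the setting back so a build or QA check can confirm it in logcat.
                Log.i(TAG, "filterTouchesWhenObscured="
                        + view.getFilterTouchesWhenObscured());
            }
        });
    }
}
```

The filter is a property of a single view, so any additional native views or dialogs that a hybrid app uses for sensitive actions need the same setting.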

So I developed the “TapjackingProtectionPlugin”, a free and open source plugin, that can be integrated inside any Cordova application to ensure protection against Tapjacking.

It does not require any configuration; you only have to add it with the following command:

cordova plugin add cordova-plugin-tapjackingprotection

and in a few seconds your application is protected!

Note: the ability to exploit this vulnerability may vary depending on the Android version but, since it is difficult to know on which devices our app will be installed, it is always advisable to ensure that the issue is prevented regardless of the exploitability.

Be sure to develop secure apps. BeDefended.

Thanks for reading.