Cloak and dagger – a new kind of attacks for Android

Note that Android O now clearly shows a warning when an app is rendering an overlay - probably the reason why the issues were marked wontfix.<p>As usual, getting the fix on the older versions is a whole different story.<p>The other Google failing here is the whole permission thing - since 6.0 Android apps need to ask for permissions for drawing over other app. However, for some really baffling reason Google still lets us publish APKs that target API below 6.0, which automatically triggers fallback mode which grants permissions at install time. Why I have no idea.

This seems like a refinement of &quot;tap-jacking&quot;, which is a pretty well-known UI redressing attack for Android apps, and works in a way that is somewhat similar to &quot;clickjacking&quot; on web pages --- an invisible frame is rendered on top of the application that captures inputs (as opposed to an opaque frame that obscures the legitimate application and tricks you into interacting with it).<p>The big limitation on these attacks is that you have to install a malicious application <i>and then</i> trick people into getting to a situation where the application can interact with a specific target; that&#x27;s something that should be straightforward for app stores to screen for.

From the section marked &quot;Responsible Disclosure&quot;:<p>&gt; Current — All the attacks discussed by this work are still practical, even with latest version of Android (Android 7.1.2, with security patches of May 5th installed).<p>Honest question - does HN feel this is actually responsible disclosure? A large number of Android devices seem to be vulnerable to the issue, and the whitepaper includes exploit details. Is the intent to force Google to pay attention to the issue?

The impact of this vulnerability would not have been as bad if only android let the user disable background apps easily and reliably.

Android should totally disable draw-on-top while security-sensitive UI elements are visible like password fields and permission dialogs. Seems like an easy fix.

As cynical and unoriginal as I may sound, I could only expect such an exploit for android, and not iOS.