I wanted to open a picture sent by a friend in the Sketch app in order to highlight something and send it back. The app didn't have permission to access the file system. A popup appeared. I clicked "Allow", then, "Screen overlay detected" appeared and it just wouldn't let me through.
Now, I've read that I can disable screen overlay, add the permissions, and then re-enable it, but I don't feel like going through all my apps to see what permissions they need, neither I feel like disabling & enabling this every time I need to allow something.
Is there any reason why Google did this? I guess there must be a serious security concern, since this is very user unfriendly, but I have no idea what that could be.
See the pictures in the following question for examples of the problem
Answer
This is to prevent 'Tapjacking'.
It works in a surprisingly simple way – you download an application and open it, which triggers the installation of a second, this time malicious, application. Then, when you press a button on the seemingly innocent application, you are actually clicking a button on the malicious application that is hidden within it. So, as its name suggests, the trap is in the tap.
So, imagine this scenario. You have downloaded an application and on the main screen there is a button that says “Start Game”. You click it to begin but, unbeknownst to you, this has triggered the downloading of the dangerous malware. On the next screen you continue clicking away, oblivious to the dangers, and without realizing you have accepted the terms and conditions of the dangerous malware that has hidden itself on your cellphone.
So when Android detects an app is appearing as an overlay it prevents the user from granting permissions or clicking on install when sideloading an app (and possibly more scenarios).
An app developer can opt into this behaviour if the user is doing something that needs to be secure:
Sometimes it is essential that an application be able to verify that an action is being performed with the full knowledge and consent of the user, such as granting a permission request, making a purchase or clicking on an advertisement. Unfortunately, a malicious application could try to spoof the user into performing these actions, unaware, by concealing the intended purpose of the view. As a remedy, the framework offers a touch filtering mechanism that can be used to improve the security of views that provide access to sensitive functionality.
No comments:
Post a Comment