S&P2017
Cloak and Dagger: From Two Permissions to Complete Control of the UI Feedback Loop
Yanick Fratantonio, Chenxiong Qian, Simon P. Chung, Wenke Lee
126 citations
Abstract
These two attacks are enough to lure the user to enable the accessibility service!
- We just need to hijack three clicks
- No guessing is involved
- The clicks do not need to be consecutive

Context-aware clickjacking + Context hiding
- Not only is it not useful…
- ...but #1: misleading documentation

Back to the "obscured flag"...

FLAG_WINDOW_IS_OBSCURED docs
"This flag indicates that the window that received this motion event is partly or wholly obscured by another visible window above it."

FLAG_WINDOW_IS_OBSCURED docs
/**
 * This flag indicates that the window that received this motion event is partly
 * or wholly obscured by another visible window above it. This flag is set to true
 * even if the event did not directly pass through the obscured area.
 * A security sensitive application can check this flag to identify situations in which
 * a malicious application may have covered up part of its content for the purpose
 * of misleading the user or hijacking touches. An appropriate response might be
 * to drop the suspect touches or to take additional precautions to confirm the user's
 * actual intent.
 *
 * Unlike FLAG_WINDOW_IS_OBSCURED, this is actually true.
 * @hide
 */
public static final int FLAG_WINDOW_IS_PARTIALLY_OBSCURED = 0x2;
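The response the Javadoc above suggests (drop the suspect touches), written out as an added example that is not from the slides, the paper, or the Android framework. The class name `ObscuredAwareButton` is hypothetical, and the local constant reuses the `0x2` value shown above because the framework constant is marked `@hide` there; whether a given Android version sets that bit on delivered events is an assumption.

```java
import android.content.Context;
import android.util.AttributeSet;
import android.view.MotionEvent;
import android.widget.Button;

/** Hypothetical security-sensitive control, e.g. a "confirm" or "allow" button. */
public class ObscuredAwareButton extends Button {

    // Same value as the hidden framework constant quoted above, redeclared
    // locally because @hide constants are not part of the public SDK.
    private static final int FLAG_WINDOW_IS_PARTIALLY_OBSCURED = 0x2;

    public ObscuredAwareButton(Context context, AttributeSet attrs) {
        super(context, attrs);
        // Built-in filter: the framework drops touches that carry
        // FLAG_WINDOW_IS_OBSCURED before they reach click handling.
        setFilterTouchesWhenObscured(true);
    }

    /**
     * Called by the framework before a touch is dispatched to this view.
     * Returning false drops the event.
     */
    @Override
    public boolean onFilterTouchEventForSecurity(MotionEvent event) {
        int flags = event.getFlags();

        // Set only when the touch passed through another visible window.
        boolean obscured = (flags & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0;

        // Set when any part of this window is covered, even if the touch
        // itself did not pass through the covered area.
        boolean partiallyObscured = (flags & FLAG_WINDOW_IS_PARTIALLY_OBSCURED) != 0;

        if (obscured || partiallyObscured) {
            return false; // drop the suspect touch
        }
        return super.onFilterTouchEventForSecurity(event);
    }
}
```

Dropping on the partial flag rejects touches whenever any overlay covers any part of the window, so an app that does this should tell the user why the control is not responding.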