How can we ensure that the target app is truly resistant to overlay attacks?

Chen-Hua Wang
2 min read · Oct 26, 2024


Conclusion

We should conduct both static and dynamic testing on the target app. In this case, the static test results from the reversed app code indicated that it should properly defend against overlay attacks. The dynamic test results, however, showed that the target app is not truly resistant to overlay attacks. This is why static and dynamic testing should both be performed on the same target feature.

Question

How can we ensure that the target app is truly resistant to overlay attacks?

Explanation

This case uses an Android 8.0.0 (API 26) mobile device to test a target app. Results of any overlay experiment depend on the Android version and API level, so we should keep that in mind. For Android 9 or higher, please check the link below.

MASTG-TEST-0035: Testing for Overlay Attacks — OWASP Mobile Application Security

using an Android 8.0.0 (API 26) mobile device

Static Test

I searched the reversed code for the specific pattern “SYSTEM_ALERT_WINDOW” to examine the target app. The target app uses “permissionx_system_alert_window > 显示在其他应用的上层” (the Chinese UI string for “display over other apps”), which suggests that it requests the overlay permission to keep itself on the top layer and prevent overlay attacks.
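A small static scan, added here as an example (not the author's tooling), that separates the two findings a grep for “SYSTEM_ALERT_WINDOW” conflates: an app that merely requests the overlay permission, and an app that actually applies Android's view-level touch filters (filterTouchesWhenObscured / onFilterTouchEventForSecurity). The decompiled file contents are constructed to mirror the case in this post.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of decompiled artifacts, modelled on the app in the post:
# it requests SYSTEM_ALERT_WINDOW (via a PermissionX string) but never filters
# obscured touches, so the scan must not report it as protected.
SAMPLE_APP: Dict[str, str] = {
    "AndroidManifest.xml": '<uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>',
    "res/values-zh/strings.xml": '<string name="permissionx_system_alert_window">显示在其他应用的上层</string>',
    "res/layout/login.xml": '<Button android:id="@+id/login" android:text="Login"/>',
    "com/example/LoginActivity.java": "class LoginActivity extends Activity { }",
}

# Constructed hardened variant: the sensitive button filters obscured touches.
HARDENED_APP: Dict[str, str] = dict(SAMPLE_APP)
HARDENED_APP["res/layout/login.xml"] = (
    '<Button android:id="@+id/login" android:filterTouchesWhenObscured="true"/>'
)

# Requesting the overlay permission is NOT a defense; it only lets the app draw overlays itself.
OVERLAY_PERMISSION = re.compile(r"SYSTEM_ALERT_WINDOW|permissionx_system_alert_window")

# Real Android mechanisms that reject touches delivered through an overlay.
TOUCH_FILTERS: List[Tuple[re.Pattern, str]] = [
    (re.compile(r'android:filterTouchesWhenObscured="true"'), "layout attribute filterTouchesWhenObscured"),
    (re.compile(r"setFilterTouchesWhenObscured\(\s*true\s*\)"), "View.setFilterTouchesWhenObscured(true)"),
    (re.compile(r"onFilterTouchEventForSecurity\("), "override of View.onFilterTouchEventForSecurity"),
    (re.compile(r"FLAG_WINDOW_IS_OBSCURED"), "MotionEvent.FLAG_WINDOW_IS_OBSCURED check"),
]


def scan(files: Dict[str, str]) -> dict:
    """Return where the overlay permission appears and which touch filters (if any) are applied."""
    requests_overlay = [path for path, src in files.items() if OVERLAY_PERMISSION.search(src)]
    defenses = [
        (path, label)
        for path, src in files.items()
        for pattern, label in TOUCH_FILTERS
        if pattern.search(src)
    ]
    return {
        "requests_overlay_permission": requests_overlay,
        "touch_filters": defenses,
        # Even "defense present" only says a filter exists somewhere; dynamic
        # testing still has to confirm it covers the sensitive screen.
        "static_verdict": "defense present" if defenses else "no overlay defense found",
    }


if __name__ == "__main__":
    print(scan(SAMPLE_APP))    # expected verdict: no overlay defense found
    print(scan(HARDENED_APP))  # expected verdict: defense present
```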

Dynamic Test

I used an overlay attack app called “tapjacking.apk” from the link below.

https://github.com/FSecureLABS/tapjacking-poc

Open and start the overlay attack.

Returning to our target app, I found that it was still vulnerable to overlay attacks from tapjacking.apk. This result reminds me that we should never fully trust static code analysis alone; it’s essential to conduct dynamic testing to verify the app’s actual behavior.

Found that target app was still vulnerable to overlay attacks from tapjacking.apk.

If there are any inaccuracies in my understanding, feel free to leave a comment or discuss them with me on LinkedIn. Thank you.

Note: This article and the content within this blog are for educational reference purposes only. Please do not infringe copyrights, and do not use this material for illegal purposes or means.


Chen-Hua Wang

Senior Investigator Who Catches Hackers and Internal Corporate Leakers | 7 years’ experience