A set of techniques to protect against overlays on Android.
An Android overlay is a window that one app draws on top of another app. Overlays are commonly used to display floating views such as the chat bubbles in Facebook Messenger, or to show a temporary message or alert. They often make for a more convenient user experience by letting users reach certain features or information without leaving the app they are currently using. However, the benefits of this feature come with a big risk, since Android overlays can, unfortunately, also be used for malicious purposes: an overlay can cover or mimic a sensitive screen so that the user's taps land on a control they did not intend to touch.
The Android application project in this repo demonstrates some ways in which you can protect against overlay attacks:
- In Android 12+ (API 32+): using "setHideOverlayWindows(true)", the platform's dedicated defense against overlay attacks, which asks the system to hide other apps' overlay windows while your window is on top
- In Android 2+ (API 9+): multiple ways to check whether a touch event was delivered while the window was obscured by an overlay, using the obscured flags on the MotionEvent and the view-level "filterTouchesWhenObscured" setting
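The following Kotlin activity is an added illustration of how the two defenses above fit together; it is not code from this repository. The activity name, the button, and the "transfer" action are constructed for the example, and the logging helper stands in for whatever reporting your app uses. It gates each API on the platform version that introduced it, and it checks both the fully-obscured flag (API 9) and the partially-obscured flag (API 29), because an overlay that only covers part of the window is not caught by the older flag.

```kotlin
import android.os.Build
import android.os.Bundle
import android.util.Log
import android.view.MotionEvent
import android.view.View
import android.widget.Button
import androidx.appcompat.app.AppCompatActivity

// Hypothetical activity (example only, not the repo's own code) that combines
// the overlay defenses described in the README.
class OverlayAwareActivity : AppCompatActivity() {

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)

        // Defense 1 (Android 12+, API 31+): ask the system to hide other apps'
        // TYPE_APPLICATION_OVERLAY windows while this window is on top.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.S) {
            window.setHideOverlayWindows(true)
        }

        // Constructed sample: a button that triggers a sensitive action.
        val confirm = Button(this).apply {
            text = "Confirm transfer"
            // Defense 2a (API 9+): the view itself discards touches that arrive
            // while another window covers it. Same effect as setting
            // android:filterTouchesWhenObscured="true" in the layout XML.
            filterTouchesWhenObscured = true
            setOnClickListener { onTransferConfirmed() }
        }
        setContentView(confirm)
    }

    // Defense 2b (API 9+): inspect the obscured flags on every touch before it
    // reaches any view, so the check applies to the whole screen, not just
    // views that opted in via filterTouchesWhenObscured.
    override fun dispatchTouchEvent(ev: MotionEvent): Boolean {
        if (ev.actionMasked == MotionEvent.ACTION_DOWN && isObscured(ev)) {
            Log.w(TAG, "Touch ignored: window is obscured by another window")
            return true // consume the event so no view ever sees it
        }
        return super.dispatchTouchEvent(ev)
    }

    private fun onTransferConfirmed() {
        // Constructed placeholder for the sensitive operation.
        Log.i(TAG, "Transfer confirmed by an unobscured touch")
    }

    companion object {
        private const val TAG = "OverlayAwareActivity"

        // Returns true when the touch was delivered while this window was
        // fully obscured (API 9+) or partially obscured (API 29+) by another
        // window. The partial flag is only set on Android 10 and later, so on
        // older devices a partial overlay can go unnoticed by this check.
        fun isObscured(ev: MotionEvent): Boolean {
            val flags = ev.flags
            val fullyObscured = flags and MotionEvent.FLAG_WINDOW_IS_OBSCURED != 0
            val partiallyObscured =
                Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q &&
                    flags and MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED != 0
            return fullyObscured || partiallyObscured
        }
    }
}
```

Two design points worth noting. The activity-level check in dispatchTouchEvent runs before the view-level filter, so it protects views you forgot to opt in, while the per-view filterTouchesWhenObscured still guards the button if it is reused in another activity. And setHideOverlayWindows only affects overlays drawn by other apps with the SYSTEM_ALERT_WINDOW permission; it does not remove system windows such as accessibility overlays, which is why the touch-flag checks remain useful on Android 12 and later.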
For further details, refer to the companion blog post.
The application can be built from the command line or within Android Studio:
$ ./gradlew assembleRelease
The application demonstrates techniques to protect against overlay attacks that you can apply to your own application. To get the most out of the example application, read the code together with the companion blog post.
Contributions, issues and feature requests are welcome. Feel free to check the issues page if you would like to contribute.
Copyright (c) 2002-2023 Guardsquare NV. This project is released under the Apache 2 license.