Guard against tapjacking

2025-12-03 02:52:17 +00:00 · 2020-09-17 17:06:39 +10:00
parent 540a657965
commit 6482f16445
10 changed files with 105 additions and 25 deletions
--- a/src/org/thoughtcrime/securesms/conversation/ConversationItem.java
+++ b/src/org/thoughtcrime/securesms/conversation/ConversationItem.java
@@ -89,6 +89,7 @@ import org.thoughtcrime.securesms.linkpreview.LinkPreviewUtil;
 import org.thoughtcrime.securesms.logging.Log;
 import org.thoughtcrime.securesms.loki.utilities.MentionUtilities;
 import org.thoughtcrime.securesms.loki.views.ProfilePictureView;
+import org.thoughtcrime.securesms.loki.views.TapJackingProofLinearLayout;
 import org.thoughtcrime.securesms.mms.GlideRequests;
 import org.thoughtcrime.securesms.mms.ImageSlide;
 import org.thoughtcrime.securesms.mms.PartAuthority;
@@ -129,7 +130,7 @@ import network.loki.messenger.R;
 *
 */

-public class ConversationItem extends LinearLayout
+public class ConversationItem extends TapJackingProofLinearLayout
    implements RecipientModifiedListener, BindableConversationItem
 {
  private static final String TAG = ConversationItem.class.getSimpleName();
--- a/src/org/thoughtcrime/securesms/loki/activities/CreatePrivateChatActivity.kt
+++ b/src/org/thoughtcrime/securesms/loki/activities/CreatePrivateChatActivity.kt
@@ -134,10 +134,10 @@ class EnterPublicKeyFragment : Fragment() {
    }

    private fun copyPublicKey() {
-        val clipboard = activity!!.getSystemService(Context.CLIPBOARD_SERVICE) as ClipboardManager
+        val clipboard = requireActivity().getSystemService(Context.CLIPBOARD_SERVICE) as ClipboardManager
        val clip = ClipData.newPlainText("Session ID", hexEncodedPublicKey)
        clipboard.setPrimaryClip(clip)
-        Toast.makeText(context!!, R.string.copied_to_clipboard, Toast.LENGTH_SHORT).show()
+        Toast.makeText(requireContext(), R.string.copied_to_clipboard, Toast.LENGTH_SHORT).show()
    }

    private fun sharePublicKey() {
@@ -149,8 +149,8 @@ class EnterPublicKeyFragment : Fragment() {
    }

    private fun createPrivateChatIfPossible() {
-        val hexEncodedPublicKey = publicKeyEditText.text.trim().toString()
-        (activity!! as CreatePrivateChatActivity).createPrivateChatIfPossible(hexEncodedPublicKey)
+        val hexEncodedPublicKey = publicKeyEditText.text?.trim().toString() ?: ""
+        (requireActivity() as CreatePrivateChatActivity).createPrivateChatIfPossible(hexEncodedPublicKey)
    }
 }
 // endregion
--- a/src/org/thoughtcrime/securesms/loki/views/TapJacking.kt
+++ b/src/org/thoughtcrime/securesms/loki/views/TapJacking.kt
@@ -0,0 +1,79 @@
+package org.thoughtcrime.securesms.loki.views
+
+import android.content.Context
+import android.util.AttributeSet
+import android.view.MotionEvent
+import android.widget.Button
+import android.widget.LinearLayout
+import android.widget.Toast
+
+private fun isPotentialTapJack(event: MotionEvent): Boolean {
+    if (event.flags and MotionEvent.FLAG_WINDOW_IS_OBSCURED == MotionEvent.FLAG_WINDOW_IS_OBSCURED) { return true }
+    if (android.os.Build.VERSION.SDK_INT >= android.os.Build.VERSION_CODES.Q &&
+        (event.flags and MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED == MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED)) { return true }
+    return false
+}
+
+open class TapJackingProofButton : androidx.appcompat.widget.AppCompatButton {
+
+    constructor(context: Context) : super(context)
+    constructor(context: Context, attrs: AttributeSet) : super(context, attrs)
+    constructor(context: Context, attrs: AttributeSet, defStyleAttr: Int) : super(context, attrs, defStyleAttr)
+
+    override fun onFilterTouchEventForSecurity(event: MotionEvent): Boolean {
+        if (isPotentialTapJack(event)) {
+            Toast.makeText(context, "Interaction temporarily disabled for security purposes.", Toast.LENGTH_LONG).show()
+            return false
+        } else {
+            return super.onFilterTouchEventForSecurity(event)
+        }
+    }
+}
+
+open class TapJackingProofEditText : androidx.appcompat.widget.AppCompatEditText {
+
+    constructor(context: Context) : super(context)
+    constructor(context: Context, attrs: AttributeSet) : super(context, attrs)
+    constructor(context: Context, attrs: AttributeSet, defStyleAttr: Int) : super(context, attrs, defStyleAttr)
+
+    override fun onFilterTouchEventForSecurity(event: MotionEvent): Boolean {
+        if (isPotentialTapJack(event)) {
+            Toast.makeText(context, "Interaction temporarily disabled for security purposes.", Toast.LENGTH_LONG).show()
+            return false
+        } else {
+            return super.onFilterTouchEventForSecurity(event)
+        }
+    }
+}
+
+open class TapJackingProofTextView : androidx.appcompat.widget.AppCompatTextView {
+
+    constructor(context: Context) : super(context)
+    constructor(context: Context, attrs: AttributeSet) : super(context, attrs)
+    constructor(context: Context, attrs: AttributeSet, defStyleAttr: Int) : super(context, attrs, defStyleAttr)
+
+    override fun onFilterTouchEventForSecurity(event: MotionEvent): Boolean {
+        if (isPotentialTapJack(event)) {
+            Toast.makeText(context, "Interaction temporarily disabled for security purposes.", Toast.LENGTH_LONG).show()
+            return false
+        } else {
+            return super.onFilterTouchEventForSecurity(event)
+        }
+    }
+}
+
+open class TapJackingProofLinearLayout : LinearLayout {
+
+    constructor(context: Context) : super(context)
+    constructor(context: Context, attrs: AttributeSet) : super(context, attrs)
+    constructor(context: Context, attrs: AttributeSet, defStyleAttr: Int) : super(context, attrs, defStyleAttr)
+
+    override fun onFilterTouchEventForSecurity(event: MotionEvent): Boolean {
+        if (isPotentialTapJack(event)) {
+            Toast.makeText(context, "Interaction temporarily disabled for security purposes.", Toast.LENGTH_LONG).show()
+            return false
+        } else {
+            return super.onFilterTouchEventForSecurity(event)
+        }
+    }
+}