- Type: Task
- Resolution: Done
- Priority: Medium
- Affects Version/s: None
- FLW Sprint 37, FLW Sprint 38, FLW Sprint 39
- FLW Mobile App
- All
Application does not prevent overlay attacks where malicious apps place UI overlays to trick users.
Impact: User actions may be hijacked, leading to unauthorized transactions or data entry.
| Vulnerability Name | Vulnerable URL | CVE/CWE | CVSS Score | Overall Risk (Severity) |
| --- | --- | --- | --- | --- |
| Tap-Jacking | Android Application | CWE-1021 | 3.2 | Low |

Observation / Description:
Tapjacking is a type of attack where an attacker overlays a transparent or opaque layer on top of a legitimate application interface to deceive users into tapping on hidden, malicious elements. This can lead to unintended actions being performed without the user's knowledge or consent.

Impact:
- Unauthorized Actions: Users may unknowingly perform actions on the overlay, leading to unintended consequences, such as granting permissions or making unwanted purchases.
- Privacy Violation: Sensitive information may be exposed if the attacker manipulates the UI to trick users into interacting with elements that reveal confidential data.
- Malicious Operations: Tapjacking can be used to trick users into initiating operations that benefit the attacker, such as social media posts, fund transfers, or other malicious activities.

Recommendation:
- Use Secure UI Components: Design the application's UI to use secure components that resist overlay attacks.
- Implement Anti-Tapjacking Techniques: Use techniques such as `View.SYSTEM_UI_FLAG_FULLSCREEN`, `View.setFilterTouchesWhenObscured()`, or `WindowManager.LayoutParams.FLAG_SECURE` to prevent overlays.
- User Education: Educate users about the potential risks of interacting with unexpected or suspicious UI elements.
- Authentication for Sensitive Actions: Implement authentication mechanisms for sensitive operations to mitigate the risk of unauthorized actions initiated through Tapjacking.
- Regular Security Audits: Conduct regular security audits to identify and address potential Tapjacking vulnerabilities in the application.

Reference: https://developer.android.com/privacy-and-security/risks/tapjacking

Steps to reproduce:
Step 1: During security assessment, we uploaded the APK file to a tapjacking application to check for vulnerability. It was found to be susceptible to tapjacking.
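As an added example (not code from this ticket or the FLW app), this is how the recommended `setFilterTouchesWhenObscured()` and `FLAG_SECURE` controls are applied to a sensitive-action screen on Android; the activity, layout and view ids are assumed names, and the explicit `MotionEvent` flag check extends the recommendation to partially obscured windows.

```java
// Added example: hardening a sensitive action (e.g. a fund transfer) against tapjacking.
// TransferActivity, R.layout.activity_transfer and R.id.btn_confirm_transfer are assumed names.
import android.app.Activity;
import android.os.Build;
import android.os.Bundle;
import android.view.MotionEvent;
import android.view.View;
import android.view.WindowManager;
import android.widget.Button;
import android.widget.Toast;

public class TransferActivity extends Activity {

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // FLAG_SECURE keeps this window out of screenshots, screen recordings and
        // non-secure displays. It is a confidentiality control, not a touch filter.
        getWindow().setFlags(WindowManager.LayoutParams.FLAG_SECURE,
                WindowManager.LayoutParams.FLAG_SECURE);
        setContentView(R.layout.activity_transfer);

        Button confirm = findViewById(R.id.btn_confirm_transfer);
        // Same effect as android:filterTouchesWhenObscured="true" in the layout XML:
        // the framework discards touches delivered while another window fully covers this view.
        confirm.setFilterTouchesWhenObscured(true);
        // Also reject touches while the window is only *partially* obscured (flag reported
        // from API 29), which setFilterTouchesWhenObscured alone does not cover.
        confirm.setOnTouchListener(this::rejectObscuredTouch);
        confirm.setOnClickListener(v -> performTransfer());
    }

    /** True when the system reports another window drawn over ours for this touch. */
    static boolean isObscured(MotionEvent event) {
        int flags = event.getFlags();
        boolean obscured = (flags & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0;
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q) {
            obscured |= (flags & MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED) != 0;
        }
        return obscured;
    }

    private boolean rejectObscuredTouch(View v, MotionEvent event) {
        if (!isObscured(event)) {
            return false; // normal click handling proceeds
        }
        if (event.getActionMasked() == MotionEvent.ACTION_DOWN) {
            Toast.makeText(this, "Blocked: another app is drawing over this screen",
                    Toast.LENGTH_SHORT).show();
        }
        return true; // consume the event so the click listener never fires
    }

    private void performTransfer() { /* sensitive operation, gated by re-authentication */ }
}
```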