Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Skip to content
Commit 2dbe94c0 authored by Sterling Huber's avatar Sterling Huber Committed by Vasyl Gello
Browse files

RESTRICT AUTOMERGE Make toasts non-clickable 

Since enforcement was only on client-side, in Toast class, an app could
use reflection (or other means) to make the Toast clickable. This is a
security vulnerability since it allows tapjacking, that is, intercept touch
events and do stuff like steal PINs and passwords.

This CL brings the enforcement to the system by applying flag
FLAG_NOT_TOUCHABLE.

Test: atest CtsWindowManagetDeviceTestCases:ToastTest
Test: Construct app that uses reflection to remove flag FLAG_NOT_TOUCHABLE and
      log click events. Then:
      1) Observe click events are logged without this CL.
      2) Observer click events are not logged with this CL.
Bug: 128674520

(cherry picked from commit 6bf18c39)
Change-Id: Ica346c853dcb9a1e494f7143ba1c38d22c0003d0
parent de08dc76
Show whitespace changes
Inline Side-by-side
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment