| This is probably a longer answer than you were looking for, but here's an example from my experience of a legitimate use for this API, which may give non-Android developers some insight into the unholy mess the Android platform is. Android allows apps to draw transparent or translucent windows that can receive touch events and then pass them through to the window underneath. This has legitimate uses, such as using a tinted window to change the screen's color temperature. But it also has malicious uses, such as logging keystrokes or tricking users into changing settings when they think they're tapping targets in a game. This is called tapjacking and it's been a problem on Android for years. On any reasonable platform, it would be the platform's responsibility to fix this bug. On Android, apps have to fend for themselves. So if you want to protect your app from tapjacking, you have to add code to every window you draw that checks whether the touch events it's receiving were forwarded by another app. But since there are legitimate uses for forwarding touch events (such as changing the color temperature), you can't just block forwarded events, otherwise your app will stop working whenever a color temperature app is active. The best you can do is ask the user whether they're using another app that might be drawing on top of your app, and if so, whether they want your app to respond to touches when the other app's on top. Clearly this is a horrible question to present the user with, since many users won't be able to give an informed answer. But the alternative is that all the user's keystrokes get captured by malware, so what are you going to do? To reduce the guesswork for the user, you can ask the system's package manager for a list of installed apps that have permission to draw on top of other apps. If you show the user this list when asking how they want your app to respond, maybe it will help the user to make an informed decision. 
It's still pushing responsibility for a platform bug onto the user, but at least the user has some information on which to base their decision. The irony here is that it would clearly be better for privacy if this package manager method were removed - but it's needed as a workaround for an even worse privacy bug elsewhere in the API. Welcome to Android development. Hope you packed a sense of humor. |
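
The app-side defence described in the comment above, as an added sketch that is not the commenter's code: a container view drops touches that arrive while another window covers it and hands the caller the list of packages that request the overlay permission. The class name `ObscuredTouchGuard`, its `Listener` interface and the `userAllowsObscuredTouches` setting are hypothetical, and it assumes `MotionEvent.FLAG_WINDOW_IS_OBSCURED` is the check the comment refers to.

```java
import android.Manifest;
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.util.AttributeSet;
import android.view.MotionEvent;
import android.widget.FrameLayout;
import java.util.ArrayList;
import java.util.List;

// Hypothetical container: wrap sensitive UI (PIN pad, confirm button) in it.
public class ObscuredTouchGuard extends FrameLayout {
    public interface Listener { void onObscuredTouch(List<String> overlayCapablePackages); }

    private Listener listener;
    private boolean userAllowsObscuredTouches = false; // the user's stored answer

    public ObscuredTouchGuard(Context c, AttributeSet a) { super(c, a); }
    public void setListener(Listener l) { listener = l; }
    public void setUserAllowsObscuredTouches(boolean allow) { userAllowsObscuredTouches = allow; }

    // Called by the framework before dispatch; returning false drops the event.
    @Override
    public boolean onFilterTouchEventForSecurity(MotionEvent ev) {
        // Set by the system when another visible window covers the touch location.
        boolean obscured = (ev.getFlags() & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0;
        if (!obscured || userAllowsObscuredTouches) return true;
        // Notify once per gesture so the app can show the prompt with the package list.
        if (listener != null && ev.getActionMasked() == MotionEvent.ACTION_DOWN) {
            listener.onObscuredTouch(overlayCapablePackages(getContext()));
        }
        return false;
    }

    // Packages whose manifest requests SYSTEM_ALERT_WINDOW ("draw over other apps").
    // Requesting is not the same as being granted, so this is an upper bound.
    // On Android 11+ the result is filtered by package visibility rules.
    static List<String> overlayCapablePackages(Context ctx) {
        List<String> out = new ArrayList<>();
        PackageManager pm = ctx.getPackageManager();
        for (PackageInfo pi : pm.getInstalledPackages(PackageManager.GET_PERMISSIONS)) {
            if (pi.requestedPermissions == null) continue;
            if (pi.packageName.equals(ctx.getPackageName())) continue; // skip ourselves
            for (String p : pi.requestedPermissions) {
                if (Manifest.permission.SYSTEM_ALERT_WINDOW.equals(p)) {
                    out.add(pi.packageName);
                    break;
                }
            }
        }
        return out;
    }
}
```

When no prompt is wanted, calling `setFilterTouchesWhenObscured(true)` on a stock view gives the block-everything behaviour the comment rules out for apps that must coexist with colour-temperature overlays.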