Create new MASTG Test, Best Practice and Demo for marking UI views in the app as containing sensitive data

[cpholguera]

Android 16 provides a new, powerful defense in a single line of code: accessibilityDataSensitive. This flag lets you explicitly mark views in your app as containing sensitive data and block malicious apps from seeing or performing interactions on it. If you already use setFilterTouchesWhenObscured(true) to protect your app from tapjacking, your views are automatically treated as sensitive data for accessibility for an instant additional layer of defense with no extra work.

Android 16 and accessibilityDataSensitive: Starting with Android 16 (API level 16) and higher, developers can use the accessibilityDataSensitive flag to further protect sensitive data from malicious accessibility services that are not legitimate accessibility tools. When this flag is set on sensitive views (e.g., login screens, transaction confirmation screens), it restricts apps with accessibility permission from reading or interacting with the sensitive data unless they are declared as an isA11yTool=true in their manifest. This provides a more robust, system-level protection against eavesdropping and click injection attacks that are characteristic of partial occlusion scenarios. Developers can often implicitly enable accessibilityDataSensitive by specifying android:filterTouchesWhenObscured="true" in their layout files.

More info:

https://android-developers.googleblog.com/2025/12/enhancing-android-security-stop-malware.html

https://developer.android.com/privacy-and-security/risks/tapjacking#mitigations

[prasunsrivastav123-lang]

Hi @cpholguera ,

Based on the description, I propose to add MASTG content documenting the Android 16 accessibilityDataSensitive protection for sensitive UI views.

The contribution would include:

• A new MASTG test describing how to verify that sensitive UI elements (e.g., login or transaction confirmation screens) are protected using accessibilityDataSensitive and/or filterTouchesWhenObscured
• A best-practices section explaining how these flags help mitigate tapjacking, click injection, and malicious accessibility service abuse, and how they act as defense-in-depth rather than a standalone control
• A small Android demo showing a sensitive screen marked with accessibilityDataSensitive, including the implicit protection provided by android:filterTouchesWhenObscured="true"

The goal is to clearly document how Android 16 provides system-level protection against unauthorized accessibility access to sensitive UI data, aligned with existing Android security guidance.

Please let me know if this approach looks good. Thanks!

[cpholguera]

Sounds great, thank you!

[prasunsrivastav123-lang]

Thanks! I’ve started working on this and will submit the update shortly. Please let me know if you’d like any adjustments

[prasunsrivastav123-lang]

Hi @cpholguera , thanks for the guidance on this. I’ve opened a PR adding a new Android MASVS-PLATFORM test documenting the use of accessibilityDataSensitive (and related protections like filterTouchesWhenObscured) for sensitive UI views on Android 16.

Please let me know if this approach looks good or if you’d like me to expand it further (for example, with a best-practice section or a small demo). Thanks!

[hharshhsaini]

Hi @cpholguera , i would like to work on this issue if it is not resolved yet .

[cpholguera]

@hharshhsaini you can, but please carefully read the contribution guidelines:

https://mas.owasp.org/contributing/#what-not-to-do

And consider the previously closed PR.