Port MASTG-TEST-0035: Testing for Overlay Attacks (android) (by @appknox) #3593
MaxBytes06 wants to merge 7 commits into OWASP:master from
| * 1. Missing FLAG_SECURE on the window. | ||
| * 2. Missing touch filtering/protection on sensitive views (simulated check). | ||
| */ | ||
| class VulnerableLoginActivity : AppCompatActivity() { |
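Review bot: the header comment calls the second weakness a "simulated check", which leaves it unclear whether the demo actually lacks touch filtering or only pretends to. For a test fixture the weakness should be real so the test has something to detect: leave `setFilterTouchesWhenObscured(true)` / `android:filterTouchesWhenObscured` off the sensitive views and `FLAG_SECURE` off the window, and state that plainly in the comment instead of "simulated".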
The class is now an activity so the demo app doesn't work.
@Reality2byte the message is meant for the author of the PR. If you wish to contribute, please feel free to check the open issues :)
| import android.widget.TextView | ||
| import android.view.Gravity | ||
| // IMPORTANT: Assume DemoResults, Status are defined elsewhere in your project |
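Review bot: the `// IMPORTANT: Assume DemoResults, Status are defined elsewhere in your project` comment points at a real defect, not just a style issue: `DemoResults` and `Status` are referenced here but not defined in the file, which may be part of why the checks linked in this thread fail. Either add the definitions to the demo app or drop the dependency, and remove the comment once the types exist.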
those seem to be LLM comments. Do they add value?
| To mitigate these attacks please carefully read the general guidelines about Android View security in the [Android Developer Documentation](https://developer.android.com/reference/android/view/View#security "View Security"). For instance, the so-called _touch filtering_ is a common defense against tapjacking, which contributes to safeguarding users against these vulnerabilities, usually in combination with other techniques and considerations as we introduce in this section. | ||
| ## Static Analysis |
This whole context is missing; please migrate the test according to the guidelines. Using LLMs will not help you; you will need manual writing and research for this.
@MaxBytes06 please review the PR description, add an actual description and fill in the information on the disclosures. Thank you. |
@MaxBytes06 this is a reminder to review the PR description, add an actual description and fill in the information on the disclosures. Also, the app that you are proposing doesn't build, see the checks https://github.com/OWASP/mastg/actions/runs/21352598855/job/61452571526?pr=3593 Thank you. |
serek8
left a comment
This PR misses some content from the old test. I think we should still cover:
Closes #2983
Description
TBD
AI Tool Disclosure
Check exactly one option.
If AI tools were used to generate or substantially modify code or text, complete the following.
For first-time contributors using AI tools.
Undisclosed use of AI tools will result in the PR being closed. Large rewrites or bulk changes generated by AI require explicit prior approval from the maintainers. Learn more in "Use of AI tools in contributions".
Contributor Checklist
Relevant documentation.
Contributors are expected to understand basic git and GitHub workflows, including forks, branches, commits, and pull requests. The project does not provide training. Pull requests that do not meet these minimum requirements may be closed without review.