Port MASTG-TEST-0035: Testing for Android overlay attack protections #3649
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…emo, and best practice Co-authored-by: cpholguera <29175115+cpholguera@users.noreply.github.com>
Copilot
AI
changed the title
[WIP] Add MASTG v2 test for overlay attacks on Android
Port MASTG-TEST-0035: Static analysis for Android overlay attack protections
Jan 26, 2026
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
| @@ -0,0 +1,52 @@ | |||
| --- | |||
There was a problem hiding this comment.
⚠️ Duplicate MASTG-DEMO ID Detected
This file has the ID MASTG-DEMO-0083 which already exists in demos/ios/MASVS-NETWORK/MASTG-DEMO-0083/MASTG-DEMO-0083.md.
IMPORTANT: Please use the next available ID: MASTG-DEMO-0087
serek8
reviewed
Jan 26, 2026
| - The `setFilterTouchesWhenObscured` method | ||
| - The `android:filterTouchesWhenObscured` attribute in layout files | ||
| - The `onFilterTouchEventForSecurity` method | ||
| - Checks for `FLAG_WINDOW_IS_OBSCURED` or `FLAG_WINDOW_IS_PARTIALLY_OBSCURED` flags |
Collaborator
There was a problem hiding this comment.
Suggested change
| - Checks for `FLAG_WINDOW_IS_OBSCURED` or `FLAG_WINDOW_IS_PARTIALLY_OBSCURED` flags | |
| - Checks for `FLAG_WINDOW_IS_OBSCURED` or `FLAG_WINDOW_IS_PARTIALLY_OBSCURED` flags | |
| - The [`setHideOverlayWindows`](https://developer.android.com/reference/android/view/Window#setHideOverlayWindows(boolean)) method |
There is a Manifest equivalent flag that works globally in the same way HIDE_OVERLAY_WINDOWS
Let's also add it to BEST-0029 and KNOW
cpholguera
reviewed
Jan 26, 2026
| profiles: [L2] | ||
| status: deprecated | ||
| covered_by: [MASTG-TEST-0035] | ||
| deprecation_note: "New version available in MASTG V2 focusing on static analysis only" |
Collaborator
There was a problem hiding this comment.
Suggested change
| deprecation_note: "New version available in MASTG V2 focusing on static analysis only" | |
| deprecation_note: "New version available in MASTG V2" |
| --- | ||
| platform: android | ||
| title: References to Overlay Attack Protections | ||
| id: MASTG-TEST-0035 |
Collaborator
There was a problem hiding this comment.
Update ID to fake ID here and in the file name and demo
Suggested change
| id: MASTG-TEST-0035 | |
| id: MASTG-TEST-0x35 |
cpholguera
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Ports v1 test for overlay/tapjacking attacks to v2 format. The v1 test included both static and dynamic analysis; v2 focuses exclusively on static detection of touch filtering mechanisms.
Changes
Test (MASTG-TEST-0035)
setFilterTouchesWhenObscured,onFilterTouchEventForSecurity, and obscured window flag checkstargetSdkVersionand sensitive UI contextDemo (MASTG-DEMO-0083)
filterTouchesWhenObscured, custom override with flag checkingSemgrep Rule (mastg-android-overlay-protection.yml)
Best Practice (MASTG-BEST-0029)
Knowledge Article Update (MASTG-KNOW-0022)
V1 Deprecation
covered_by: [MASTG-TEST-0035]Warning
Firewall rules blocked me from connecting to one or more addresses (expand for details)
I tried to connect to the following addresses, but was blocked by firewall rules:
developer.android.com/home/REDACTED/work/_temp/ghcca-node/node/bin/node /home/REDACTED/work/_temp/ghcca-node/node/bin/node --enable-source-maps /home/REDACTED/work/_temp/copilot-developer-action-main/dist/index.js(dns block)/usr/bin/curl curl -s REDACTED(dns block)semgrep.dev/home/REDACTED/.local/bin/pysemgrep osemgrep -c ../../../../rules/mastg-android-overlay-protection.yml ./MastgTest_reversed.java --text -o output.txt(dns block)If you need me to access, download, or install something from one of these locations, you can either:
Original prompt
💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.