Tapjacking Attack cheetahmobile App
The application is vulnerable to a tapjacking attack, which can trick the user into deactivating security features of the application.
The application exports a lot of activities and app components, which can be started externally by third-party apps. A malicious app can start a component of the app, put an overlay over the component and trick the user into deactivating security features of the application.
For further details about tapjacking and protection mechanisms, see:
Be wary of spam text dialogs that do not come from the official app.
Reduce the number of exported application components and implement tapjacking protection. The Android API provides different methods to mitigate tapjacking (see: http://developer.android.com/intl/es/reference/android/view/View.html#setFilterTouchesWhenObscured%28boolean%29).
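A sketch of the mitigation described above, as an added example that is not the vendor's code: an activity that drops touches delivered while its window is obscured. The package, class name and layout resource are hypothetical; `setFilterTouchesWhenObscured`, `MotionEvent.FLAG_WINDOW_IS_OBSCURED` and `android:exported` are standard Android APIs.

```java
package com.example.tapjackdemo; // hypothetical package name

import android.app.Activity;
import android.os.Bundle;
import android.util.Log;
import android.view.MotionEvent;
import android.view.View;

/**
 * Hypothetical settings screen whose controls can switch security features off.
 * If no other app needs to start it, declare it in AndroidManifest.xml with
 * android:exported="false" so third-party apps cannot launch it at all.
 */
public class SecuritySettingsActivity extends Activity {

    private static final String TAG = "SecuritySettings";

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_security_settings); // hypothetical layout

        // Second layer: the framework discards touch events for this view
        // hierarchy whenever another visible window covers the touched location.
        View root = findViewById(android.R.id.content);
        root.setFilterTouchesWhenObscured(true);
    }

    // First layer: inspect every touch before it reaches any view, so an
    // obscured tap is dropped and also recorded.
    @Override
    public boolean dispatchTouchEvent(MotionEvent ev) {
        if ((ev.getFlags() & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0) {
            Log.w(TAG, "Touch ignored: window obscured by an overlay");
            return true; // consume the event; no control receives it
        }
        return super.dispatchTouchEvent(ev);
    }
}
```

The same filter can be enabled declaratively with `android:filterTouchesWhenObscured="true"` on the sensitive views in the layout XML.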
- 2015-12-15 Vulnerability Discovered
- 2015-12-21 Vulnerability Reported (1st attempt, no reaction)
- 2016-01-18 Vulnerability Reported (2nd attempt)
- 2016-01-27 Vulnerability Fixed