Window punching

      Technique summary
    Technique Window punching
    Against UI injections: Activity injections and View injections
    Limitations API Level ≤32 (Android ≤12)
      Cannot have INJECT_EVENTS permission
      Does not detect non-touchable overlays
    Side effects None
    Recommendations Recommended for use combined with other techniques

    Window punching is a defense technique used against activity and view injections.

    This technique was proposed by AlJarrah et al.1 and endorsed by Kalysch et al.2. It relies on the possibility that the API provides a way to simulate touches on the screen. An application can generate touches only on views that belong to itself. In order to do that on external views, the INJECT_EVENTS permission is needed. Thus, an app can simulate touches ("punches") on specific areas of the screen and, if it touches a view that belongs to a different application, a SecurityException exception will be raised:

    Injecting to another application requires INJECT_EVENTS permission

    That behavior is used to detect the presence of an overlay or injection. Thus, if we throw punches on, e.g., a password field, and we see an exception, we will know that there is an injection or overlay positioned over that field.

    This code snippet would simulate one punch in specific coordinates:

    private void throwPunch(int x, int y) { long downTime = SystemClock.uptimeMillis(); long eventTime = SystemClock.uptimeMillis(); MotionEvent event = MotionEvent.obtain(downTime, eventTime, MotionEvent.ACTION_DOWN, x, y, 0); event.setSource(InputDevice.SOURCE_TOUCHSCREEN); instrumentation.sendPointerSync(event); }

    And to trigger a burst of a specific number of touches on a specific area:

    private void launchBarrageOfPunches(int xMax, int yMax, int nPunches, boolean randomX, boolean randomY) { for (int punchCount = 0; punchCount < nPunches; punchCount++) { // (...) throwPunch(x, y); } }

    Bursts of touches can be launched at specific time intervals, and if an exception occurs, it will lead to a detection.

    try { launchBarrageOfPunches(xMax, yMax, n, true, false); return false; } catch(SecurityException e) { return true; // injection detected }


    Example implementation of top package inspection defense

    One limitation is that this mechanism does not work from API level 33 (Android 13) onward. In this case, the exception is generated even when trying to simulate touches on the same application.

    1. AlJarrah, Abeer, and Mohamed Shehab. "Maintaining user interface integrity on Android". 2016 IEEE 40th Annual Computer Software and Applications Conference (COMPSAC). Vol. 1. IEEE, 2016.
    2. Kalysch, Anatoli, Davide Bove, and Tilo Müller. "How android's UI security is undermined by accessibility". Proceedings of the 2nd Reversing and Offensive-oriented Trends Symposium. 2018.


    Table of contents