Add setHideOverlayWindows to knowledge and best practices, fix demo structure

Copilot · cpholguera · Copilot · commit dbe8198387eb · 2026-01-29T19:21:03.000Z
Co-authored-by: cpholguera &lt;29175115+cpholguera@users.noreply.github.com&gt;
diff --git a/best-practices/MASTG-BEST-0029.md b/best-practices/MASTG-BEST-0029.md
@@ -16,9 +16,11 @@ Implement touch filtering to prevent touch events when the app's UI is obscured
 
 2. **Call `setFilterTouchesWhenObscured(true)`** programmatically on sensitive views to enable touch filtering at runtime.
 
-3. **Override `onFilterTouchEventForSecurity`** for more granular control and to implement custom security policies based on your app's specific requirements.
+3. **Call `setHideOverlayWindows(true)`** on the window (API level 31+) to hide all non-system overlay windows while the activity is in the foreground. This provides stronger protection by preventing overlays entirely rather than just filtering touch events.
 
-4. **Check motion event flags** such as `FLAG_WINDOW_IS_OBSCURED` (API level 9+) or `FLAG_WINDOW_IS_PARTIALLY_OBSCURED` (API level 29+) in touch event handlers to detect obscured windows and respond appropriately.
+4. **Override `onFilterTouchEventForSecurity`** for more granular control and to implement custom security policies based on your app's specific requirements.
+
+5. **Check motion event flags** such as `FLAG_WINDOW_IS_OBSCURED` (API level 9+) or `FLAG_WINDOW_IS_PARTIALLY_OBSCURED` (API level 29+) in touch event handlers to detect obscured windows and respond appropriately.
 
 Apply these protections selectively to security-sensitive UI elements where user confirmation is critical, such as:
 
@@ -52,6 +54,7 @@ Touch filtering mechanisms help ensure that user interactions occur with the int
 - Android Developer Documentation: [Tapjacking](https://developer.android.com/privacy-and-security/risks/tapjacking)
 - Android Developer Documentation: [View Security](https://developer.android.com/reference/android/view/View#security)
 - Android Developer Documentation: [setFilterTouchesWhenObscured](https://developer.android.com/reference/android/view/View#setFilterTouchesWhenObscured(boolean))
+- Android Developer Documentation: [setHideOverlayWindows](https://developer.android.com/reference/android/view/Window#setHideOverlayWindows(boolean))
 - Android Developer Documentation: [onFilterTouchEventForSecurity](https://developer.android.com/reference/android/view/View#onFilterTouchEventForSecurity(android.view.MotionEvent))
 - Android Developer Documentation: [FLAG_WINDOW_IS_OBSCURED](https://developer.android.com/reference/android/view/MotionEvent#FLAG_WINDOW_IS_OBSCURED)
 - Android Developer Documentation: [FLAG_WINDOW_IS_PARTIALLY_OBSCURED](https://developer.android.com/reference/android/view/MotionEvent#FLAG_WINDOW_IS_PARTIALLY_OBSCURED)
diff --git a/demos/android/MASVS-PLATFORM/MASTG-DEMO-0x83/MastgTest.kt b/demos/android/MASVS-PLATFORM/MASTG-DEMO-0x83/MastgTest.kt
@@ -1,94 +1,58 @@
 package org.owasp.mastestapp
 
-import android.os.Bundle
+import android.content.Context
 import android.view.MotionEvent
-import android.view.View
 import android.widget.Button
-import android.widget.Toast
-import androidx.activity.ComponentActivity
-import androidx.activity.compose.setContent
-import androidx.activity.enableEdgeToEdge
-import androidx.compose.foundation.layout.Column
-import androidx.compose.foundation.layout.fillMaxWidth
-import androidx.compose.foundation.layout.padding
-import androidx.compose.material3.Button
-import androidx.compose.material3.Text
-import androidx.compose.runtime.Composable
-import androidx.compose.ui.Modifier
-import androidx.compose.ui.platform.ComposeView
-import androidx.compose.ui.unit.dp
-import androidx.compose.ui.viewinterop.AndroidView
+import android.widget.LinearLayout
 
 // SUMMARY: This sample demonstrates different approaches to handling overlay attacks in Android apps, 
 // showing both vulnerable patterns and proper protections using filterTouchesWhenObscured.
 
-const val MASTG_TEXT_TAG = "mastgTestText"
+class MastgTest (private val context: Context){
 
-class MainActivity : ComponentActivity() {
-    override fun onCreate(savedInstanceState: Bundle?) {
-        super.onCreate(savedInstanceState)
-        enableEdgeToEdge()
-        setContent {
-            MainScreen()
-        }
-    }
-}
+    fun mastgTest(): String {
+        val layout = LinearLayout(context)
+        layout.orientation = LinearLayout.VERTICAL
 
-@Composable
-fun MainScreen() {
-    Column(modifier = Modifier.padding(16.dp)) {
-        // FAIL: [MASTG-TEST-0035] Sensitive button without overlay protection
-        Button(
-            onClick = { 
+        // FAIL: [MASTG-TEST-0x35] Sensitive button without overlay protection
+        val vulnerableButton = Button(context).apply {
+            text = "Vulnerable: Confirm Payment"
+            setOnClickListener {
                 // Sensitive action: confirming a payment
-            },
-            modifier = Modifier
-                .fillMaxWidth()
-                .padding(vertical = 8.dp)
-        ) {
-            Text("Vulnerable: Confirm Payment")
+            }
         }
+        layout.addView(vulnerableButton)
         
-        // PASS: [MASTG-TEST-0035] Button with overlay protection using filterTouchesWhenObscured
-        AndroidView(
-            factory = { context ->
-                Button(context).apply {
-                    text = "Protected: Confirm Payment"
-                    filterTouchesWhenObscured = true
-                    setOnClickListener {
-                        // Sensitive action protected from overlay attacks
-                        Toast.makeText(context, "Payment confirmed", Toast.LENGTH_SHORT).show()
-                    }
-                }
-            },
-            modifier = Modifier
-                .fillMaxWidth()
-                .padding(vertical = 8.dp)
-        )
+        // PASS: [MASTG-TEST-0x35] Button with overlay protection using filterTouchesWhenObscured
+        val protectedButton = Button(context).apply {
+            text = "Protected: Confirm Payment"
+            filterTouchesWhenObscured = true
+            setOnClickListener {
+                // Sensitive action protected from overlay attacks
+            }
+        }
+        layout.addView(protectedButton)
         
-        // PASS: [MASTG-TEST-0035] Custom view with manual obscured check
-        AndroidView(
-            factory = { context ->
-                object : Button(context) {
-                    override fun onFilterTouchEventForSecurity(event: MotionEvent): Boolean {
-                        if ((event.flags and MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0) {
-                            // Window is obscured, filter the touch event
-                            Toast.makeText(context, "Touch blocked - window obscured", Toast.LENGTH_SHORT).show()
-                            return false
-                        }
-                        return super.onFilterTouchEventForSecurity(event)
-                    }
-                }.apply {
-                    text = "Custom Protection: Grant Permission"
-                    setOnClickListener {
-                        // Sensitive permission grant protected by custom implementation
-                        Toast.makeText(context, "Permission granted", Toast.LENGTH_SHORT).show()
-                    }
+        // PASS: [MASTG-TEST-0x35] Custom view with manual obscured check
+        val customProtectedButton = object : Button(context) {
+            override fun onFilterTouchEventForSecurity(event: MotionEvent): Boolean {
+                if ((event.flags and MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0) {
+                    // Window is obscured, filter the touch event
+                    return false
                 }
-            },
-            modifier = Modifier
-                .fillMaxWidth()
-                .padding(vertical = 8.dp)
-        )
+                return super.onFilterTouchEventForSecurity(event)
+            }
+        }.apply {
+            text = "Custom Protection: Grant Permission"
+            setOnClickListener {
+                // Sensitive permission grant protected by custom implementation
+            }
+        }
+        layout.addView(customProtectedButton)
+
+        return "Created buttons with various overlay protections:\n" +
+               "1. Vulnerable button (no protection)\n" +
+               "2. Protected button (filterTouchesWhenObscured)\n" +
+               "3. Custom protected button (onFilterTouchEventForSecurity)"
     }
 }
diff --git a/demos/android/MASVS-PLATFORM/MASTG-DEMO-0x83/MastgTest_reversed.java b/demos/android/MASVS-PLATFORM/MASTG-DEMO-0x83/MastgTest_reversed.java
@@ -1,97 +1,59 @@
 package org.owasp.mastestapp;
 
-import android.os.Bundle;
+import android.content.Context;
 import android.view.MotionEvent;
 import android.widget.Button;
-import android.widget.Toast;
-import androidx.activity.ComponentActivity;
-import androidx.compose.foundation.layout.ColumnKt;
-import androidx.compose.foundation.layout.PaddingKt;
-import androidx.compose.material3.ButtonKt;
-import androidx.compose.material3.TextKt;
-import androidx.compose.runtime.Composer;
-import androidx.compose.ui.Modifier;
-import androidx.compose.ui.unit.Dp;
-import androidx.compose.ui.viewinterop.AndroidViewKt;
-import kotlin.jvm.functions.Function0;
-import kotlin.jvm.functions.Function1;
-import kotlin.jvm.functions.Function2;
-import kotlin.jvm.internal.Lambda;
+import android.widget.LinearLayout;
+import kotlin.jvm.internal.Intrinsics;
 
-public final class MainActivity extends ComponentActivity {
-    public void onCreate(Bundle savedInstanceState) {
-        super.onCreate(savedInstanceState);
-        this.enableEdgeToEdge();
-        this.setContent(new Lambda(0) {
-            public final void invoke(Composer $composer, int $changed) {
-                MainScreenKt.MainScreen($composer, 0);
-            }
-        });
+public final class MastgTest {
+    private final Context context;
+
+    public MastgTest(Context context) {
+        Intrinsics.checkNotNullParameter(context, "context");
+        this.context = context;
     }
-}
 
-public final class MainScreenKt {
-    public static final void MainScreen(Composer $composer, int $changed) {
-        Composer $composer2 = $composer.startRestartGroup(0);
-        if ($changed == 0) {
-            if (!$composer2.getSkipping()) {
-                ColumnKt.m586Column(PaddingKt.m565padding(Modifier.Companion, Dp.m5307constructorimpl(16)), null, null, new Lambda(3) {
-                    public final void invoke(ColumnScope $this$Column, Composer $composer, int $changed) {
-                        Composer $composer2 = $composer;
-                        ColumnScope columnScope = $this$Column;
-                        
-                        // FAIL: [MASTG-TEST-0035] Vulnerable button without overlay protection
-                        ButtonKt.m1334Button(new Lambda(0) {
-                            public final void invoke() {
-                                // Sensitive action: confirming a payment
-                            }
-                        }, PaddingKt.m565padding(Modifier.Companion.fillMaxWidth(), Dp.m5307constructorimpl(8)), false, null, null, null, null, null, new Lambda(3) {
-                            public final void invoke(RowScope $this$Button, Composer $composer, int $changed) {
-                                TextKt.m3574Text("Vulnerable: Confirm Payment", null, 0L, 0L, null, null, null, 0L, null, null, 0L, 0, false, 0, null, null, $composer, 0, 0, 131070);
-                            }
-                        }, $composer2, 805306368, 508);
-                        
-                        // PASS: [MASTG-TEST-0035] Button with overlay protection
-                        AndroidViewKt.m4555AndroidView(new Lambda(1) {
-                            public final Button invoke(Context context) {
-                                Button button = new Button(context);
-                                button.setText("Protected: Confirm Payment");
-                                button.setFilterTouchesWhenObscured(true);
-                                button.setOnClickListener(new View.OnClickListener() {
-                                    public void onClick(View view) {
-                                        Toast.makeText(context, "Payment confirmed", 0).show();
-                                    }
-                                });
-                                return button;
-                            }
-                        }, PaddingKt.m565padding(Modifier.Companion.fillMaxWidth(), Dp.m5307constructorimpl(8)), null, null, $composer2, 3080, 12);
-                        
-                        // PASS: [MASTG-TEST-0035] Custom view with manual obscured check
-                        AndroidViewKt.m4555AndroidView(new Lambda(1) {
-                            public final Button invoke(Context context) {
-                                return new Button(context) {
-                                    public boolean onFilterTouchEventForSecurity(MotionEvent event) {
-                                        if ((event.getFlags() & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0) {
-                                            Toast.makeText(this.getContext(), "Touch blocked - window obscured", 0).show();
-                                            return false;
-                                        }
-                                        return super.onFilterTouchEventForSecurity(event);
-                                    }
-                                    
-                                    {
-                                        this.setText("Custom Protection: Grant Permission");
-                                        this.setOnClickListener(new View.OnClickListener() {
-                                            public void onClick(View view) {
-                                                Toast.makeText(Button.this.getContext(), "Permission granted", 0).show();
-                                            }
-                                        });
-                                    }
-                                };
-                            }
-                        }, PaddingKt.m565padding(Modifier.Companion.fillMaxWidth(), Dp.m5307constructorimpl(8)), null, null, $composer2, 3080, 12);
-                    }
-                }, $composer2, 438, 6);
+    public final String mastgTest() {
+        LinearLayout layout = new LinearLayout(this.context);
+        layout.setOrientation(1);
+        
+        // FAIL: [MASTG-TEST-0x35] Sensitive button without overlay protection
+        Button vulnerableButton = new Button(this.context);
+        vulnerableButton.setText("Vulnerable: Confirm Payment");
+        vulnerableButton.setOnClickListener(view -> {
+            // Sensitive action: confirming a payment
+        });
+        layout.addView(vulnerableButton);
+        
+        // PASS: [MASTG-TEST-0x35] Button with overlay protection using filterTouchesWhenObscured
+        Button protectedButton = new Button(this.context);
+        protectedButton.setText("Protected: Confirm Payment");
+        protectedButton.setFilterTouchesWhenObscured(true);
+        protectedButton.setOnClickListener(view -> {
+            // Sensitive action protected from overlay attacks
+        });
+        layout.addView(protectedButton);
+        
+        // PASS: [MASTG-TEST-0x35] Custom view with manual obscured check
+        Button customProtectedButton = new Button(this.context) {
+            public boolean onFilterTouchEventForSecurity(MotionEvent event) {
+                if ((event.getFlags() & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0) {
+                    // Window is obscured, filter the touch event
+                    return false;
+                }
+                return super.onFilterTouchEventForSecurity(event);
             }
-        }
+        };
+        customProtectedButton.setText("Custom Protection: Grant Permission");
+        customProtectedButton.setOnClickListener(view -> {
+            // Sensitive permission grant protected by custom implementation
+        });
+        layout.addView(customProtectedButton);
+        
+        return "Created buttons with various overlay protections:\n" +
+               "1. Vulnerable button (no protection)\n" +
+               "2. Protected button (filterTouchesWhenObscured)\n" +
+               "3. Custom protected button (onFilterTouchEventForSecurity)";
     }
 }
diff --git a/knowledge/android/MASVS-PLATFORM/MASTG-KNOW-0022.md b/knowledge/android/MASVS-PLATFORM/MASTG-KNOW-0022.md
@@ -16,6 +16,7 @@ Android provides several defensive mechanisms that apps can use to protect again
 
 - [`onFilterTouchEventForSecurity`](https://developer.android.com/reference/android/view/View#onFilterTouchEventForSecurity(android.view.MotionEvent)): Override this method for fine-grained control to implement custom security policies for views.
 - [`android:filterTouchesWhenObscured`](https://developer.android.com/reference/android/view/View#attr_android:filterTouchesWhenObscured): Set this layout attribute to `true` or call [`setFilterTouchesWhenObscured`](https://developer.android.com/reference/android/view/View#setFilterTouchesWhenObscured(boolean)) to filter touch events when the view is obscured by another visible window.
+- [`setHideOverlayWindows`](https://developer.android.com/reference/android/view/Window#setHideOverlayWindows(boolean)) (since API level 31): Call this method on the window to hide all non-system overlay windows while the activity is in the foreground. This provides a stronger protection by preventing overlays entirely rather than just filtering touch events.
 - [`FLAG_WINDOW_IS_OBSCURED`](https://developer.android.com/reference/android/view/MotionEvent#FLAG_WINDOW_IS_OBSCURED) (since API level 9): Check this flag to detect if the window is obscured.
 - [`FLAG_WINDOW_IS_PARTIALLY_OBSCURED`](https://developer.android.com/reference/android/view/MotionEvent#FLAG_WINDOW_IS_PARTIALLY_OBSCURED) (since API level 29): Check this flag to detect if the window is partially obscured.
 
