commit 6bf18c39d9fc727523fa3201567b836032bb2114
author Sterling Huber <hubers@google.com> Thu Nov 07 11:04:03 2019 -0800
committer Sterling Huber <hubers@google.com> Thu Dec 05 16:41:32 2019 +0000
tree ea55c498ad357dab966da01814de3fb7d9efacc5
parent 663d3d799102b3b35c6e4b91fdc4e92d852bd6ba

RESTRICT AUTOMERGE
Make toasts non-clickable

Since enforcement was only on client-side, in Toast class, an app could
use reflection (or other means) to make the Toast clickable. This is a
security vulnerability since it allows tapjacking, that is, intercept touch
events and do stuff like steal PINs and passwords.

This CL brings the enforcement to the system by applying flag
FLAG_NOT_TOUCHABLE.

Test: atest CtsWindowManagetDeviceTestCases:ToastTest
Test: Construct app that uses reflection to remove flag FLAG_NOT_TOUCHABLE and
      log click events. Then:
      1) Observe click events are logged without this CL.
      2) Observer click events are not logged with this CL.
Bug: 128674520

Change-Id: Ica346c853dcb9a1e494f7143ba1c38d22c0003d0

services/core/java/com/android/server/policy/PhoneWindowManager.java

diff --git a/services/core/java/com/android/server/policy/PhoneWindowManager.java b/services/core/java/com/android/server/policy/PhoneWindowManager.java
index 56ceda7..4d3d120 100644
--- a/services/core/java/com/android/server/policy/PhoneWindowManager.java
+++ b/services/core/java/com/android/server/policy/PhoneWindowManager.java
@@ -2805,6 +2805,8 @@
                     attrs.hideTimeoutMilliseconds = TOAST_WINDOW_TIMEOUT;
                 }
                 attrs.windowAnimations = com.android.internal.R.style.Animation_Toast;
+                // Toasts can't be clickable
+                attrs.flags |= WindowManager.LayoutParams.FLAG_NOT_TOUCHABLE;
                 break;
         }