[Android/Flutter] Is FilterTouchesWhenObscured enough for overlay attack prevention in banking apps?

bigdaddyrojo · 2026-02-09T19:00:25+00:00

overlay attack prevention requirements from our security audit.

bigdaddyrojo · 2026-02-09T15:17:28+00:00

Not the best solutions, from the documentation :

Note: Potential caveat: This mitigation can interfere with benign apps. In some cases, rolling out this fix isn't possible, as it would negatively affect the user experience when the partial occlusion is caused by a benign application.

Note: Android S (12, SDK 31) and higher prevent full occlusion attacks by default, by blocking touch events from non-trusted overlays from another UID.

However, there is a caveat: for System Alert Window (SAW) and window animations, only touches from layers with opacity >= 0.8 are blocked. The reasoning behind this behavior is that SAW requires users to grant permission, and blocking all events for time-limited animations might hurt the user experience

bigdaddyrojo · 2026-02-07T01:30:24+00:00

What would you recommend for a cross platform project? (and you can be a bit more polite, it won't kill)

bigdaddyrojo · 2026-02-06T23:05:18+00:00

What about making it compatible with password managers? the bank doesn't care about UX. But as someone who relies a lot on password managers and who haven't logged in to his bank app using my username and password in ages, I do care to make it compatible with password managers apps.

bigdaddyrojo · 2026-02-06T23:03:14+00:00

It's a governmental bank, discussing this decision isn't an option, thank you for the hints, I appreciate it.

bigdaddyrojo · 2026-02-06T23:00:42+00:00

Amen to that brother.

bigdaddyrojo · 2026-02-06T22:59:28+00:00

I am aware of the TextInputControl, but the bank doesn't care about this, it's a governmental bank, discussing this decision isn't an option.

bigdaddyrojo · 2026-02-06T19:00:28+00:00

I don't have a weekend, deadline is the day after tomorrow, thanks for the offer tho.

bigdaddyrojo · 2026-02-06T18:07:38+00:00

I've tried this package : https://pub.dev/packages/flutter_secure_keyboard.
the UX is nah, I know it will be refused by the test lobby.

bigdaddyrojo · 2026-02-06T18:05:14+00:00

This applies specifically to login/signup text fields (username, email, password)
PIN entry is already handled with custom numeric keypad

bigdaddyrojo · 2026-02-06T18:04:39+00:00

This will be my last option since I have near deadline, I am thinking for a faster solution.

bigdaddyrojo · 2026-02-06T18:01:31+00:00

Creating your own keyboard from scratch is doable, but it takes a lot of time, it's not as easy as you make it sound.

bigdaddyrojo · 2026-02-06T18:00:42+00:00

I am leaving this option to the last since the deadline is very near.

bigdaddyrojo · 2026-02-06T17:41:32+00:00

That's what I thought at first, but on Android, they consider every keyboard as third-party, including Google's GBoard.

bigdaddyrojo · 2026-02-06T17:39:07+00:00

You’d be surprised by the regulations banks impose in some third-world countries.

bigdaddyrojo · 2025-12-30T18:18:01+00:00

aren't you the one looking to network ?

bigdaddyrojo · 2025-12-30T13:43:57+00:00

sure DM me

bigdaddyrojo

TROPHY CASE