
pSlip is an Android static analysis toolkit designed to scan APKs and detect applications exposing dangerous permissions.


actuator/pSlip


What's New?: Tapjacking Detection

Why tapjacking in 2025? Android 15 hardens the OS, but apps must still block obscured touches themselves. pSlip finds tapjacking-prone controls for security testers and developers.

pSlip

This tool is designed to identify Android apps that could be vulnerable to the 'Permission-Slip' attack, also known as a 'Confused Deputy'.

This occurs when a privileged application is leveraged into performing actions on behalf of a less privileged app, which effectively grants that app elevated permissions.


Highlights

  • Exported component triage (CALL, VIEW+javascript:, weak custom permissions)
  • Tapjacking/TapTrap detector (Compose & XML; missing obscured-touch filtering)
  • ADB POC commands for quick validation
  • HTML + CSV reports, with a Tapjacking Portfolio
  • Severity & Confidence (0–100) on each finding
  • -allsafe mode skips AES for fast, stable sweeps
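The following is an added example (not pSlip's own code) showing what the "exported component triage" highlight boils down to when applied to a decoded AndroidManifest.xml: exported components that declare no android:permission are reachable by any app on the device, and components guarded only by a custom permission whose protectionLevel is "normal" or "dangerous" are nearly as exposed, since any app can request such a permission. The manifest, the component names and the severity labels are constructed for this example; the CALL and VIEW+javascript: intent checks from the highlight are not modelled here.

```python
"""Exported-component triage on a decoded AndroidManifest.xml (added example)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
# Custom permissions at these levels can be requested by any app, so they do
# not meaningfully restrict who may talk to the component.
WEAK_PROTECTION_LEVELS = {"normal", "dangerous"}

# Constructed sample manifest: one component correctly guarded by a
# signature-level permission, one guarded by a normal-level permission,
# one exported with no permission at all, and one not exported.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.demo">
  <permission android:name="com.example.demo.DIAL"
      android:protectionLevel="normal"/>
  <permission android:name="com.example.demo.ADMIN"
      android:protectionLevel="signature"/>
  <application>
    <activity android:name=".MainActivity" android:exported="true"
        android:permission="com.example.demo.ADMIN"/>
    <service android:name=".DialService" android:exported="true"
        android:permission="com.example.demo.DIAL"/>
    <receiver android:name=".SyncReceiver" android:exported="true"/>
    <provider android:name=".DataProvider" android:exported="false"/>
  </application>
</manifest>
"""


def _attr(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def custom_permission_levels(root):
    """Map each custom <permission> name to its base protectionLevel.

    protectionLevel defaults to "normal" when absent and may carry flags
    such as "signature|privileged"; only the base level matters here.
    """
    levels = {}
    for perm in root.iter("permission"):
        level = (_attr(perm, "protectionLevel") or "normal").split("|")[0]
        levels[_attr(perm, "name")] = level
    return levels


def triage_manifest(manifest_xml):
    """Return (kind, name, reason, severity) for exposed exported components.

    Only explicit android:exported="true" is considered. Before Android 12 a
    component with an <intent-filter> was exported implicitly; a complete
    scanner must account for that as well.
    """
    root = ET.fromstring(manifest_xml)
    levels = custom_permission_levels(root)
    findings = []
    for kind in ("activity", "service", "receiver", "provider"):
        for comp in root.iter(kind):
            if _attr(comp, "exported") != "true":
                continue
            name = _attr(comp, "name")
            perm = _attr(comp, "permission")
            if perm is None:
                findings.append((kind, name, "exported without permission", "High"))
            elif levels.get(perm, "unknown") in WEAK_PROTECTION_LEVELS:
                reason = f"guarded by {perm} (protectionLevel={levels[perm]})"
                findings.append((kind, name, reason, "Medium"))
    return findings


if __name__ == "__main__":
    for kind, name, reason, severity in triage_manifest(SAMPLE_MANIFEST):
        print(f"[{severity}] {kind} {name}: {reason}")
```

Run it against the output of `apktool d` on a real APK by replacing SAMPLE_MANIFEST with the contents of the decoded AndroidManifest.xml; a permission that the manifest references but never declares shows up as "unknown" and is deliberately not flagged, since it may be a platform or third-party permission whose level the manifest alone cannot tell you.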

Install

git clone https://github.com/actuator/pSlip.git
cd pSlip
# tools
sudo apt install apktool jadx

Usage

# Directory sweep
python pSlip.py . -all -html demo.html

# Fast sweep (skip AES/jadx)
python pSlip.py path/to/apks -allsafe -html report.htm

Flags: -p (permissions), -perm, -js, -call, -aes, -taptrap, -csv <file>, -all, -allsafe.


Tapjacking Signals

  • High when the control's UI semantics match one of: login | auth | verify | pay | checkout | approve | password | otp | pin | confirm | secure | submit | card | transfer | send
  • Info otherwise (defense-in-depth).
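As an added example (not pSlip's own code), here is the XML half of that signal applied to a decoded layout: every touchable control that does not set android:filterTouchesWhenObscured="true" is reported, rated High when its id or text matches the keyword list above and Info otherwise. The layout, the widget names and the confidence numbers are constructed for this example; Compose screens, which the README also covers, need a source-level check instead.

```python
"""Tapjacking signal check on a decoded XML layout (added example)."""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
# Keyword list from the README's "Tapjacking Signals" section.
SENSITIVE = re.compile(
    r"login|auth|verify|pay|checkout|approve|password|otp|pin|confirm"
    r"|secure|submit|card|transfer|send",
    re.I,
)
# Widgets that are clickable by default (constructed, non-exhaustive list).
TOUCHABLE_WIDGETS = {"Button", "ImageButton", "CheckBox", "Switch", "ToggleButton"}

# Constructed sample layout: a sensitive button without the filter, a
# sensitive button with it, a non-sensitive button, a clickable TextView
# and a plain TextView.
SAMPLE_LAYOUT = """<?xml version="1.0" encoding="utf-8"?>
<LinearLayout xmlns:android="http://schemas.android.com/apk/res/android">
  <Button android:id="@+id/btn_confirm_transfer" android:text="Confirm transfer"/>
  <Button android:id="@+id/btn_confirm_payment" android:text="Pay now"
      android:filterTouchesWhenObscured="true"/>
  <ImageButton android:id="@+id/btn_share"/>
  <TextView android:id="@+id/tv_help" android:text="Help"
      android:clickable="true"/>
  <TextView android:id="@+id/tv_title" android:text="Welcome"/>
</LinearLayout>
"""


def _attr(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def is_touchable(elem):
    """True for widgets that accept taps, by default or by attribute."""
    widget = elem.tag.split(".")[-1]  # strip a fully qualified class prefix
    return (
        widget in TOUCHABLE_WIDGETS
        or _attr(elem, "clickable") == "true"
        or _attr(elem, "onClick") is not None
    )


def tapjacking_findings(layout_xml):
    """Report touchable controls that do not drop obscured touches.

    A control that sets filterTouchesWhenObscured="true" is skipped: the
    framework then discards touches delivered while another window covers
    it. The attribute can also be set from code or a style, which a layout
    scan alone cannot see, so treat Info findings as candidates to review.
    """
    root = ET.fromstring(layout_xml)
    findings = []
    for elem in root.iter():
        if not is_touchable(elem):
            continue
        if _attr(elem, "filterTouchesWhenObscured") == "true":
            continue
        label = " ".join(v for v in (_attr(elem, "id"), _attr(elem, "text")) if v)
        sensitive = SENSITIVE.search(label) is not None
        findings.append({
            "view": elem.tag,
            "id": _attr(elem, "id"),
            "severity": "High" if sensitive else "Info",
            # Constructed confidence values for the example only.
            "confidence": 85 if sensitive else 40,
        })
    return findings


if __name__ == "__main__":
    for f in tapjacking_findings(SAMPLE_LAYOUT):
        print(f"[{f['severity']} {f['confidence']}] {f['view']} {f['id']}")
```

The fix on the app side is the attribute the scanner looks for, set on the control itself or on the enclosing view group, so the remediation for a High finding is a one-line layout change plus a re-scan to confirm it no longer appears.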

Output

  • HTML: Tapjacking Portfolio (one line per app) + detailed, sorted findings
  • CSV: vulnerabilities CSV + report.taptrap.apps.csv (Tapjacking portfolio)

Changelog (snapshot)

  • Added Tapjacking/TapTrap detector (Compose + XML)
  • Severity & Confidence scoring
  • New -taptrap and -csv flags, portfolio roll-up
  • Safer HTML output; clearer jadx errors

Contribute

Pull requests are welcome; for major changes, please open an issue first to discuss what you would like to change.

I appreciate any contributions that improve the functionality and usability of the tool.