From 2969e58bb2ef5423ac95fefc7a23b50a7735ca22 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sat, 31 Jan 2026 22:48:52 +0000
Subject: [PATCH 1/2] Initial plan
From 22afcd3e3722fca9e819cb416a54f8fde2defb3a Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sat, 31 Jan 2026 22:56:29 +0000
Subject: [PATCH 2/2] Add MASTG content for Android 16
accessibilityDataSensitive feature
- Created Knowledge page MASTG-KNOW-0108 for accessibilityDataSensitive
- Created Best Practice MASTG-BEST-0029 for marking UI views as sensitive
- Created Test MASTG-TEST-0321 for static detection
- Created Test MASTG-TEST-0322 for dynamic verification
- Created Demo MASTG-DEMO-0083 demonstrating detection with semgrep
- Created semgrep rule for static analysis
Co-authored-by: cpholguera <29175115+cpholguera@users.noreply.github.com>
---
best-practices/MASTG-BEST-0029.md | 110 ++++++++++++++++++
.../MASTG-DEMO-0083/MASTG-DEMO-0083.md | 72 ++++++++++++
.../MASTG-DEMO-0083/MastgTest.kt | 35 ++++++
.../MASTG-DEMO-0083/activity_login.xml | 51 ++++++++
.../MASVS-PLATFORM/MASTG-DEMO-0083/output.txt | 60 ++++++++++
.../MASVS-PLATFORM/MASTG-DEMO-0083/run.sh | 12 ++
.../android/MASVS-PLATFORM/MASTG-KNOW-0108.md | 88 ++++++++++++++
...-android-accessibility-data-sensitive.yaml | 88 ++++++++++++++
.../android/MASVS-PLATFORM/MASTG-TEST-0321.md | 67 +++++++++++
.../android/MASVS-PLATFORM/MASTG-TEST-0322.md | 68 +++++++++++
10 files changed, 651 insertions(+)
create mode 100644 best-practices/MASTG-BEST-0029.md
create mode 100644 demos/android/MASVS-PLATFORM/MASTG-DEMO-0083/MASTG-DEMO-0083.md
create mode 100644 demos/android/MASVS-PLATFORM/MASTG-DEMO-0083/MastgTest.kt
create mode 100644 demos/android/MASVS-PLATFORM/MASTG-DEMO-0083/activity_login.xml
create mode 100644 demos/android/MASVS-PLATFORM/MASTG-DEMO-0083/output.txt
create mode 100755 demos/android/MASVS-PLATFORM/MASTG-DEMO-0083/run.sh
create mode 100644 knowledge/android/MASVS-PLATFORM/MASTG-KNOW-0108.md
create mode 100644 rules/mastg-android-accessibility-data-sensitive.yaml
create mode 100644 tests-beta/android/MASVS-PLATFORM/MASTG-TEST-0321.md
create mode 100644 tests-beta/android/MASVS-PLATFORM/MASTG-TEST-0322.md
diff --git a/best-practices/MASTG-BEST-0029.md b/best-practices/MASTG-BEST-0029.md
new file mode 100644
index 00000000000..f597f38536d
--- /dev/null
+++ b/best-practices/MASTG-BEST-0029.md
@@ -0,0 +1,110 @@
+---
+title: Marking UI Views as Containing Sensitive Data
+alias: marking-ui-views-sensitive-data
+id: MASTG-BEST-0029
+platform: android
+knowledge: [MASTG-KNOW-0108]
+available_since: 35
+---
+
+## Overview
+
+Starting with Android 16 (API level 35), developers should mark sensitive UI views using the [`accessibilityDataSensitive`](https://developer.android.com/reference/android/view/View#attr_android:accessibilityDataSensitive) attribute to protect against malicious accessibility services. This protection prevents unauthorized apps with accessibility permissions from reading sensitive view content or performing interactions unless they are declared as legitimate accessibility tools via [`isAccessibilityTool`](https://developer.android.com/reference/android/accessibilityservice/AccessibilityServiceInfo#FLAG_ACCESSIBILITY_TOOL).
+
+## Recommendation
+
+Apply `accessibilityDataSensitive="true"` to views that handle or display sensitive information, such as:
+
+- Login screens (username and password fields)
+- Payment and transaction confirmation screens
+- Personal information forms (SSN, credit card numbers, etc.)
+- Two-factor authentication inputs
+- Biometric authentication prompts
+- Any view displaying confidential user data
+
+### XML Implementation
+
+```xml
+
+
+
+```
+
+### Programmatic Implementation
+
+```kotlin
+passwordField.setAccessibilityDataSensitive(View.ACCESSIBILITY_DATA_SENSITIVE_YES)
+confirmButton.setAccessibilityDataSensitive(View.ACCESSIBILITY_DATA_SENSITIVE_YES)
+```
+
+## Rationale
+
+Malicious apps can abuse Android's accessibility framework to:
+
+- Eavesdrop on sensitive user inputs (credentials, payment details)
+- Perform automated click injection on critical actions (approve transactions)
+- Extract confidential information displayed on screen
+- Conduct phishing attacks by monitoring user behavior
+
+By marking views as `accessibilityDataSensitive`, the system restricts non-tool accessibility services from accessing or interacting with these views, significantly reducing the attack surface for malware that relies on accessibility permissions.
+
+## Automatic Protection with filterTouchesWhenObscured
+
+Apps already using [`filterTouchesWhenObscured="true"`](https://developer.android.com/reference/android/view/View#setFilterTouchesWhenObscured(boolean)) for tapjacking protection automatically gain `accessibilityDataSensitive` benefits on Android 16+. This provides an instant additional layer of defense with no extra code:
+
+```xml
+
+
+```
+
+If your app already implements `filterTouchesWhenObscured` on sensitive views, you receive this protection automatically. However, explicitly setting `accessibilityDataSensitive` is recommended for clarity and to ensure protection even if `filterTouchesWhenObscured` is later changed.
+
+## Considerations and Caveats
+
+### Legitimate Accessibility Tools
+
+This protection can impact legitimate accessibility services like screen readers. Users relying on accessibility tools may experience degraded functionality on marked views unless the accessibility service declares `isAccessibilityTool="true"`.
+
+- **Testing**: Test your app with popular accessibility tools (TalkBack, Voice Access) to ensure they can still function properly with marked views.
+- **User Communication**: If certain views must be marked sensitive for security, consider providing alternative accessible pathways or clear user guidance.
+
+### API Level Compatibility
+
+The `accessibilityDataSensitive` attribute is only available on Android 16 (API level 35) and higher. On older devices:
+
+- The attribute is ignored; the app functions normally without this protection
+- Consider using `filterTouchesWhenObscured` for broader compatibility against overlay attacks
+- Implement defense-in-depth by combining multiple security measures
+
+### Granularity
+
+Apply the attribute judiciously:
+
+- **Too Broad**: Marking entire screens reduces accessibility for users who need it
+- **Too Narrow**: Missing critical views leaves security gaps
+
+Focus on views that directly handle or display sensitive data, not general UI chrome.
+
+### View Hierarchy
+
+The `accessibilityDataSensitive` attribute can be inherited through the view hierarchy when using `View.ACCESSIBILITY_DATA_SENSITIVE_AUTO`. Plan your view structure to minimize repetition while ensuring comprehensive coverage.
+
+## References
+
+- [Android Developers Blog - Enhancing Android Security: Stop Malware with Accessibility Data Sensitivity](https://android-developers.googleblog.com/2025/12/enhancing-android-security-stop-malware.html)
+- [Android Security: Tapjacking Mitigations](https://developer.android.com/privacy-and-security/risks/tapjacking#mitigations)
+- [View.setAccessibilityDataSensitive](https://developer.android.com/reference/android/view/View#setAccessibilityDataSensitive(int))
diff --git a/demos/android/MASVS-PLATFORM/MASTG-DEMO-0083/MASTG-DEMO-0083.md b/demos/android/MASVS-PLATFORM/MASTG-DEMO-0083/MASTG-DEMO-0083.md
new file mode 100644
index 00000000000..1b3413de048
--- /dev/null
+++ b/demos/android/MASVS-PLATFORM/MASTG-DEMO-0083/MASTG-DEMO-0083.md
@@ -0,0 +1,72 @@
+---
+platform: android
+title: Detecting Accessibility Data Sensitivity in Layouts with semgrep
+id: MASTG-DEMO-0083
+code: [xml, kotlin]
+test: MASTG-TEST-0321
+---
+
+## Sample
+
+This sample demonstrates how to detect the use of `accessibilityDataSensitive` and `filterTouchesWhenObscured` attributes in Android layout files using Semgrep. The sample includes both properly protected views and views that lack protection.
+
+{{ activity_login.xml # MastgTest.kt }}
+
+### activity_login.xml
+
+The layout file contains several EditText fields for user credentials:
+
+1. `usernameField` - Has no protection (neither `accessibilityDataSensitive` nor `filterTouchesWhenObscured`)
+2. `passwordField` - Protected with `android:accessibilityDataSensitive="true"`
+3. `pinField` - Protected with `android:filterTouchesWhenObscured="true"` (which provides implicit accessibility protection on Android 16+)
+4. `creditCardField` - Protected with both `android:accessibilityDataSensitive="true"` and `android:filterTouchesWhenObscured="true"`
+
+### MastgTest.kt
+
+The Kotlin code demonstrates programmatic configuration of accessibility data sensitivity:
+
+1. Sets `accessibilityDataSensitive` on a button using the View API
+2. Checks the current state of `accessibilityDataSensitive` on views
+3. Sets `filterTouchesWhenObscured` which provides implicit protection
+
+## Steps
+
+Let's run our @MASTG-TOOL-0110 rule against the layout file and decompiled code.
+
+{{ ../../../../rules/mastg-android-accessibility-data-sensitive.yaml }}
+
+{{ run.sh }}
+
+## Observation
+
+The rule has identified:
+
+1. Views with explicit `accessibilityDataSensitive` attributes in XML
+2. Views with `filterTouchesWhenObscured` which provide implicit accessibility protection
+3. Programmatic calls to set or check accessibility data sensitivity
+4. Potentially sensitive input fields that lack any protection
+
+{{ output.txt }}
+
+## Evaluation
+
+Based on the Semgrep output:
+
+**Failures (views lacking protection):**
+
+- `usernameField` (line 12 in activity_login.xml): An EditText for username input lacks both `accessibilityDataSensitive` and `filterTouchesWhenObscured` protection. While usernames may be less sensitive than passwords, credential fields should generally be protected.
+
+**Passes (properly protected views):**
+
+- `passwordField` (line 23): Protected with `android:accessibilityDataSensitive="true"` - malicious accessibility services cannot read password input
+- `pinField` (line 34): Protected with `android:filterTouchesWhenObscured="true"` - gains implicit accessibility protection on Android 16+ while also preventing tapjacking
+- `creditCardField` (line 45): Protected with both attributes - defense in depth approach
+- `confirmButton` (line 18 in MastgTest.kt): Programmatically sets `ACCESSIBILITY_DATA_SENSITIVE_YES` for a payment confirmation button
+- Runtime checks (lines 22-23): The code properly checks current sensitivity settings
+
+**Recommendations:**
+
+1. Add `android:accessibilityDataSensitive="true"` or `android:filterTouchesWhenObscured="true"` to `usernameField`
+2. Consider using `filterTouchesWhenObscured` on all credential fields for broader protection across Android versions
+3. Review all payment and transaction confirmation buttons to ensure they are protected programmatically or in XML
+4. Test with legitimate accessibility tools (TalkBack, Voice Access) to ensure protected views remain accessible when needed
diff --git a/demos/android/MASVS-PLATFORM/MASTG-DEMO-0083/MastgTest.kt b/demos/android/MASVS-PLATFORM/MASTG-DEMO-0083/MastgTest.kt
new file mode 100644
index 00000000000..8c6c94562c3
--- /dev/null
+++ b/demos/android/MASVS-PLATFORM/MASTG-DEMO-0083/MastgTest.kt
@@ -0,0 +1,35 @@
+package org.owasp.mastestapp
+
+import android.os.Bundle
+import android.view.View
+import android.widget.Button
+import android.widget.EditText
+import androidx.appcompat.app.AppCompatActivity
+
+// SUMMARY: This sample demonstrates programmatic configuration of accessibility data sensitivity in Android.
+
+class MastgTest : AppCompatActivity() {
+
+ override fun onCreate(savedInstanceState: Bundle?) {
+ super.onCreate(savedInstanceState)
+ setContentView(R.layout.activity_login)
+
+ // PASS: [MASTG-TEST-0321] Programmatically set accessibility data sensitivity on a button
+ val confirmButton = findViewById