
Fixed in Unity 2017.2




[Android] Apps can be tapjacked




Priority: 3 (Not yet prioritized for a release)

Severity: 2 (No workaround)

Android security issue:
All views (e.g. GLSurfaceView) in the UnityPlayerActivity should have .setFilterTouchesWhenObscured(true) set; otherwise, an attacker application can invisibly record all touch input to the Unity application without the user knowing.

How to reproduce:
1. Open the QA-attached project
2. Build to device
3. Start the Android Studio project and run it
4. In the built app, press Start (it will launch the Unity project)
5. Click on the droids in the app

Expected result: The input is registered on the top layer
Actual result: The touches pass through the Android “Toast” window and go to the Unity app

Reproduced on: 5.4.5p1, 5.5.1f1, 5.5.3p1, 5.6.0f3, 2017.1.0b1

Reproduced with:
Google Galaxy Nexus*, OS:4.3, CPU:armeabi-v7a, GPU:PowerVR SGX 540
Samsung S5 Neo SM G903F*, OS:6.0.1, CPU:armeabi-v7a, GPU:Mali-T720
Google Nexus 5X*, OS:7.1.1, CPU:arm64-v8a, GPU:Adreno (TM) 418

Fixed in: 2017.2.0a1
Backported to: 5.4.5p3, 5.5.4p1, 5.6.1p2, 2017.1.0b6
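
A sketch of the hardening the description asks for, written as plain Android Java. It is an added example, not Unity's fix and not code from this report. The class name TouchFilteredActivity is hypothetical, and using UnityPlayerActivity as the base class in a Unity project is an assumption.

```java
import android.app.Activity;
import android.os.Bundle;
import android.view.MotionEvent;
import android.view.View;
import android.view.ViewGroup;

// Hypothetical class name. Assumption: a Unity project would extend
// UnityPlayerActivity here instead of Activity.
public class TouchFilteredActivity extends Activity {

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // Cover every view the base class has created so far.
        filterObscuredTouches(getWindow().getDecorView());
    }

    @Override
    public void onWindowFocusChanged(boolean hasFocus) {
        super.onWindowFocusChanged(hasFocus);
        // Walk again: rendering surfaces may be attached after onCreate().
        if (hasFocus) {
            filterObscuredTouches(getWindow().getDecorView());
        }
    }

    /** Sets filterTouchesWhenObscured on a view and all of its descendants. */
    static void filterObscuredTouches(View view) {
        view.setFilterTouchesWhenObscured(true);
        if (view instanceof ViewGroup) {
            ViewGroup group = (ViewGroup) view;
            for (int i = 0; i < group.getChildCount(); i++) {
                filterObscuredTouches(group.getChildAt(i));
            }
        }
    }

    @Override
    public boolean dispatchTouchEvent(MotionEvent event) {
        // Activity-level backstop. The framework sets this flag when another
        // visible window sits above this one at the touch location, so the
        // event is dropped even for views added after the last walk.
        if ((event.getFlags() & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0) {
            return true; // consume without delivering it to any view
        }
        return super.dispatchTouchEvent(event);
    }
}
```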
