Adding Tapjacking classification to VRT #79

Closed
csimas1 opened this issue Aug 28, 2017 · 1 comment

csimas1 commented Aug 28, 2017

Tapjacking can be a serious vulnerability, but falls within a very limited scope with protections both client and server side. Our entry should communicate a low score consistent with the scope and protections.

Tapjacking is a vulnerability exclusive to Android devices & certain Android OS versions. The vulnerability allows an attacker to place a transparent frame over the victim's device. While the victim believes he is interacting with the UI he sees, his clicks are being transmitted to the device, performing actions predetermined by the attacker.
An attacker could trick a victim into enabling/disabling specific settings or, in a severe case, trick the victim into downloading malware.

Potential Classification:
Mobile App Misconfiguration -> TapJacking -> Sensitive Action (P5)
Mobile App Misconfiguration -> TapJacking (P5)

Mobile App Misconfiguration is not currently a category, so this would mean adding a new one.

As you can see, there's a proposed classification without "Sensitive Action." This is because, as far as I can tell, the severity is limited by the attacker's skill & intent. Therefore researchers won't need to add a working POC, only demonstrate the protective flags are not in place.

All feedback is welcome.

plr0man added this to the v1.3 milestone Aug 29, 2017

plr0man commented Aug 30, 2017

As discussed internally this will be implemented as Mobile Security Misconfiguration -> Tapjacking (P5)
Tapjacking has been deemed P5 - Informational due to multiple prerequisites, mainly the need of being performed on an unpatched Android Marshmallow or earlier unsupported versions.
