Google released the latest version of its Android mobile operating system on Monday, adding security features that it says will make it tougher for mobile device users to be subjected to “clickjacking” attacks that trick them into clicking on hidden or disguised user interface elements.
The company unveiled Android Version 2.3, also known as “Gingerbread,” on Monday along with the first phone running the new OS: the Nexus S, a co-development project between Google and Samsung. That phone features a 4″ display, support for gyroscope sensors, wireless Near Field Communication (NFC) and improved keyboard and copy/paste controls. Among the new features, however, Google also introduced support for so-called “touch filtering,” which prevents UI elements that control sensitive functionality from accepting input while they are obscured by other UI elements – a technique sometimes referred to as “clickjacking” in the world of Web security.
The Gingerbread update is the first major release since May, when Version 2.2, dubbed “FroYo,” came out. The new version is optimized for game developers, allowing the smoother animation, increased responsiveness and better input handling needed by high-speed mobile games. For games that use motion processing, there’s support for gyroscopes and other kinds of physical sensors. Gingerbread will also add support for the open video standards VP8 and WebM, and for AAC and AMR Wideband audio encoding, according to Google.
On the security front, Google noted that new options for application developers will make it possible to prevent users from being tricked into enabling or disabling sensitive functionality. Touch filtering in 2.3 lets Android detect when a view that provides access to sensitive functionality is obscured or concealed by another UI element. A new attribute, filterTouchesWhenObscured, when enabled, discards touches that are received while the view’s window is obscured by another visible window, according to a description of the feature in the Android Developer’s Reference. “As a result, the view will not receive touches whenever a toast, dialog or other window appears above the view’s window,” the Reference reads.
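The following is an added example, not code from the article or from Google: a button guarding a sensitive action that enables the 2.3 touch filtering described above, and additionally logs any touch the framework drops because the window was obscured. The class name GuardedButton is hypothetical; setFilterTouchesWhenObscured, onFilterTouchEventForSecurity and MotionEvent.FLAG_WINDOW_IS_OBSCURED are the Android APIs introduced for this feature.

```java
// Added example (not from the article or the Android docs): a confirmation
// button for a sensitive action that refuses touches delivered while another
// window (toast, dialog, overlay) covers its own window.
import android.content.Context;
import android.util.AttributeSet;
import android.util.Log;
import android.view.MotionEvent;
import android.widget.Button;

public class GuardedButton extends Button {
    private static final String TAG = "GuardedButton";

    public GuardedButton(Context context, AttributeSet attrs) {
        super(context, attrs);
        // Programmatic equivalent of the layout attribute
        //   android:filterTouchesWhenObscured="true"
        // Once set, the framework discards touches that arrive while this
        // view's window is obscured by another visible window.
        setFilterTouchesWhenObscured(true);
    }

    // The framework calls this before onTouchEvent(); returning false drops
    // the event. The default implementation already performs the filtering
    // enabled above, so this override only adds a log line so a developer
    // (or a tester reproducing an overlay attack) can see the drop happen.
    @Override
    public boolean onFilterTouchEventForSecurity(MotionEvent event) {
        boolean obscured =
                (event.getFlags() & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0;
        boolean allowed = super.onFilterTouchEventForSecurity(event);
        if (obscured && !allowed) {
            Log.w(TAG, "Dropped touch: window was obscured when it arrived");
        }
        return allowed;
    }
}
```

The filtering applies only to this view, so every control that commits a sensitive action (confirm payment, grant permission) needs the attribute set individually; the log line lets a tester verify the drop by placing a toast or dialog over the button and tapping through it.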
Clickjacking – the practice of fooling users into compromising the security of their Web session – is a well-known phenomenon on the Web. The phrase was first coined in 2008 by security researchers Jeremiah Grossman of Whitehat Security and Robert Hansen. A common clickjacking attack might involve the use of JavaScript to create an invisible button that lies on top of an otherwise innocuous-appearing button or graphical element. When the user goes to click on the visible GUI element, she unwittingly clicks on the hidden element. In one demonstration, a clickjacking attack launched from a simple, Web-based game was used to give an attacker access to the local user’s webcam and microphone. However, clickjacking attacks aren’t yet common in the fast-evolving world of mobile applications and attacks. Still, as use of mobile applications increases, platform vendors and security consultants are worried that more Web-based attacks will migrate to the mobile Web, even as mobile applications fall into the crosshairs of organized online criminal groups. Many of these applications, including those developed for major banks and online payment organizations, are in need of better security auditing, according to recent reports.