Gingerbread to Protect Against Malicious Tapjacking


Among the less visible upgrades coming in Android 2.3, we’ve now learned that Google has implemented a fix for a potentially nasty security vulnerability that could otherwise trick you into performing actions on your phone without realizing it.

The vulnerability is known as tapjacking: you think you’re tapping on one thing, but as far as the apps and Android are concerned, your input is being delivered somewhere else. Since you don’t know what you’re actually doing, an app exploiting tapjacking could fool you into buying apps, approving transactions, or pretty much anything else where a tap on the screen serves as confirmation.

The problem lies in the ability of any app to display pop-up “Toast” notifications. A Toast is drawn on top of whatever else is on screen, but it does not accept touch input, so while you see the Toast, your taps pass straight through it to whatever window is underneath. By crafting Toasts that look like something you’d want to press, and positioning them over the controls it actually wants you to hit, a malicious app can lead you through any sequence of taps it chooses. In a demonstration, Lookout Mobile Security, which discovered the flaw, showed how an app that purports to be a game can get you to enable installation of apps from outside the Android Market in just a few seconds.

Google’s fix lets developers lock down individual controls in their apps (through the new filterTouchesWhenObscured setting on a View) so that touches are discarded while another window, such as a Toast, is covering them. That’s well and good for apps written with the new feature in mind, but it would have been nicer had the protection not been opt-in. That is, touches arriving under an overlay should be dropped by default, unless a programmer specifically wants a control to keep accepting them.
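The opt-in protection described above, as an added example that is not code from the article or from Lookout: a screen with a single “Confirm” button that refuses any touch delivered while its window is obscured by another window. The class name ConfirmActivity, the package name, the log tag and the performSensitiveAction() body are assumptions made for illustration; the API calls (View.setFilterTouchesWhenObscured, View.onFilterTouchEventForSecurity and MotionEvent.FLAG_WINDOW_IS_OBSCURED) are the ones Android 2.3 (API level 9) introduced.

```java
// Added example (not from the article or from Lookout): the Android 2.3
// tapjacking mitigation applied to one sensitive button.
// Assumed for illustration: package name, ConfirmActivity, TAG and the body
// of performSensitiveAction().
package com.example.tapjacking;

import android.app.Activity;
import android.os.Bundle;
import android.util.Log;
import android.view.MotionEvent;
import android.view.View;
import android.widget.Button;

public class ConfirmActivity extends Activity {

    private static final String TAG = "ConfirmActivity";

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);

        Button confirm = new Button(this) {
            // The framework performs the obscured-window check inside
            // onFilterTouchEventForSecurity() once filterTouchesWhenObscured is
            // set. Overriding it lets us see (and log) each dropped touch;
            // returning false discards the event before any click is generated.
            @Override
            public boolean onFilterTouchEventForSecurity(MotionEvent event) {
                boolean allowed = super.onFilterTouchEventForSecurity(event);
                if (!allowed) {
                    boolean obscured =
                            (event.getFlags() & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0;
                    Log.w(TAG, "Dropped touch while window obscured=" + obscured
                            + " (possible tapjacking attempt)");
                }
                return allowed;
            }
        };
        confirm.setText("Confirm purchase");

        // Opt-in mitigation (API 9+): touches that arrive while another window,
        // such as a Toast, overlaps this view are discarded instead of delivered.
        // XML equivalent on the <Button>: android:filterTouchesWhenObscured="true"
        confirm.setFilterTouchesWhenObscured(true);

        confirm.setOnClickListener(new View.OnClickListener() {
            @Override
            public void onClick(View v) {
                // Only reached for touches that were not filtered above.
                performSensitiveAction();
            }
        });

        setContentView(confirm);
    }

    private void performSensitiveAction() {
        // Placeholder for the action worth protecting: a purchase, a
        // permission grant, a settings change, and so on.
    }
}
```

Two caveats a practitioner should keep in mind. The setting is per view, not per app, so every control that confirms something sensitive needs it; a single unprotected button is enough for the attack. And the flag only reports that some other window overlapped the touched window at the moment of the touch, which is exactly the Toast case the article describes; it does not tell you what that window was.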

So far, there are no reports of anyone using the vulnerability in the wild.

Source: Lookout

About The Author
Stephen Schenck
Stephen has been writing about electronics since 2008, which only serves to frustrate him that he waited so long to combine his love of gadgets and his degree in writing. In his spare time, he collects console and arcade game hardware, is a motorcycle enthusiast, and enjoys trapping blue crabs. Stephen's first mobile device was a 624 MHz Dell Axim X30, which he's convinced is still a viable platform. Stephen longs for a market where phones are sold independently of service, and bandwidth is cheap and plentiful; he's not holding his breath. In the meantime, he devours smartphone news and tries to sort out the juicy bits.