Among the less visible upgrades coming to Android 2.3, we’ve now learned that Google’s implemented a fix against a potentially nasty security vulnerability that could otherwise trick you into performing actions with your phone you’re not aware of.
The vulnerability is known as tapjacking, where you think you’re tapping on one thing, but as far as apps and Android are concerned, your input is being directed elsewhere. Since you don’t know what you’re actually doing, an app taking advantage of tapjacking could fool you into buying extra apps, approving transactions, or pretty much anything else where you’d tap the screen to confirm.
The problem lies in the ability for apps to generate pop-up “Toast” notifications, which appear in the foreground, obscuring other apps. While you see the Toast, your taps go straight through it to whatever’s underneath. By specially crafting Toasts to look like something you’d want to press, a malicious app can lure you through any series of taps it chooses. In a demonstration, the team at Lookout security which discovered the flaw showed how an app that purports to be a game can lead you to enable installation of non-Marketplace apps in just seconds.
Google’s fix allows developers to lock-down their apps, so that input is disabled while a Toast is on top. While that’s well and good for future apps, it would have been nice for the feature not to be opt-in. That is, if Google made Toasts disable all inputs unless a programmer specifically didn’t want his app to behave like that.
So far, there are no reports of anyone using the vulnerability in the wild.