Dec 7, 2010 18:04 GMT

The newly released 2.3 version of the Android mobile operating system contains a security enhancement aimed at protecting users against UI redressing attacks.

Commonly referred to as clickjacking, these attacks use various techniques to hide user interface elements and superimpose them onto others with the purpose of hijacking clicks.

For example, on websites this can be achieved by creating a transparent button and using JavaScript to attach it to the mouse pointer, or position it on top of another button.

Therefore, when users click on the page expecting to perform a certain action, they actually hit the hidden button and trigger an unauthorized one.

Android 2.3, codenamed “Gingerbread,” was launched on Monday along with a new Nexus S phone from Samsung.

In addition to many functionality enhancements and bug fixes, the new version introduces a touch filtering mechanism.

Called setFilterTouchesWhenObscured(), the new method discards touches if it detects that a view is obscured by another visible window.

“Sometimes it is essential that an application be able to verify that an action is being performed with the full knowledge and consent of the user, such as granting a permission request, making a purchase or clicking on an advertisement,” the Android team writes in the developer reference manual.

“Unfortunately, a malicious application could try to spoof the user into performing these actions, unaware, by concealing the intended purpose of the view,” they explain.
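As an added illustration (not code from the article or from the Android team), this is how an app would apply the touch filter described above to a sensitive button and log the touches it rejects. The class name ConfirmPurchaseButton is hypothetical; setFilterTouchesWhenObscured(), onFilterTouchEventForSecurity() and MotionEvent.FLAG_WINDOW_IS_OBSCURED are the real Android 2.3 (API level 9) APIs.

```java
// Added example, not from the article: a purchase-confirmation button that
// drops touches delivered while another visible window overlaps it.
import android.content.Context;
import android.util.Log;
import android.view.MotionEvent;
import android.widget.Button;

public class ConfirmPurchaseButton extends Button { // hypothetical class name

    public ConfirmPurchaseButton(Context context) {
        super(context);
        // Same effect as android:filterTouchesWhenObscured="true" in layout XML:
        // the framework discards touches while this view is obscured by another
        // visible window (the Android 2.3 mechanism described in the article).
        setFilterTouchesWhenObscured(true);
    }

    @Override
    public boolean onFilterTouchEventForSecurity(MotionEvent event) {
        // The system sets FLAG_WINDOW_IS_OBSCURED on events that arrive while a
        // window belonging to another app covers this view. The default
        // implementation already rejects them when filtering is enabled; this
        // override additionally records the rejection so the app can notice a
        // possible overlay and, for example, warn the user or abort the flow.
        boolean obscured = (event.getFlags() & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0;
        if (obscured) {
            Log.w("ConfirmPurchaseButton",
                  "Touch rejected: view is obscured by another window");
            return false; // do not dispatch this touch to the click handler
        }
        return super.onFilterTouchEventForSecurity(event);
    }
}
```

The XML attribute alone gives the same protection; the override matters only when the app wants to react to a rejected touch rather than silently ignore it.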

UI redressing techniques have been known for many years in security circles, but they were treated as a mostly theoretical problem.

This changed in 2008 when well-known Web security researchers Jeremiah Grossman and Robert Hansen publicized new and practical attack vectors based on this concept.

Since then, multiple clickjacking incidents have been observed in the wild, particularly in attacks on social media websites like Twitter or Facebook.