NoScript for Android aims at rampant risks for mobile users

Malware that depends on Java can attack smartphones running Java, not just PCs.

A version of the wildly popular, free, open-source Firefox extension NoScript, which is designed to stop potentially harmful scripts written in Java, Flash and other browser plugins from running without the user's permission, has been released to do the same for Firefox on Android smartphones and tablets.

NoScript is one of half a dozen security and privacy apps consistently cited as a must-have extension by both users and security experts.

Android is currently the hottest target on the market for malware writers, but has far fewer security and anti-virus apps designed for it than Windows. That, combined with the amount of information routinely collected and badly protected by Android apps, and the unpredictable security of the networks Android users connect to as they wander, makes any credible security app for Android worth a look.

The first bit of malicious software specifically written for smartphones was aimed at Android, according to researchers at Trend Micro, who found it earlier this month. Rootkits, viruses aimed at applications, malicious Java scripts and other general-purpose malware can often attack a device running Android without any special customization or changes as well, according to Trend Micro.

By default, NoScript stops scripts from running on any web page not specifically whitelisted as trustworthy. It also stops clickjacking attempts by default, and blocks cross-site-scripting (XSS) attacks, one of the most insidious ways of either spreading malware or attaching persistent tracking to a particular browser: the user lands on a web site that appears to be clean of viruses or adware, but which contains scripts that download and launch malware from other sites while the page is displayed.

It also contains an Application Boundaries Enforcer (ABE) component designed to prevent malware launched in one browser window from corrupting web apps the user is signed in to, and to block cross-site request forgery (CSRF) attacks – an attack similar to XSS except that the malicious code travels from the user to a web site rather than the other way around.

The newest version also includes a Click to Play function that keeps any audio or video from running unless the user clicks permission, a Full Protection setting that stops scripts on even trusted sites and a more detailed permissions function that lets users allow Java from each of two sites but block Flash on one, for example, or limit the pages on which particular scripts can run.

The port to Android was tricky because it is the first version of NoScript to run all its major security features on a mobile OS, according to Giorgio Maone – author of both NoScript and FlashGot, another popular Firefox extension.

That meant completely rewriting internal code that Maone had been able to tweak, patch or add to in earlier versions. The result is the opportunity to merge the mobile and desktop versions of NoScript into a more elegantly written, less patchy edition, though the work involved is daunting, according to Maone's blog entry announcing NoScript 3.0a8 for mobile devices.

Two major feature additions: NoScript now lets users sync their settings between a PC and a mobile device, or among mobiles, and it downloads and installs updates without forcing a restart of the browser. That makes it much more of a fire-and-forget experience, at least for users of Firefox Sync – an add-on that has been merged into the base code of Firefox to make it easier to sync history, bookmarks, passwords and open URLs between devices, connecting through Mozilla's synchronization servers.

The desktop and mobile versions of NoScript are free, but Maone is happy to take donations from either the NoScript download site or his blog.

Read more of Kevin Fogarty's CoreIT blog and follow the latest IT news at ITworld. Follow Kevin on Twitter at @KevinFogarty. For the latest IT news, analysis and how-tos, follow ITworld on Twitter and Facebook.
