October 18, 2011, 3:48 PM — A version of the wildly popular, free, open-source Firefox extension NoScript, which is designed to stop potentially harmful scripts written in Java, Flash and other browser plugins from running without the user's permission, has been released to do the same for Firefox on Android smartphones and tablets.
NoScript is one of half a dozen security and privacy apps consistently cited as a must-have extension by both users and security experts.
Android is currently the hottest target on the market for malware writers, but has far fewer security and anti-virus apps designed for it than Windows. That, combined with the amount of information routinely collected and badly protected by Android apps, and the unpredictable security of the networks available wherever Android users wander, makes any creditable security app for Android worth a look.
The first bit of malicious software specifically written for smartphones was aimed at Android, according to researchers at Trend Micro, who found it earlier this month. Rootkits, viruses aimed at applications, malicious Java scripts and other general-purpose malware can also often attack a device running Android without any special customization or changes, according to Trend Micro.
Set by default to stop scripts running on web pages not specifically whitelisted as being trustworthy, NoScript also stops clickjacking attempts by default and blocks cross-site scripting attacks. Those attacks are one of the most insidious ways of either spreading malware or adding persistent tracking to a particular browser: the user hits a web site that appears to be clean of viruses or adware, but contains scripts that will download and launch malware from other sites while the page is displayed.
It also contains an Application Boundaries Enforcer component designed to prevent malware launching in one browser window from corrupting web apps the user is signed in to, and to block cross-site request forgery (CSRF) attacks – an attack similar to cross-site scripting (XSS) except the malicious code is going from the user to a web site rather than the other way around.
The newest version also includes a Click to Play function that keeps any audio or video from running unless the user clicks to give permission, a Full Protection setting that stops scripts on even trusted sites, and a more detailed permissions function that lets users allow Java from each of two sites but block Flash on one, for example, or limit the pages on which particular scripts can run.