NoScript security tool released for Android, Maemo

The mobile version of the Firefox extension includes protection for cross-site scripting attacks and clickjacking

The developer of the widely used Firefox extension NoScript has released a version for the Android and Maemo operating systems.

NoScript is a security tool that can be used to block the execution of JavaScript, Java, Flash, and plugins by websites that are viewed as being potentially malicious. Many Web-based attacks on computers are initiated by JavaScript.

[ Learn how to manage iPads, iPhones, Androids, BlackBerrys, and other mobile devices in InfoWorld's 20-page Mobile Management Deep Dive PDF special report. | Keep up on key mobile developments and insights via Twitter and with the Mobile Edge blog and Mobilize newsletter.

NoScript's developer, Giorgio Maone, wrote on his blog on Saturday that porting the application for Firefox on Android and Maemo was not easy, as it was a full rewrite of the extension, and "there's still a lot of work ahead."

The mobile version, called NoScript 3.0a8, includes protection against cross-site scripting attacks, in which a script drawn from another website is allowed to run that shouldn't. Cross-site scripting can allow an attacker to steal information or potentially cause other malicious code to run.

It also can block "clickjacking," another kind of attack where a user is tricked into clicking on certain parts of a Web page with hidden buttons that perform malicious actions. Those hidden buttons are delivered by an invisible iframe, which is a window that brings other content into the target website.

In 2008, researchers Robert Hansen and Jeremiah Grossman discovered a clickjacking attack involving Adobe Systems' Flash application that could give remote access to a victim's Web camera and microphone.

There are around 1,000 pieces of malware circulating for mobile devices, which pales in comparison to malware built for Windows desktop operating systems. But security analysts predict that mobile phones will increasingly be attacked for the sensitive data stored on the devices.

The NoScript mobile version shares many of the same functions as the desktop one. For example, users can built an "easy blacklist," where they select untrusted sites on which JavaScript and plugins should be blocked. Another option is the "classic whitelist," where sites that are trusted are added to a list that NoScript doesn't block.

Maone wrote that NoScript does not require the browser to be restarted after updates are installed, which "means that hot fixes for new security threats can be deployed in a more effective, timely, and convenient way."