WEBSITE AND SMARTPHONE SECURITY: TAPJACKING, FRAMING, AND GEO-LOCALIZATION ATTACKS
NIAN NAJM ABDULLAH
Network Department, Sulaimani Polytechnic University, Iraq
E-mail: nian.najim@spu.edu.iq
ABSTRACT
This research article discusses tap-jacking, router attacks and the concept of geo-localization. The main issues, the significance of these topics and the approaches taken against them are discussed. Among all the approaches, frame busting by means of the X-FRAME options header and by JavaScript was found to be the most effective. Attacks on routers and mobile phones are discussed with suitable recommendations and examples.
Keywords: web security, tap-jacking, website router attacks, geo-localization, X-FRAME
1. INTRODUCTION
The aim of this research article is to understand the issues and challenges in website and online security, and the way routers and smartphones are changing how people communicate over a larger network of servers. Along with the advance of the internet and information technology, the issue of attacks also comes to the forefront. These attacks are mostly virtual, but they have the ability to affect a large area of the internet and of computer networks. It has often been observed that the way people behave over the internet leaves them vulnerable to attacks which can cause losses of millions in currency and render most internet servers susceptible to dangers from potential phishers and hackers.

As the online world has virtually shrunk into the palm of our hands, there have been instances when the framing packets, as well as the routers through which data is transferred over layers in devices and servers, are the most affected. The concepts of tap-jacking and geo-localization attacks have been troubling smartphones and home routers for a long time. Tap-jacking refers to screen overlays on smartphones which have the ability to gain important information and lead users to 'tap' onto fake passwords. A geo-localization attack happens when the Wi-Fi password of both the router and the smartphone hotspot is affected by a malicious threat. With location history kept on and through the tracking of GPS, such attacks are carried out by hackers and potential online villains. Therefore, through this research article, the issues of framing attacks on website security, tap-jacking on Android phones and geolocation vulnerabilities are discussed with the proper approach, results, methods and examples.

2. THE ISSUE & RELATED WORKS
Website framing attacks are one of the most serious issues that need to be evaluated and resolved to gain better internet security. Most of the vulnerable attacks that occur on websites are termed click-jacking. Framing attacks happen when a malicious website frame opens and the victim is tempted to click on it or open it in the browser. This is carried out during iframing of websites, which allows external malicious sources to be embedded in the HTML source (Marforio et al., 2016). This issue can seriously hamper connectivity to the internet and thus the loading of websites. The user will face multiple issues on opening the malicious frame, which in turn gives the hacker control over the website the user is logging in to.

Thus hackers are now well aware that injecting the frame lining or frame busting is only applicable or possible with recently launched iPhones and Android smartphones, and will have no impact on older phones. Frame busting and geo-localization techniques can only be accessed on Android-based smartphones, so cyber security should be highly encrypted and protected against such attacks.

Rather than click-jacking, tap-jacking in mobile handsets also has devastating effects. Tap-jacking not only gets access to the smartphone browser, but it can also have a wider impact on the total security of the internet connectivity of the smartphone.

Website linking and framing allow a user to view and access the contents of other websites, which surely circumvents the legal rights and trademarks of those websites (Wu et al., 2016). Every website and internet communication link has its own certification and copyrights, which cannot be misused or mishandled in any way. The routers we use at home actually act as dumb routers, because they have no internal protection technique which could help against framing attacks.

The Wi-Fi routers used these days are vulnerable to UI redressing attacks, mainly tap-jacking, which can expose the secret WPA key of the router and enable the hacker to gain access to the same Wi-Fi router. Several approaches have been taken to ensure that the cyber security system prevents such malicious activities. Opera Mini is a JavaScript-enabled mobile browser, but there is still very little chance of stealing the contents of the browser by any external means, mainly XSS attacks (Felt et al., 2016). Stealing or hacking via internet sources, or even by implementing an application, is always illegal, and thus every single person should know the impact of being exposed on another computer without their permission.

Thus the victim routers face a number of challenges in addressing the malicious attacks that take place in the routers. The most common issue that our home routers face is surely the location processing of the victim, which is termed geo-localization attacks. Geo-localization attacks do not happen only on home-based routers; they have a significant impact on smartphones as well. Smartphones also have the common GPS location application, which can be used and hacked by the UI redressing technique to gain access to the victim's area easily. Graphical inlining is also a major issue, which actually occurs when hackers insert a link to hack the webpage of a user. This helps the hacker to view the graphical content of the victim's webpage as well. These attacks thus allow one to have full access to any website and even the smartphone of any user, who may even be a high-ranking authority of the nation.

3. THE PAPER SIGNIFICANCE AND CONTRIBUTION
Recent studies of popular websites show that only a few of them use frame busting methods to protect themselves from any kind of framing attack. This research article studies the approach of framing attacks on mobile phones, precisely smartphones, and on the routers of home users. It is observed after studying the approach that smartphones and home routers are more susceptible to attacks from malicious sources than public domains or regular web browsers. It is also discussed how Facebook and a few other well-known social sites have adopted approaches to protect themselves from framing vulnerabilities, but in another way leak user information, thus attacking the very basis of privacy (Niemietz & Schwenk, 2017).

The issues of tap-jacking and geo-localization will always have a devastating impact on current website security. Since the evolution of the smartphone, the JavaScript-enabled system was not processed. The absence of JavaScript embedding actually helps the smartphone remain protected from frame busting and other attacks (San Lim et al., 2016).

Websites are the major storefront and the most effective channel of communication with customers for any business body. Thus, a lack of awareness of webpage security could allow others to manipulate their webpage with vulnerable applications. The importance of website security is reflected in every stage of this article, and the methods are clearly discussed in the article.

4. THE APPROACH OF THE SOLUTION
The recent approaches which have been used to protect websites and social sites from tap-jacking and geolocation attacks are frame busting. Although most websites rarely use this technique, frame busting is known to help websites avoid being attacked. The frame busting technique can be enabled by a simple JavaScript technique, but the catch is that it will not work if users have JavaScript disabled. Using the X-FRAME options and denying attributes via Internet Explorer can help in removing framing vulnerabilities. Although the X-FRAME approach is highly effective in removing framing mishaps through HTTP response values like DENY and SAMEORIGIN, it has certain limitations as well (Niemietz & Schwenk, 2017).

The limitations are as follows:
• If the person is not using any frames, then this approach will not work.
• The policy for frame busting needs to be specified for each web page when logged in from a web browser. This step can complicate issues, and there should be a mechanism which provides frame busting for the complete site.
• Proxies are infamously known for removing and adding HTTP headers. If any web-based proxy removes the X-FRAME options header, then the site becomes susceptible to attacks.
• If a site has multiple domains and hostnames, then they have to be whitelisted so that the frames can be protected. Currently, there are no resources for whitelisting domain names, and therefore the user has to use different domain names each time he or she logs in.

5. EXPECTED RESULTS
The expected results for the survey and approaches undertaken for the prevention of tap-jacking and geolocation attacks are several. Over time, information technology and communication gaps have been reduced, and the vulnerabilities in online networks and servers have been severe. These attacks range from ransomware, phishing and cryptocurrency attacks to malicious hacking of government and private sector websites. Not even Facebook, the largest social media networking site, could prevent itself from being framed and hacked. Although Facebook adopted a frame busting defence by placing a transparent 'div tag' over the page, which caused the top window to load the main site, attackers might still gain private information about users by removing the headers and framing a fake web address (Luo et al., 2017).

It was observed that fourteen per cent of the top websites in the Alexa ranking engage in a certain kind of frame busting which protects them from tap-jacking and geolocational attacks. The problem is that frame busting is used only on desktop sites and not on mobile sites. On mobile sites, tap-jacking requires a browser, frames and JavaScript to work efficiently (Possemato et al., 2018).

The Android web browser is a prime target for tap-jacking as it has opacity, scaling, meta tags and iframes, which make it susceptible to attacks from malicious groups or individuals. Surprisingly, it was seen that Opera Mini had a defence against tap-jacking and geolocational attacks even while having JavaScript and frames, as it uses a proxy system which renders web pages faster. It was seen that even traditional click-jacking was not possible on Opera Mini. Tap-jacking through toast views was more or less not seen, as the attacker is not able to redress the user interface (Alepis & Patsakis, 2017).

Other approaches used by researchers to test attacks on websites and smartphones are the use of a scrolling technique, where certain hash tags were used to expose the information of the framed webpage. Using dynamic scrolling and turning off navigation, attackers generally engage in tap-jacking. Use of JavaScript enables the attacked frame to be busted, but the problem is that in many cases there have been several bugs and gaps in the JavaScript code which have made privacy issues a concern. Geolocation attacks can be prevented by removing location history and not granting location permissions to applications from unknown sources (AlJarrah & Shehab, 2016).
6. MATERIALS AND METHODS TO SOLVE THE ISSUE
The Internet is important in the world, but it can be dangerous in many ways. Nowadays, a lot of financial dealings are networked and communicated over internet platforms. Cyber security will thus be in focus in order to prevent any unwanted authorization of third-party users, who can create severe problems in the overall communication. The most probable reason that internet security is under scrutiny is the hacking of the important internet websites of many business owners, allowing hackers to steal the information and expose the business site to the public (Napitupulu, 2017).

To address these issues, several effective methods are used by business platforms and website owners to stop further problems in the process. Mostly, framing plays an important role in exposing the contents and information of a website to get an entry for hackers. Even servers and networks are not used in these stealing methods, so the hosts of the sites must ensure high security beside the developed infrastructure for better functionality of the website. Content Delivery Networks (CDNs) are used to accelerate and smooth the operations of websites and also increase the reliability of the website (Okhravi et al., 2015). The Windows firewall and various protective shields are implemented to prevent unwanted malicious activities on websites.

In between framing attacks, and considering methods of frame busting to prevent tap-jacking, there is also the issue of protecting home routers and other mobile and computing devices, which function as part of a larger population who use computer and internet networks from the comfort of their homes and yet are equally vulnerable to attacks from malicious hackers and phishers (Gharaibeh et al., 2017). Routers are susceptible to attacks from XSS injection and framing, which enable the attacker to detect the physical location of the router and thereby use the data from there in malicious activities like terrorism or other criminal acts (Gharaibeh et al., 2017).

Methods used to create barriers to tap-jacking are:

1. URL bar security by hiding: This process was actually known to have an impact on iPhones, where it is used to stop other users from tracking and using the application without the main user's consent. The URL address is hidden with the code of a programme implemented on the address bar of the victim's website (Bauer et al., 2016). This process efficiently prevents further click-jacking of the smartphone.

2. Frame busting: This method is a well-known technique used to prevent framing and click-jacking by hackers on our systems. The method is applicable to every website where there is a chance of the website being loaded in various sub-frames, thus creating a problem for the user. The most effective way to handle the issue is to disable JavaScript on the smartphone. Disabling JavaScript helps the user to encrypt the information and the contents of the site precisely and does not allow external hackers to steal the information easily (Pawade et al., 2016).

3. X-frame implications: Internet Explorer is no longer designed with JavaScript inability, which is surely one of the best-modified ways to prevent any further problem on the website. The procedure helps in disallowing frames from opening or occurring altogether, which is a suitable way to access any information exchange through the internet these days. Besides Internet Explorer, it is noticeable that Mozilla Firefox has also implemented the same techniques and prevents further click-jacking or framing issues in sites.

4. Better host provider: Just as there is always a requirement for a trusted foundation when building a house, the host provider serves as the foundation for sites for better performance. As of now, websites are becoming the most vital way to

There are seven ways in which routers are vulnerable to attackers, as stated by researchers like Gourdin and Boneh. The first step involves fingerprinting the browser used by the victim. The gaps or misses in any web browser therefore need to be removed in order to prevent routers from being framed and attacked by location tracking (Rydstedt, Gourdin, Bursztein & Boneh, 2010). The methods used by attackers are advanced and less identifiable; therefore browsers, servers and computing devices need to have a foolproof defence mechanism to protect their privacy from being leaked. Scanning the LAN, authenticating its password and type of key, and then logging in to the router form the second, third and fourth steps by which the router is attacked (Wang & An, 2018).

In the fifth step, the XSS payload is injected into the router, which frames it. The sixth step involves extracting the Wi-Fi address and MAC code, and the last step involves the geo-localization of the router via Mozilla's location-finding protocol. Improving security patches, disabling the UPnP component and introducing a web-conscious socket can help in preventing such attacks. Modern browsers use updated Flash versions that have a web service API that protects routers from getting geo-localized and tap-jacked (Wang & An, 2018).
7. KEY RESULTS
The key results from the overall research article state that there were certain bugs which exposed Android phones and iPhones to tap-jacking attacks. It was also observed by a researcher named Stamm that routers can give way to cross-site forgeries, which can result in the hacking of a home or office network. It was also observed that such vulnerabilities were more or less removed from modern routers, which have improved security and a frame busting key. The most trusted technique to detect the user's login was measured by a method known as the 'framing leak' attack. Also known as a timing attack, these kinds of attacks interfere with a router's authentication.

The methods highlighted above show what approaches are essential and how website owners should implement the steps for a better protection strategy. The effect of geo-location is included to show how GPS-enabled smartphones are in a vulnerable position with respect to threats and security. Geo-location allows hackers to find the victim's location, and information and contents based on that location are stolen easily.

Nevertheless, the problem in routers arises because of the same-origin policy, which does not really tell whether a user has been authenticated successfully. Routers using web forms are susceptible to attacks from cross-site request forgery. In the case of geolocation, once the attacker has any IP and MAC address, even Mozilla's protocol can be used for identifying the location of any user's computing or mobile device. To protect mobile and computing devices from location attacks, the geo-tagging option should be kept off. Users should keep in mind not to share their location over public networks, nor with unknown and doubtful applications.

8.
9. SUMMARY AND CONCLUSION
This paper reflects a noteworthy susceptibility in smartphone websites that is effortlessly resolved by including the frame busting technique in these websites. Smartphones and systems that are not implemented with frame busting are in a serious position of vulnerability to malicious activities on the sites. The Internet, the most popular mode of business and communication, is at high risk in terms of security these days. Business owners and site owners should ensure their sites are well encrypted and protected so that external hackers cannot access their sites in any way. In the paper above we have elaborated the threats of tap-jacking and its consequences for websites and smartphones with today's technology (Wang & An, 2018).

It can be said from the above discussion that frame busting is highly recommended to websites for better protection and to avoid iframing of the sites. The discussion showed that while this protection may avoid conventional click-jacking, it can cause exposure of personal user information. Traditional frame busting, where applicable, is better to use to prevent frames rendering in several sub-frames, thus preventing click-jacking. The paper also reflects that frame rendering can result in Wi-Fi WPA key insecurities. Hackers use frame lining and XSS to access the router's WPA personal key as well, which enables them to easily access the whole network and misuse it in the worst possible ways (Alepis & Patsakis, 2017).
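The conclusion recommends frame busting without showing what the page-side script looks like. The following is an added example, not code from the paper, of the JavaScript frame busting discussed in sections 4 and 6: the legacy one-line buster, and the hardened form in which the page ships with its body hidden by CSS and only a top-level load reveals it, so that a framed copy shows nothing even if the redirect of the top window fails. It runs under Node.js against small window doubles (constructed, not a real DOM); in a real page the hardened script would be the first script in `<head>` beside a `<style>body{display:none}</style>` rule. The page and attacker URLs are assumptions for the demo.

```javascript
// Added example, not from the paper: frame-busting scripts plus a Node.js
// simulation using constructed window objects (no real DOM involved).

// Legacy one-liner seen on many sites: if the page is not the top window, try to
// navigate the top window to the page itself. It only helps when the script runs.
function legacyBuster(win) {
  if (win.top !== win.self) win.top.location = win.self.location;
}

// Hardened form: the body stays hidden (the CSS default) unless the page is the
// top-level document, so a framed copy shows nothing even if the redirect fails.
function busterScript(win) {
  if (win.self === win.top) {
    win.document.body.style.display = 'block';
    return 'revealed';
  }
  try {
    win.top.location = win.self.location;
  } catch (e) {
    // A cross-origin top window may refuse navigation; the page stays blank regardless.
  }
  return 'hidden';
}

// Minimal window double: a fresh window is its own self and top.
function makeWindow(url) {
  const w = { location: url, document: { body: { style: { display: 'none' } } } };
  w.self = w;
  w.top = w;
  return w;
}

// Case 1: the page is loaded directly, so the body is revealed.
function topLevelLoad() {
  const w = makeWindow('https://bank.example/login');
  return { result: busterScript(w), display: w.document.body.style.display };
}

// Case 2: the page is an iframe inside an attacker page; the body stays hidden
// and the top window is navigated to the page itself.
function framedLoad() {
  const attacker = makeWindow('https://evil.example/overlay');
  const victim = makeWindow('https://bank.example/login');
  victim.top = attacker;
  const result = busterScript(victim);
  return { result, display: victim.document.body.style.display, topNowAt: attacker.location };
}

// Case 3: same framing with the legacy buster; it redirects but never touched the body.
function legacyFramedLoad() {
  const attacker = makeWindow('https://evil.example/overlay');
  const victim = makeWindow('https://bank.example/login');
  victim.top = attacker;
  legacyBuster(victim);
  return { display: victim.document.body.style.display, topNowAt: attacker.location };
}

// Case 4: JavaScript disabled, so no script runs at all. With the hidden-by-default
// design the page simply stays blank, which is the trade-off the text mentions.
function noScriptLoad() {
  const w = makeWindow('https://bank.example/login');
  return { display: w.document.body.style.display };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log({ topLevel: topLevelLoad(), framed: framedLoad(), legacy: legacyFramedLoad(), noScript: noScriptLoad() });
}
```

The difference between the two scripts is what happens when the redirect does not take effect: the legacy buster leaves the page fully rendered inside the attacker's frame, while the hidden-by-default page has nothing for an overlay to sit on. Either script is complementary to, not a replacement for, the response-header policy of section 4.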
REFERENCES
Bauer, K. S., Hobson, T., Okhravi, H., Roberts, S. C., & Streilein, W. W. (2016). A Study of Gaps in Defensive Countermeasures for Web Security. MIT Lincoln Laboratory, Lexington, United States.
Felt, A. P., Reeder, R. W., Ainslie, A., Harris, H., Walker, M., Thompson, C., ... & Consolvo, S. (2016). Rethinking connection security indicators. In Twelfth Symposium on Usable Privacy and Security (SOUPS 2016) (pp. 1-14).
Gharaibeh, M., Shah, A., Huffaker, B., Zhang, H., Ensafi, R., & Papadopoulos, C. (2017, November). A look at router geolocation in public and commercial databases. In Proceedings of the 2017 Internet Measurement Conference (pp. 463-469). ACM.
Luo, M., Starov, O., Honarmand, N., & Nikiforakis, N. (2017, October). Hindsight: Understanding the evolution of UI vulnerabilities in mobile browsers. In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security (pp. 149-162). ACM.
Marforio, C., Masti, R. J., Soriente, C., Kostiainen, K., & Capkun, S. (2016, October). Hardened setup of personalized security indicators to counter phishing attacks in mobile banking. In Proceedings of the 6th Workshop on Security and Privacy in Smartphones and Mobile Devices (pp. 83-92). ACM.
Napitupulu, D. (2017). Analysis of Factors Affecting The Website Quality (Study Case: XYZ University). International Journal on Advanced Science, Engineering and Information Technology, 7(3), 792-798.
Okhravi, H., Hobson, T. R., Roberts, S. C., Streilein, W. W., & Bauer, K. (2015). A Study of Gaps in Defensive Countermeasures for Web Security (No. 1196). MIT Lincoln Laboratory, Lexington, United States.
Possemato, A., Lanzi, A., Chung, S. P. H., Lee, W., & Fratantonio, Y. (2018, October). ClickShield: Are You Hiding Something? Towards Eradicating Clickjacking on Android. In Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security (pp. 1120-1136). ACM.
San Lim, Y., Heng, P. C., Ng, T. H., & Cheah, C. S. (2016). Customers' online website satisfaction in online apparel purchase: A study of Generation Y in Malaysia. Asia Pacific Management Review, 21(2), 74-78.
Wang, J. H., & An, C. (2018). A study on geographic properties of internet routing. Computer Networks, 133, 183-194.
Rydstedt, G., Gourdin, B., Bursztein, E., & Boneh, D. (2010, August). Framing attacks on smart phones and dumb routers: tap-jacking and geo-localization attacks. In Proceedings of the 4th USENIX conference on Offensive technologies (pp. 1-8). USENIX Association.
Pawade, D., Reja, D., Lahigude, A., & Johri, E. (2016, January). Implementation of extension for browser to detect vulnerable elements on web pages and avoid Clickjacking. In 2016 6th International Conference-Cloud System and Big Data Engineering (Confluence) (pp. 226-230). IEEE.
AlJarrah, A., & Shehab, M. (2016, June). Maintaining user interface integrity on android. In 2016 IEEE 40th Annual Computer Software and Applications Conference (COMPSAC) (Vol. 1, pp. 449-458). IEEE.
Wu, L., Brandt, B., Du, X., & Ji, B. (2016, October). Analysis of clickjacking attacks and an effective defense scheme for android devices. In 2016 IEEE Conference on Communications and Network Security (CNS) (pp. 55-63). IEEE.
Alepis, E., & Patsakis, C. (2017, September). Trapped by the UI: The Android case. In International Symposium on Research in Attacks, Intrusions, and Defenses (pp. 334-354). Springer, Cham.
Wang, Z., Chen, Y., Wen, H., Zhao, L., & Sun, L. (2017, September). Discovering Routers as Secondary Landmarks for Accurate IP Geolocation. In 2017 IEEE 86th Vehicular Technology Conference (VTC-Fall) (pp. 1-5). IEEE.
Niemietz, M., & Schwenk, J. (2017, November). Out of the Dark: UI Redressing and Trustworthy Events. In International Conference on Cryptology and Network Security (pp. 229-249). Springer, Cham.