Mobile
News
12/6/2012
01:28 PM
Connect Directly
RSS
E-Mail
50%
50%

Blame Screen Size: Mobile Browsers Flunk Security Tests

More than 90% of mobile device browsers now in use failed safety checks, find Georgia Tech researchers.

Who Is Hacking U.S. Banks? 8 Facts
Who Is Hacking U.S. Banks? 8 Facts
(click image for larger view and for slideshow)
The browsers used in the vast majority of mobile devices -- including both smartphones and tablets -- suffer from a safety flaw: They make it difficult for even information security experts to know when they're engaging in risky browsing behavior.

That finding comes from a study published earlier this year that examined whether mobile browsers provided clear security or risk cues. The research was conducted by Chaitrali Amrutkar and Patrick Traynor, respectively a Ph.D. student and assistant professor at the computer science school at Georgia Tech, as well as Paul C. van Oorschot, a cryptographer and computer security researcher at Carleton University in Canada. Amrutkar presented the findings at the Information Security Conference held earlier this year in Passau, Germany, where it won her a "best student paper" award. The paper recently was published in the conference proceedings.

For their study, the researchers tested 10 mobile and two tablet browsers -- which collectively comprise over 90% of the mobile browser market share used in the United States -- as well as the top five desktop browsers, to see how well they complied with the World Wide Web Consortium (W3C) "Web Security Experience, Indicators and Trust: Scope and Use Cases" guidelines published in 2008. They also acknowledged that their study involved a best-case scenario: users bothering to care. "The goal of this work is not to determine if average users take advantage of such cues, but instead to demonstrate that such indicators are lacking and thus fail to provide sufficient information for even experts," they said.

[ Read iPhone, iPad Email Attack Could Compromise Routers. ]

What they found is that by and large, the browsers running on mobile devices, including tablets, failed to comply with the W3C's recommendations. "Whereas desktop browsers largely conform to these guidelines, mobile and tablet browsers fail to do so in numerous instances," they said. "We believe that this makes even expert users subject to attacks including an undetectable man-in-the-middle [attack]."

One of the principle vulnerabilities they identified was the failure of most mobile browsers to consistently display "mobile security indicators." As a result, "many of the clues experts instruct average users to look for can no longer be reliably found on these platforms," said the study. Particularly lacking were any indications that a site was legitimate, or that SSL was being used to secure communications, which is typically indicated by the presence of a green padlock icon. Such indicators can help users see at a glance if they're visiting a lookalike site that's been cooked up as part of a phishing attack.

Blame the missing security indicators in part on screen size. "The combination of reduced screen space and an independent selection of security indicators not only make it difficult for experts to determine the security standing of mobile browsers, but actually make mobile browsing more dangerous for average users as they provide a false sense of security," said the researchers.

"We understand the dilemma facing designers of mobile browsers, and it looks like all of them tried to do the best they could in balancing everything that has to fit within those small screens," said Georgia Tech researcher Traynor, in a statement. "But the fact is that all of them ended up doing something just a little different -- and all inferior to desktop browsers."

That helps explain other research showing that "mobile browser users are three times more likely to access phishing sites than users of desktop browsers," said George Tech researcher Amrutkar, in a statement. "Is that all due to the lack of these SSL indicators? Probably not, but giving these tools a consistent and complete presence in mobile browsers would definitely help," he said.

Now extend those findings to Windows 8. Although the researchers didn't study the new operating system, security experts have criticized the tablet-centric Modern -- formerly known as Metro -- interface for sacrificing important security cues. Given the extent to which most phishing attacks today target Windows users, the cleaner user interface might come at a security cost for Windows 8 users.

Faster networks are coming, but security and monitoring systems aren't necessarily keeping up. Also in the new, all-digital Data Security At Full Speed special issue of InformationWeek: A look at what lawmakers around the world are doing to add to companies' security worries. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Messany
50%
50%
Messany,
User Rank: Apprentice
12/8/2012 | 8:27:19 PM
re: Blame Screen Size: Mobile Browsers Flunk Security Tests
Browsers, apps, ad networks - a lot of players in mobile have their hands in this mobile security crisis we keep reading about. But you can't fail to recognize how more and more efforts are being taken to reverse this trend. Little by little, browsers will getting more secure and mobile apps will get the malware stripped out of them (as long as mobile ad networks, for one, start filtering out the garbage they spread). I have a lot of respect for Airpush in this regard. They set a new standard for responsibility when they teamed with Appthority to help reduce the threat of mobile malware. I want to see more headlines like that from other companies and ad networks in this industry http://blog.airpush.com/how-ai...
InformationWeek Elite 100
InformationWeek Elite 100
Our data shows these innovators using digital technology in two key areas: providing better products and cutting costs. Almost half of them expect to introduce a new IT-led product this year, and 46% are using technology to make business processes more efficient.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest September 24, 2014
Start improving branch office support by tapping public and private cloud resources to boost performance, increase worker productivity, and cut costs.
Video
Slideshows
Twitter Feed
InformationWeek Radio
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.