Chaitrali Amrutkar
Georgia Institute of Technology
Georgia Tech Information Security Center (GTISC)
implementation of mechanisms for securing mobile web browsing. We argue that the mobile web differs significantly from the desktop web and thus demands independent evaluation and new techniques to protect sensitive information. Based on our security evaluation of the majority of popular mobile browsers and a large-scale analysis of mobile websites, we propose the following thesis statement:

Limited display and blind adoption of desktop browser software, coupled with the paucity of mobile-specific techniques to detect malicious websites, expose current mobile browser users to a range of attacks. Mechanisms designed and developed specifically for the mobile environment and functionality outperform existing techniques built for desktop.

2.1 Contributions

This dissertation presents three main contributions. First, we show that porting browsers to mobile platforms leads to new vulnerabilities not previously observed in desktop browsers. The solutions to these vulnerabilities require careful balancing between usability and security and might not always be equivalent to those in desktop browsers [9]. Second, we empirically demonstrate that the combination of reduced screen space and an independent selection of security indicators not only makes it difficult for experts to determine the security standing of mobile browsers, but actually makes mobile browsing more dangerous for average users, as the indicators provide a false sense of security [11]. In our third and final contribution, we design and implement a fast and reliable mechanism that distinguishes between malicious and benign mobile webpages.

3 Overview

3.1 Measuring Systemic Weaknesses in Mobile Browser Security

Modern mobile browsers now build on the same or similarly capable rendering engines used by many desktop browsers [7, 6]. Mobile browsers are so capable that, through APIs such as WebViews, many of the most popular mobile apps (e.g., Facebook, ESPN) act as wrappers for the browser pointed to specific webpages. However, due to limitations in screen real estate and memory, existing desktop browser software was not directly ported to mobile devices. Accordingly, while many mobile browsers bear the name of related desktop applications, their internal components are significantly different. The impact of these changes on security has not previously been evaluated. Given the popularity of browsing on mobile devices [12, 21], focusing on the security of mobile browsers is critical.

We perform the first large-scale security comparison between mobile and desktop browsers. We focus on the issues of display security due to the screen constraints of mobile devices. Given the often crowded layout of mobile webpages, we specifically investigate the behavior of overlapping HTML elements (and how browsers handle clicks, i.e., “user event routing”), behavior at the boundaries between non-overlapping items (“boundary control”) and the impact of non-persistent availability or complete absence of the address bar. We apply blackbox analysis across ten mobile, three tablet and five desktop browsers. We identify previously unknown erroneous policies in user event routing and boundary control and implement multiple attacks that demonstrate their seriousness, including display ballooning, login CSRF and clickjacking. Even though many mobile browsers rely on the same rendering engines as their desktop counterparts, our experiments demonstrate that mobile browsers are vulnerable to attacks not previously seen in the desktop space. We present solutions to address the new vulnerabilities. We then discover a third class of vulnerability resulting from a clash between considerations made for usability in mobile browsers and a universally implemented display policy, demonstrating that making usability considerations while creating mobile software is crucial and that blind porting of traditional browser code to mobile devices can introduce unexpected vulnerabilities. Table 1 summarizes our findings.

Our analysis demonstrates that the discovered vulnerabilities are not isolated bugs; rather, they are pervasive and affect all but one of the most popular mobile and tablet browsers in some capacity. Moreover, we argue that because an increasing number of apps rely on mobile browsers, these issues are relevant to all mobile app developers. Our results are the first comprehensive study in display security and they provide strong evidence that the security of mobile browsers has taken steps backward when compared to desktop browsers.

Table 1: Summary of observed display-related vulnerabilities in candidate browsers and respective attacks possible (an X depicts that the attack is possible). The three vulnerability columns of the original table are: (a) incorrect handling of user access to overlapping elements, enabling click fraud, login CSRF and user interaction interception; (b) a cross-origin tenant modifying its own dimensions, enabling display ballooning (phishing); (c) an inconsistent view of the address bar, enabling phishing and password stealing. In this copy the X marks are listed per browser; their column positions among (a)-(c) were not preserved.

Type     Rendering engine  Browser name        Attack possible (X)
Mobile   Webkit            Android             X X X
Mobile   Webkit            Blackberry Webkit   X
Mobile   Webkit            Chrome Beta
Mobile   Webkit            iPhone Safari       X X
Mobile   Webkit            Nokia Mini-Map      X X
Mobile   Presto            Opera Mini          X X X
Mobile   Presto            Opera Mobile        X X
Mobile   Gecko             Firefox Mobile      X
Mobile   Mango             Blackberry Mango    X
Mobile   Trident           Internet Explorer   X
Tablet   Webkit            Android on Xoom     X X
Tablet   Webkit            Android on Galaxy   X
Tablet   Webkit            Safari on iPad      X
Desktop  Presto            Opera
Desktop  Gecko             Firefox
Desktop  Webkit            Safari, Chrome
Desktop  Trident           Internet Explorer

1) Equivalent vulnerabilities exist in mobile and tablet browsers with different rendering engines. 2) Mobile, tablet and desktop browsers from the same vendor do not necessarily implement the same code to handle display elements in different settings. 3) Desktop browsers are more compliant with security policies for display.

3.2 An Empirical Evaluation of SSL Indicators in Mobile Browsers

Mobile browsers are increasingly being relied upon to perform security-sensitive operations. Like their desktop counterparts, these applications can enable SSL/TLS to provide strong security guarantees for communications over the web. In spite of the availability of SSL/TLS, mobile users are regularly becoming the target of malicious behavior. A 2011 report indicates that mobile users are three times more likely to access phishing websites than desktop users [13]. Security indicators (i.e., certificate information, lock icons, cipher selection, etc.) in web browsers offer one of the few defenses against such attacks. A user can view different security indicators and related certificate information presented by the browser to obtain signals or clues about the credibility of a website. Although mobile and tablet browsers appear to support similar security indicators when compared to desktop browsers, the reasons behind the increasing number of attacks on mobile browsers are not immediately clear.

We perform the first comprehensive empirical evaluation of security indicators in mobile web browsers. The goal of this work is not to determine if average users take advantage of such cues, but instead to demonstrate that such indicators are lacking and thus fail to provide sufficient information even for experts. This distinction is critical because it highlights areas where not even the best trained users will be able to differentiate between malicious and benign behavior. Rather than an ad hoc analysis, we base our study on the recommendations set forward by the W3C for user interface security [2] as a proxy for best practices. In particular, we systematically measure which browsers strictly conform to the absolute requirements and prohibitions of this document. We perform our analysis across ten mobile and two tablet browsers, representing greater than 90% of the mobile market share [5], and then compare our results against the five most popular desktop browsers.

We find that whereas desktop browsers largely conform to the W3C guidelines, mobile and tablet browsers fail to do so in numerous instances. We believe that this makes even expert users subject to attacks, including an undetectable man-in-the-middle. Our study also observed tremendous inconsistency in the presentation and availability of such indicators in mobile and tablet browsers, in contrast to traditional desktop browsers. Figure 1 shows the inconsistency in the indicators on the address bars of the mobile and tablet browsers in our experimental set. Accordingly, many of the clues experts instruct average users to look for can no longer reliably be found on these platforms. Finally, we find that the Extended Validation (EV) SSL indicators and certificates [1, 20, 22] designed to improve assurance of the identity of the certificate holder are virtually non-existent in mobile browsers. While this mechanism is not a requirement of the W3C recommendations, its use is pervasive in desktop browsers. Mobile users are unable to determine if certificates have undergone so-called extended validation, and sites using these certificates may be unable to justify their significant monetary investment in them.

[Figure 1: address-bar screenshots; panel titles recoverable from this copy: Android Mobile, Blackberry Mango, Blackberry Webkit]
Figure 1: Security indicators on the primary interface (address bar) of all the mobile and tablet browsers. Every browser has three screenshots of the address bar: from top to bottom, the websites are Google over an http connection, Gmail over a secure connection with an SSL certificate and Bank of America over a secure connection with an EV-SSL certificate.

Our measurements and observations from examining the most widely used mobile browsers lead us to make a number of assertions. (1) Browser designers have been forced by the dramatic reduction in screen space to sacrifice a number of visual security features. The determination of which features are the most useful appears to have been made by independent processes, as reflected in the different subsets of security indicators implemented across the mobile platforms. (2) Previous studies have overwhelmingly demonstrated that average users simply do not understand security indicators even on desktop browsers [18, 15, 25, 16, 17, 23]. Our measurements demonstrate that the display of security indicators on mobile platforms is considerably worse, to the extent that we as experts cannot express confidence in having sufficient information to take proper decisions, making us susceptible to varying phishing attacks, as shown in Table 2. Consequently, we assert that the role of security indicators in mobile browsers offers little more than a false sense of security. The security user interface must therefore either be dramatically improved, to provide indicators of demonstrable use, or be considerably simplified, to remove unusable, unreliable, or misleading artifacts. (3) We argue that the current practice of repeatedly forcing a user base that is largely security-unsavvy to make subtle security decisions is a losing game. Minor tweaks to the wording of certificate interface dialogues, for example, may reach a slightly higher local maximum in terms of security improvements, but are highly unlikely to attain a more global maximum offering demonstrably better security. Given the real estate constraints of the increasingly dominant mobile platforms, our evidence shows that this current practice has actually re-
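Returning to the boundary-control vulnerability of Section 3.1 (a cross-origin tenant modifying its own dimensions, the vulnerability behind display ballooning in Table 1): the following is an added, landlord-side defense-in-depth example written for this edit; it is not code from the dissertation or from any browser vendor. The real fix belongs in the browser's display policy, which should never let a cross-origin frame change its own size; the example only shows what a landlord page can do to detect and clamp such a change on its side. It assumes the landlord knows the dimensions it declared for each tenant iframe and that the browser reports the frame's box change through ResizeObserver (an assumption: a browser that grows the frame without reporting it cannot be caught this way). Tenant ids and sizes are constructed.

```javascript
// Added example: landlord page re-asserting the dimensions it declared for
// cross-origin tenant iframes. Sizes are CSS pixels; ids and values are
// constructed for the example.
const DECLARED_TENANTS = {
  "ad-slot": { width: 300, height: 250 },
  "widget": { width: 200, height: 100 },
};

// Pure policy check: compare an observed box with the declared one and return
// the box to enforce plus whether a violation occurred. A tenant may be
// smaller than declared (e.g. while loading) but never larger, because a
// larger frame can cover landlord content (display ballooning).
function enforceTenantBounds(declared, observed) {
  const tooWide = observed.width > declared.width;
  const tooTall = observed.height > declared.height;
  return {
    violated: tooWide || tooTall,
    width: tooWide ? declared.width : observed.width,
    height: tooTall ? declared.height : observed.height,
  };
}

// Audit a snapshot of observed boxes (id -> {width, height}) against the
// declared policy and return the ids that violate it. A frame the landlord
// never declared is reported as a violation too.
function auditTenants(declared, observedById) {
  const violations = [];
  for (const [id, box] of Object.entries(observedById)) {
    const policy = declared[id];
    if (!policy || enforceTenantBounds(policy, box).violated) {
      violations.push(id);
    }
  }
  return violations;
}

// Browser wiring (returns null outside a browser, e.g. under Node): observe
// each declared tenant iframe and clamp it back whenever its box exceeds the
// declared size. Clamping triggers one more observation with the corrected
// size, which no longer violates the policy, so there is no loop.
function installTenantGuard(declared) {
  if (typeof window === "undefined" || typeof ResizeObserver === "undefined") {
    return null;
  }
  const observer = new ResizeObserver((entries) => {
    for (const entry of entries) {
      const policy = declared[entry.target.id];
      if (!policy) continue;
      const rect = entry.contentRect;
      const result = enforceTenantBounds(policy, { width: rect.width, height: rect.height });
      if (result.violated) {
        entry.target.style.width = `${result.width}px`;
        entry.target.style.height = `${result.height}px`;
        console.warn(`tenant ${entry.target.id} exceeded its declared bounds; clamped`);
      }
    }
  });
  for (const id of Object.keys(declared)) {
    const frame = document.getElementById(id);
    if (frame) observer.observe(frame);
  }
  return observer;
}

// Constructed snapshot: "ad-slot" has grown far past its declared 300x250 box.
const SAMPLE_OBSERVED = {
  "ad-slot": { width: 300, height: 900 },
  "widget": { width: 200, height: 100 },
};

// Stand-alone run: prints ["ad-slot"] and installs the guard when in a browser.
console.log(auditTenants(DECLARED_TENANTS, SAMPLE_OBSERVED));
installTenantGuard(DECLARED_TENANTS);
```

On a browser whose boundary control is correct the guard never fires; on one with the policy defect described in Section 3.1 it limits the damage to the declared box, and the warning gives the landlord a signal that the tenant attempted to grow.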
Table 2: Summary of potential attacks on candidate mobile browsers. A × implies that the attack is possible. A · implies that the corresponding attack is not possible on the browser. The twelve columns are the candidate browsers of this study (Android, Blackberry Mango, Blackberry Webkit, Chrome Beta, Firefox Mobile, iPhone Safari, IE Mobile, Nokia Mini-Map, Opera Mini, Opera Mobile, Android on Galaxy and Safari on iPad); the rotated column headers did not survive in this copy, so which column belongs to which browser is not recoverable here.

Attack                                Browsers (one column each)
Phishing without SSL                  × · · · · · · · · · · ·
Phishing with SSL                     · × · · · × · × × × × ·
Phishing using a compromised CA       · × · · · × · × × × × ·
Industrial espionage / Eavesdropping  × × × × × × × × × × × ×
References

[1] Guidelines For The Issuance And Management Of Extended Validation Certificates, version 1.3. http://www.cabforum.org/Guidelines_v1_3.pdf, November 20 2010.

[2] W3C: Web Security Context: User Interface Guidelines. http://www.w3.org/TR/wsc-ui/, August 2010.

[13] M. Boodaei. Mobile users three times more vulnerable to phishing attacks. http://www.trusteer.com/blog/mobile-users-three-times-more-vulnerable-phishing-attacks, 2011.

[14] S. Choney. Mobile browser woes can fool even experts: report. http://www.nbcnews.com/technology/mobile-browser-woes-can-fool-even-experts-report-1C7451203, Dec 2012.