Towards Secure Web Browsing on Mobile Devices

Chaitrali Amrutkar
Georgia Institute of Technology
Georgia Tech Information Security Center (GTISC)

1 Introduction expose mobile users to attacks. For example, a delayed

The Web is becoming more accessible by portable, multi-
touch wireless devices. With current growth rates, web
access from mobile devices is likely to exceed web
access from desktop computers by 2014 [4]. Both
platform-specific applications (native apps) and browser-
based applications (web apps) enable mobile device users
to perform security sensitive operations such as online
purchases, bank transactions and accessing social net-
works. However, the distinction between native apps
and web apps on mobile devices is increasingly being
blurred [10]. Many popular native applications, such
as Facebook, depend on browser-like components (e.g.,
Webview) for their functionality. Moreover, as HTML5
becomes universally deployed and mobile web apps di-
rectly take advantage of device features such as the cam-
era, microphone and geolocation, the difference between
native and web apps will vanish almost entirely. A re-
cent study of smartphone usage [3] shows that more peo-
ple (81%) browse the Web than use native apps (68%)
on their phone. This trend and the prevalence of web
browsers on modern mobile phones, represent a major
vulnerability that can be exploited by existing and emerg-
ing threats. Although a range of studies have focused on
the security of native apps on mobile devices, efforts in
characterizing the security of web transactions originat-
ing at mobile browsers are limited.
Modern mobile browsers now provide a rich set of
features and also build on the same or similarly capa-
ble rendering engines used by many desktop browsers.
In spite of this, the mobile Web differs from the desk-
top Web in several ways. The limited display and in-
put capabilities of mobile devices require careful balanc-
ing between usability and security when designing se-
curity solutions. Accordingly, adopting equivalent solu-
tions from the desktop browsers into the mobile space 2 Thesis Statement
might not work well. Unlike the desktop environment,
individual applications cannot push updates to a mobile The goal of this thesis is to investigate the factors affect-
phone directly and the delay of updating software may ing security of the mobile web to improve the design and
browser update for removal of compromised CA certifi-
cates may enable phishing attacks. Yet another difference
is incomplete mobile specific standards for web security.
This may lead to independent, incomplete and inconsis-
tent selection of security features across different mobile
browsers and potentially harm users. Finally, webpages
built for mobile platforms differ significantly from their
desktop counterparts in content, layout and functional-
ity. Accordingly, existing techniques to detect malicious
websites are unlikely to work for mobile specific web-
pages. These disparities in the mobile and desktop web
necessitate investigating the challenges in securing mo-
bile browsing separately.
To begin the effort of making the mobile browsing
environment secure, it is essential to understand the state-
of-the-art of security in mobile browsers, and analyze the
similarities between desktop and mobile browsers. This
analysis can assist browser vendors with decisions of
reusing security features from the desktop environment
into the mobile environment to avoid duplication of ef-
fort. Browser vendors can also evade repeating already
solved errors in the desktop browsers in their mobile ver-
sions. Second, it is vital to understand the similarities and
differences across the diverse browser software on popu-
lar mobile platforms. This evaluation can provide insight
into the security impact of similar vulnerabilities in web
browsers built by different vendors. Furthermore, iden-
tifying similarities between different browsers can facil-
itate formulating mobile specific standards for prevalent
security problems. Finally, building reliable mobile spe-
cific mechanisms that distinguish between malicious and
benign webpages will protect users from accidentally ac-
cessing harmful websites.

1
implementation of mechanisms for securing mobile web
browsing. We argue that mobile web differs significantly
from the desktop web and thus demands independent
evaluation and new techniques to protect sensitive infor-
mation. Based on our security evaluation of the majority
of popular mobile browsers and a large-scale analysis of
mobile websites, we propose the following thesis state-
ment:
Limited display and blind adoption of desktop
browser software, coupled with the paucity of mobile spe-
cific techniques to detect malicious websites expose cur-
rent mobile browser users to a range of attacks. Mecha-
nisms designed and developed specifically for the mobile
environment and functionality; outperform existing tech-
niques built for desktop.
2.1 Contributions
This dissertation presents three main contributions. First,
we show that porting browsers to mobile platforms leads
to new vulnerabilities previously not observed in desk-
top browsers. The solutions to these vulnerabilities re-
quire careful balancing between usability and security
and might not always be equivalent to those in desktop
browsers [9]. Second, we empirically demonstrate that
the combination of reduced screen space and an inde-
pendent selection of security indicators not only make
it difficult for experts to determine the security standing
of mobile browsers, but actually make mobile browsing
more dangerous for average users as they provide a false
sense of security [11]. In our third and final contribution,
we design and implement a fast and reliable mechanism
that distinguishes between malicious and benign mobile
webpages.
3 Overview
3.1 Measuring Systemic Weaknesses in Mobile
Browser Security
Modern mobile browsers now build on the same or sim-
ilarly capable rendering engines used by many desktop
browsers [7, 6]. Mobile browsers are so capable that,
through APIs such as WebViews, many of the most pop-
ular mobile apps (e.g., Facebook, ESPN) act as wrap-
3.2 An Empirical Evaluation of SSL Indicators
pers for the browser pointed to specific webpages. How-
in Mobile Browsers
ever, due to limitations in the screen real estate and mem-
ory, existing desktop browser software was not directly Mobile browsers are increasingly being relied upon to
ported to mobile devices. Accordingly, while many mo- perform security sensitive operations. Like their desktop
2
bile browsers bear the name of related desktop applica-
tions, their internal components are significantly differ-
ent. The impact of these changes on security has not pre-
viously been evaluated. Given the popularity of brows-
ing on mobile devices [12, 21], focusing on the security
of mobile browsers is critical.
We perform the first large-scale security comparison
between mobile and desktop browsers. We focus on the
issues of display security due to the screen constraints
of mobile devices. Given the often crowded layout of
mobile webpages, we specifically investigate the behav-
ior of overlapping HTML elements (and how browsers
handle clicks - i.e., “user event routing”), behavior at
the boundaries between non-overlapping items (“bound-
ary control”) and the impact of nonpersistent availabil-
ity or complete absence of the address bar. We apply
blackbox analysis across ten mobile, three tablet and five
desktop browsers. We identify previously unknown erro-
neous policies in user event routing and boundary control
and implement multiple attacks that demonstrate their se-
riousness including display ballooning, login CSRF and
clickjacking. Even though many mobile browsers rely
on the same rendering engines as their desktop counter-
parts, our experiments demonstrate that mobile browsers
are vulnerable to attacks not previously seen in the desk-
top space. We present solutions to address the new vul-
nerabilities. We then discover a third class of vulnerabil-
ity resulting from a clash between considerations made
for usability in mobile browsers and a universally im-
plemented display policy, demonstrating that making us-
ability considerations while creating mobile software is
crucial and blind porting of traditional browser code to
mobile devices can introduce unexpected vulnerabilities.
Table 1 summarizes our findings.
Our analysis demonstrates that the discovered vulner-
abilities are not isolated bugs; rather, they are pervasive
and affect all but one of the most popular mobile and
tablet browsers in some capacity. Moreover, we argue
that because an increasing number of apps rely on mobile
browsers, that these issues are relevant to all mobile app
developers. Our results are the first comprehensive study
in display security and they provide strong evidence that
the security of mobile browsers has taken steps backward
when compared to desktop browsers.
 Attacks
Vulnerability - Vulnerability - Vulnerability -
Incorrect handling of Cross-origin tenant Inconsistent
Type Rendering Browser Name user access to modifying self view of
Engine overlapping elements dimensions address bar
Click fraud, Login CSRF, Display Ballooning:
Phishing
User Interaction Interception Phishing, Password Stealing
Android X X X
Blackberry Webkit X
Webkit Chrome Beta
iPhone Safari X X
Nokia Mini-Map X X
Mobile
Opera Mini X X X
Presto
Opera Mobile X X
Gecko Firefox Mobile X
Mango Blackberry Mango X
Trident Internet Explorer X
Android on Xoom X X
Tablet Webkit Android on Galaxy X
Safari on iPad X
Presto, Opera,
Desktop Gecko, Firefox,
Webkit Safari, Chrome,
Trident Internet Explorer

Table 1: Summary of observed display-related vulnerabilities in candidate browsers and respective attacks possible
(A Xdepicts that attack is possible). 1) Equivalent vulnerabilities exist in mobile and tablet browsers with different
rendering engines. 2) Mobile, tablet and desktop browsers from the same vendor do not necessarily implement the
same code to handle display elements in different settings. 3) Desktop browsers are more compliant with security
policies for display.

counterparts, these applications can enable SSL/TLS to
provide strong security guarantees for communications
over the web. In spite of the availability of SSL/TLS,
mobile users are regularly becoming the target of mali-
cious behavior. A 2011 report indicates that mobile users
are three times more likely to access phishing websites
than desktop users [13]. Security indicators (i.e., certifi-
cate information, lock icons, cipher selection, etc.) in
web browsers offer one of the few defenses against such
attacks. A user can view different security indicators and
related certificate information presented by the browser
to offer signals or clues about the credibility of a web-
site. Although mobile and tablet browsers appear to sup-
port similar security indicators when compared to desk-
top browsers, the reasons behind the increasing number
of attacks on mobile browsers are not immediately clear.
We perform the first comprehensive empirical evalu-
ation of security indicators in mobile web browsers. The
goal of this work is not to determine if average users take
advantage of such cues, but instead to demonstrate that
such indicators are lacking and thus fail to provide suf-
ficient information for even experts. This distinction is
critical because it highlights areas where not even the
best trained users will be able to differentiate between
malicious and benign behavior. Rather than an ad hoc
analysis, we base our study on the recommendations set
forward by the W3C for user interface security [2] as
a proxy for best practices. In particular, we systemati-
cally measure which browsers strictly conform to the ab-
solute requirements and prohibitions of this document.
We perform our analysis across ten mobile and two tablet
browsers, representing greater than 90% of the mobile
market share [5], and then compare our results against
the five most popular desktop browsers.
We find that whereas desktop browsers largely con-
form to the W3C guidelines, mobile and tablet browsers
fail to do so in numerous instances. We believe that
this makes even expert users subject to attacks includ-
ing an undetectable man-in-the-middle. Our study also
observed tremendous inconsistency in the presentation
and availability of such indicators in mobile and tablet
browsers, in contrast to traditional desktop browsers.
Figure 1 shows the inconsistency in the indicators on the
address bars of the mobile and tablet browsers in our
experimental set. Accordingly, many of the clues ex-
perts instruct average users to look for can no longer re-
liably be found on these platforms. Finally, we find that
the Extended Validation (EV) SSL indicators and certifi-
cates [1, 20, 22] designed to improve assurance of the
identity of the certificate holder are virtually non-existent
in mobile browsers. While this mechanism is not a re-
quirement of the W3C recommendations, its use is perva-

3
 Android Mobile Blackberry Mango Blackberry Webkit

Chrome Beta Firefox Mobile Internet Explorer Mobile

Nokia Browser Opera Mini Opera Mobile

iPhone Safari Android Tablet Safari Tablet

Figure 1: Security indicators on the primary interface (address bar) of all the mobile and tablet browsers. Every
browser has three screenshots of the address bar: from top to bottom, the websites are Google over an http con-
nection, Gmail over a secure connection with an SSL certificate and Bank of America over a secure connection with
an EV-SSL certificate.

sive in desktop browsers. Mobile users are unable to de-
termine if certificates have undergone so-called extended
validation, and sites using these certificates may be un-
able to justify their significant monetary investment in
them.
Our measurements and observations from examining
the most widely used mobile browsers lead us to make a
number of assertions. (1) Browser designers have been
forced by the dramatic reduction in screen space to sac-
rifice a number of visual security features. The deter-
mination of which features are the most useful appears
to have been by independent processes, as reflected in
the different subsets of security indicators implemented
across the mobile platforms. (2) Previous studies have
overwhelmingly demonstrated that average users simply
do not understand security indicators even on desktop
browsers [18, 15, 25, 16, 17, 23]. Our measurements
demonstrate that the display of security indicators on mo-
bile platforms are considerably worse, to the extent that
we as experts cannot express confidence in having suf-
ficient information to take proper decisions making us
susceptible to varying phishing attacks as shown in Ta-
ble 2. Consequently, we assert that the role of security
indicators in mobile browsers offers little more than a
false sense of security. The security user interface must
therefore either be dramatically improved, to provide in-
dicators of demonstrable use, or should be considerably
simplified, to remove unusable, unreliable, or misleading
artifacts. (3) We argue that the current practice of repeat-
edly forcing a user-base that is largely security un-savvy
to make subtle security decisions is a losing game. Minor
tweaks to the wordings of certificate interface dialogues,
for example, may reach a slightly higher local maxima
in terms of security improvements, but are highly un-
likely to attain a more global maxima offering demon-
strably better security. Given the real estate constraints
of the increasingly dominant mobile platforms, our ev-
idence shows that this current practice has actually re-

4
 y
it
go

ax
k
an

eb

al
2
ile

ad
W
M

ile

G
ri
a

ob
et

fa

iP
i

ob

on
rry

rry

in
eB

le
Sa

n
M

i
id

id
be

be

io
ob
ox
m

ne
ro

ro
ia

ra

ra
k

r
M
ro

f
ac

ac

ho

fa
nd

ok

nd
pe

pe
re
Ch

Sa
Attacks

Bl

Bl

IE
Fi

iP
A

A
Phishing without SSL × · · · · · · · · · · ·
Phishing with SSL · × · · · × · × × × × ·
Phishing using a
compromised CA
· × · · · × · × × × × ·
Industrial espionage/ × × × × × × × × × × × ×
Eavesdropping

Table 2: Summary of potential attacks on candidate mobile browsers. A × implies that the attack is possible. A ·
implies that the corresponding attack is not possible on the browser.

sulted in a decrease in overall security signaling. Conse- 4 Impact

quently, we raise questions not only about the viability of
Extended Validation (EV) SSL certificates, but about the Constructive feedback and real world impact is crucial in
ongoing viability of SSL indicators themselves due to the research. The work in this thesis has been fortunate to
inability to convey accurate, reliable information to users receive attention from both academia and industry. The
as necessary for subtle security decisions. first piece of this thesis (Section 3.1) has been recognized
For these reasons, we believe that a measurement as one of the top 10 papers of 2012 at the national level
study as reported in our work is a requisite first step for ‘CSAW ATT Best Applied Security Paper Award’, won
our community to address these difficult issues and deal the institute-level ‘SAIC Best Student Paper Award’ at
with these problems head-on. Georgia Institute of Technology, and the ’Best Demo’
prize at the College of Computing research day at Geor-
gia Institute of Technology. More importantly, we have
communicated our results to various browser vendors
who have acknowledged the presence of these vulnera-
bilities and agreed to address the issues.
3.3 Identifying Malicious Mobile Webpages On
The second piece of this thesis (Section 3.2) was
the Fly
recognized as the ‘Best Student Paper’ at the Informa-
tion Security conference (ISC), 2012. Additionally, it
Webpages built for mobile platforms differ significantly was covered by several media outlets including NBC
from their desktop counterparts in content, layout and news [14], Network World [19], ACM TechNews [24]
functionality. Accordingly, existing techniques to de- and Prevention Magazine [8].
tect malicious websites are unlikely to work for mobile
specific webpages. In this work, we design and imple-
ment a fast and reliable mechanism that distinguishes
between malicious and benign mobile webpages. Our 5 Research Philosophy
technique makes this determination based on static fea-
tures of a webpage ranging from the number of iframes to The PhD program has been the most trying yet the most
the presence of known fraudulent phone numbers. First, rewarding experience of my life. Every step required in-
we experimentally demonstrate the need for mobile spe- tense deliberation and compromise. I defined and rede-
cific techniques and then identify a range of new content- fined my goals, balanced team members competing de-
based static features that highly correlate with mobile sires and values, and collided visions and prototypes until
malicious webpages. We then apply our technique to a cohesive output emerged in the form of a research paper
a large dataset of known benign and malicious mobile or software. Furthermore, the evaluation and feedback on
webpages and demonstrate 90% accuracy in classifica- my research taught me a lot about my own research and
tion. Moreover, we discover, characterize and report a abilities. This process has made me a better teacher, a
number of webpages missed by existing mechanisms, but better student, and a stronger person. The most profound
detected by our tool. Finally, we build a browser exten- lesson that I learned from my PhD and one I would share
sion to protect users from malicious mobile websites in with prospective researchers is that excellence does not
real-time. In so doing, we provide the first static analysis occur by accident. It is the result of meticulous work and
technique to detect malicious mobile webpages. dedication to its perfection. Be patient and never give up!

5
References
[1] Guidelines For The Issuance And Management Of Ex-
tended Validation Certificates, version 1.3. http:
//www.cabforum.org/Guidelines_v1_3.pdf,
November 20 2010.
[2] W3C: Web Security Context: User Interface Guidelines.
http://www.w3.org/TR/wsc-ui/, August 2010.
[3] Google Research Shows How People Use Smartphones to Help
Them Buy Stuff. http://www.readwriteweb.com/
biz/2011/04/how-people-use-smartphones-
to-purchase-products.php, April 2011.
[4] Mobile Analytics. http://webtrends.
com/shared/whitepaper/Whitepaper-
DevelopingAStrategyForMobileMaturity-
Webtrends.pdf, 2011.
[5] Mobile Browser Market Share. http://gs.
statcounter.com/#mobile_browser-ww-
monthly-201011-201111, November 2011.
[6] Opera Presto 2.1 - Web standards supported by Opera’s
core. http://dev.opera.com/articles/view/
presto-2-1-web-standards-supported -by/,
2011.
[7] The WebKit Open Source Project. http://webkit.org/,
2011.
[8] K. Aaron. The Smartphone Safety Tip You Need.
http://www.prevention.com/health/healthy-
living/smartphone-users-vulnerable-
security-threats, Dec 2012.
[9] C. Amrutkar, K. Singh, A. Verma, and P. Traynor. Vulnera-
bleMe: Measuring Systemic Weaknesses in Mobile Browser
Security. In Proceedings of the International Conference on
Information Systems Security (ICISS), 2012.
[10] C. Amrutkar and P. Traynor. Rethinking Permissions for Mo-
bile Web Apps: Barriers and the Road Ahead. In Proceedings
of the ACM CCS Workshop on Security and Privacy in Smart-
phones and Mobile Devices (CCS-SPSM), 2012.
[11] C. Amrutkar, P. Traynor, and P. C. van Oorschot. Measuring
SSL Indicators on Mobile Browsers: Extended Life, or End of
the Road? In Proceedings of the Information Security Confer-
ence (ISC), 2012.
[12] G. M. A. Blog. Smartphone user study shows mobile
movement under way. http://googlemobileads.
blogspot.com/2011/04/smartphone-user-
study-shows-mobile.html, 2011.
[13] M. Boodaei. Mobile users three times more vulnera-
ble to phishing attacks. http://www.trusteer.
com/blog/mobile-users-three-times-more-
vulnerable- phishing-attacks, 2011.
[14] S. Choney. Mobile browser woes can fool even experts: report.
http://www.nbcnews.com/technology/mobile-
browser-woes-can-fool-even-experts-
report-1C7451203, Dec 2012.
[15] R. Dhamija and J. Tygar. The battle against phishing: Dynamic
security skins. In Proceedings of the symposium on Usable pri-
vacy and security, 2005.
[16] R. Dhamija, J. D. Tygar, and M. Hearst. Why phishing works.
Proceedings of the SIGCHI conference on Human Factors in
computing systems, 2006.
[17] J. Downs, M. Holbrook, and L. Cranor. Decision strategies
and susceptibility to phishing. In Proceedings of the Second
Symposium on Usable Privacy and Security, 2006.
[18] B. Friedman, D. Hurley, D. Howe, E. Felten, and H. Nis-
senbaum. Users’ conceptions of web security: a comparative
study. In CHI extended abstracts on Human factors in com-
puting systems, 2002.
[19] J. Gold. Ga. Tech researchers: Mobile browsers need better
HTTPS indicators. http://www.networkworld.
com/news/2012/120512-mobile-browsers-
264846.html, Dec 2012.
[20] C. Jackson, D. Simon, and D. Tan. An evaluation of extended
validation and picture-in-picture phishing attacks. Financial
Cryptography and Data, 2007.
[21] M. Luttrell. Majority of users prefer mobile browser
over apps. http://www.tgdaily.com/mobility-
brief/55884-majority-of-users-prefer-
mobile-browser-over-apps, 2011.
[22] J. Sobey, R. Biddle, P. van Oorschot, and A. Patrick. Explor-
ing user reactions to new browser cues for extended validation
certificates. European Symposium on Research in Computer
Security (ESORICS), 2008.
[23] J. Sunshine, S. Egelman, H. Almuhimedi, N. Atri, and L. F.
Cranor. 18th USENIX Security Symposium Crying Wolf: An
Empirical Study of SSL Warning Effectiveness. Work, 2009.
[24] M. Terrazas. Mobile Browsers Fail Georgia Tech Safety Test.
http://technews.acm.org/archives.cfm?fo=
2012-12-dec/dec-07-2012.html#622306, Dec
2012.
[25] T. Whalen and K. Inkpen. Gathering evidence: use of visual
security cues in web browsers. In Proceedings of Graphics
Interface, 2005.