By: Michael Sutton

Mobile Browser (In)security


For the past couple of days, the Interwebs have been buzzing about pending new features in iPhone OS 3.0. One item that barely received any mention whatsoever, but was pleasantly jaw-dropping for me, can be seen in the image below, in the lower right-hand corner. It is the addition of anti-phishing capabilities for Mobile Safari.

Why should this be impressive? Firefox 2 and Internet Explorer 7 both added phishing filters back in 2006, with betas available as early as 2005. It's impressive because it's the first significant security feature of any kind in a mobile browser. Today, desktop browsers have a number of important security features, yet surprisingly, while mobile browsers have fancy features like touch screens and auto-zoom, security remains elusive. Let's compare the security features in major desktop/mobile web browsers:

Phishing

As mentioned, Firefox and Mozilla first added support for phishing blacklists over two years ago, and since then it has become standard functionality in desktop web browsers. Firefox and Safari leverage the Google SafeBrowsing initiative, while Microsoft follows a proprietary path. Regardless, phishing protection, despite being standard issue on the desktop, is a no-go on mobile browsers... at least until iPhone OS 3.0 is released this summer.

Malicious URLs

Like phishing protection, malicious URL protection takes advantage of blacklists to prevent users from visiting a site that is known to host malicious content. Malicious URL protection was added after phishing protection but has now also become a standard feature. Once again, Firefox and Safari leverage Google SafeBrowsing, while other vendors go it on their own or through partnerships.
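The blacklist check that the Phishing and Malicious URLs sections describe, as an added example that is not part of the original post and is not any browser's or service's own code. It is a simplified sketch: the function names, the choice to store SHA-256 digests of host/path expressions, and the sample hosts are all assumptions constructed for illustration.

```python
import hashlib
import ipaddress
from urllib.parse import urlsplit

def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def expressions(url):
    """Host-suffix/path-prefix strings to look up for one URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")  # hostname is already lowercased
    labels = host.split(".")
    # Exact host, then parent domains down to two labels; whole labels are
    # compared, so "notphish.example" never matches "phish.example".
    # IP literals are only ever looked up exactly.
    if is_ip(host):
        hosts = [host]
    else:
        hosts = [".".join(labels[i:]) for i in range(max(len(labels) - 1, 1))]
    segments = [s for s in parts.path.split("/") if s]
    # "/" first, then each directory prefix, then the full path (query dropped).
    paths = ["/"] + ["/" + "/".join(segments[:i]) + "/" for i in range(1, len(segments))]
    full = parts.path or "/"
    if full not in paths:
        paths.append(full)
    return [h + p for h in hosts for p in paths]

def digest(expression):
    return hashlib.sha256(expression.encode("utf-8")).hexdigest()

def check(url, blacklist):
    """Return the listed expression that matches url, or None."""
    for expression in expressions(url):
        if digest(expression) in blacklist:
            return expression
    return None

# Constructed sample list: one whole host, one directory on a shared host.
BLACKLIST = {digest(e) for e in ("phish.example/", "shared-host.example/~mallory/")}

if __name__ == "__main__":
    for u in ("http://login.phish.example/secure/update.php?id=1",
              "http://shared-host.example/~alice/index.html"):
        print(u, "->", check(u, BLACKLIST) or "allowed")
```

Listing a directory prefix rather than a whole host is what lets a blacklist block one account on a shared host without blocking its neighbours.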

Extended Validation SSL Certificates

I question the true value of EV SSL Certificates, and their adoption has been slow at best. Regardless, if they have any hope of better protecting end users, they must be supported by web browsers. It is therefore encouraging to see that they are supported by all major desktop browsers (but no mobile browsers).

Cross-Site Scripting (XSS)

With the release of IE 8, Microsoft will become the first major browser vendor to provide built-in protection against XSS attacks. Early reviews of the XSS inspection engine included in IE 8 look promising. This, in my opinion, is the single most important step in finally reducing the risk posed by what has long been the single most prevalent web application vulnerability.

Clickjacking

Microsoft went for the full sweep by also being the first vendor to introduce protections against clickjacking. However, their proposed protections also require special server-side code. While they should be commended for their efforts, this is one control that is destined for failure.

Mobile Browsers

So why have mobile browsers not yet included security features? Let's look at the possibilities.

1.) Mobile browsers do not have the storage capacity or processing power to accommodate security functionality.

Comment: My iPhone has 16GB of storage and better graphics than last-gen gaming consoles.

Verdict: Busted!

2.) Mobile browsers are not commonly subjected to attacks due to limited capabilities/use, and security controls are therefore not necessary.

Comment: Mobile browsers have nearly equivalent functionality to their desktop counterparts. They are fully capable of handling JavaScript, AJAX and, if you're not an Apple fanboy... even Flash. Mobile browsers are also starting to constitute a meaningful percentage of overall web traffic. I personally prefer using my mobile browser for certain tasks, such as reviewing blog headlines, checking sports scores and scanning tweets. I prefer the simplicity of a mobile browser for simple tasks, as it allows me to quickly review contents.

Verdict: Busted!

3.) We will never learn from our mistakes.

Comment: We have said for years (decades) that security must be baked in, as opposed to being brushed on. Yet, when it comes to quickly getting a product to market in order to win market share, security is consistently thrown out the window.

Verdict: Confirmed!

- michael
