A Trusted UI for the Mobile Web

  • Bastian Braun
  • Johannes Koestler
  • Joachim Posegga
  • Martin Johns
Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT, volume 428)


Modern mobile devices come with first class web browsers that rival their desktop counterparts in power and popularity. However, recent publications point out that mobile browsers are particularly susceptible to attacks on web authentication, such as phishing or clickjacking. We analyze those attacks and find that existing countermeasures from desktop computers can not be easily transfered to the mobile world. The attacks’ root cause is a missing trusted UI for security critical requests. Based on this result, we provide our approach, the MobileAuthenticator, that establishes a trusted path to the web application and reliably prohibits the described attacks. With this approach, the user only needs one tool to protect any number of mobile web application accounts. Based on the implementation as an app for iOS and Android respectively, we evaluate the approach and show that the underlying interaction scheme easily integrates into legacy web applications.


Mobile Device Shared Secret Authorized Action Login Request Mobile Operating System 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    Amrutkar, C., Traynor, P., van Oorschot, P.C.: Measuring SSL Indicators on Mobile Browsers: Extended Life, or End of the Road? In: Gollmann, D., Freiling, F.C. (eds.) ISC 2012. LNCS, vol. 7483, pp. 86–103. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  2. 2.
    Felt, A., Wagner, D.: Phishing on Mobile Devices. In: W2SP (2011)Google Scholar
  3. 3.
    Luo, T., Jin, X., Ananthanarayanan, A., Du, W.: Touchjacking attacks on web in android, iOS, and windows phone. In: Garcia-Alfaro, J., Cuppens, F., Cuppens-Boulahia, N., Miri, A., Tawbi, N. (eds.) FPS 2012. LNCS, vol. 7743, pp. 227–243. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  4. 4.
    Rydstedt, G., Gourdin, B., Bursztein, E., Boneh, D.: Framing Attacks on Smart Phones and Dumb Routers: Tap-jacking and Geo-localization Attacks. In: wOOt (2010)Google Scholar
  5. 5.
    Niu, Y., Hsu, F., Chen, H.: iPhish: Phishing Vulnerabilities on Consumer Electronics. In: UPSEC (2008)Google Scholar
  6. 6.
    De Ryck, P., Desmet, L., Heyman, T., Piessens, F., Joosen, W.: CsFire: Transparent Client-Side Mitigation of Malicious Cross-Domain Requests. In: Massacci, F., Wallach, D., Zannone, N. (eds.) ESSoS 2010. LNCS, vol. 5965, pp. 18–34. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  7. 7.
    Bursztein, E., Soman, C., Boneh, D., Mitchell, J.C.: SessionJuggler: Secure Web Login from an Untrusted Terminal Using Session Hijacking. In: WWW (2012)Google Scholar
  8. 8.
    Felt, A., Egelman, S., Finifter, M., Akhawe, D., Wagner, D.: How to Ask for Permission. In: HotSec (2012)Google Scholar
  9. 9.
    Chou, N., Ledesma, R., Teraguchi, Y., Boneh, D., Mitchell, J.C.: Client-side Defense against Web-Based Identity Theft. In: NDSS 2004 (2004)Google Scholar
  10. 10.
    Dhamija, R., Tygar, J.: The Battle Against Phishing: Dynamic Security Skins. In: SOUPS (2005)Google Scholar
  11. 11.
    Balfanz, D., Smetters, D., Upadhyay, M., Barth, A.: TLS Origin-Bound Certificates. IETF Draft,
  12. 12.
    Huang, L.S., Moshchuk, A., Wang, H.J., Schechter, S., Jackson, C.: Clickjacking: Attacks and Defenses. In: 21st USENIX Security Symposium (2012)Google Scholar
  13. 13.
    Jovanovic, N., Kruegel, C., Kirda, E.: Preventing cross site request forgery attacks. In: Securecomm (2006)Google Scholar
  14. 14.
    Sterne, B., Barth, A.: Content Security Policy. W3C Working Draft (2012), (November 2012)
  15. 15.
    Johns, M., Braun, B., Schrank, M., Posegga, J.: Reliable Protection Against Session Fixation Attacks. In: ACM SAC (2011)Google Scholar
  16. 16.
    Mozilla: Persona, (November 19, 2013)
  17. 17.
  18. 18.
    Internet2: Shibboleth,
  19. 19.
    Tong, T., Evans, D.: GuarDroid: A Trusted Path for Password Entry. In: Mobile Security Technologies, MoST 2013 (2013)Google Scholar
  20. 20.
    Braun, B., Kucher, S., Johns, M., Posegga, J.: A User-Level Authentication Scheme to Mitigate Web Session-Based Vulnerabilities. In: Fischer-Hübner, S., Katsikas, S., Quirchmayr, G. (eds.) TrustBus 2012. LNCS, vol. 7449, pp. 17–29. Springer, Heidelberg (2012)CrossRefGoogle Scholar

Copyright information

© IFIP International Federation for Information Processing 2014

Authors and Affiliations

  • Bastian Braun
    • 1
  • Johannes Koestler
    • 1
  • Joachim Posegga
    • 1
  • Martin Johns
    • 2
  1. 1.Institute of IT Security and Security Law (ISL)University of PassauGermany
  2. 2.SAP ResearchKarlsruheGermany

Personalised recommendations