VulnerableMe: Measuring Systemic Weaknesses in Mobile Browser Security

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 7671)

Abstract

Porting browsers to mobile platforms may introduce new vulnerabilities whose solutions require a careful balance between usability and security and may not be equivalent to those in desktop browsers. In this paper, we perform the first large-scale security comparison between mobile and desktop browsers. Given the inherent screen limitations of mobile phones, we focus our efforts on display security. We evaluate display elements in ten mobile, three tablet and five desktop browsers. We identify two new classes of vulnerabilities specific to mobile browsers and demonstrate their risk by launching real-world attacks, including display ballooning, login CSRF and clickjacking. Additionally, we implement a new phishing attack that exploits a default policy in mobile browsers. These previously unknown vulnerabilities have been confirmed by browser vendors. Our observations, the input from browser vendors and the pervasive nature of the discovered vulnerabilities show that new implementation errors leading to serious attacks are introduced when browser software is ported from the desktop to the mobile environment. We conclude that usability considerations are crucial when designing mobile solutions, and that display security in mobile browsers is not comparable to that in desktop browsers.




Copyright information

© 2012 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Amrutkar, C., Singh, K., Verma, A., Traynor, P. (2012). VulnerableMe: Measuring Systemic Weaknesses in Mobile Browser Security. In: Venkatakrishnan, V., Goswami, D. (eds) Information Systems Security. ICISS 2012. Lecture Notes in Computer Science, vol 7671. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-35130-3_2


  • DOI: https://doi.org/10.1007/978-3-642-35130-3_2

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-35129-7

  • Online ISBN: 978-3-642-35130-3

  • eBook Packages: Computer Science, Computer Science (R0)
