Abstract
Porting browsers to mobile platforms may lead to new vulnerabilities whose solutions require careful balancing between usability and security and might not always be equivalent to those in desktop browsers. In this paper, we perform the first large-scale security comparison between mobile and desktop browsers. We focus our efforts on display security given the inherent screen limitations of mobile phones. We evaluate display elements in ten mobile, three tablet and five desktop browsers. We identify two new classes of vulnerabilities specific to mobile browsers and demonstrate their risk by launching real-world attacks including display ballooning, login CSRF and clickjacking. Additionally, we implement a new phishing attack that exploits a default policy in mobile browsers. These previously unknown vulnerabilities have been confirmed by browser vendors. Our observations, inputs from browser vendors and the pervasive nature of the discovered vulnerabilities illustrate that new implementation errors leading to serious attacks are introduced when browser software is ported from the desktop to the mobile environment. We conclude that usability considerations are crucial when designing mobile solutions, and that display security in mobile browsers is not comparable to that in desktop browsers.
© 2012 Springer-Verlag Berlin Heidelberg
Amrutkar, C., Singh, K., Verma, A., Traynor, P. (2012). VulnerableMe: Measuring Systemic Weaknesses in Mobile Browser Security. In: Venkatakrishnan, V., Goswami, D. (eds) Information Systems Security. ICISS 2012. Lecture Notes in Computer Science, vol 7671. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-35130-3_2
DOI: https://doi.org/10.1007/978-3-642-35130-3_2
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-35129-7
Online ISBN: 978-3-642-35130-3
eBook Packages: Computer Science (R0)