Mobile browsers fail researchers' safety test

Dec 05, 2012
Patrick Traynor, assistant professor in the School of Computer Science, and Ph.D. student Chaitrali Amrutkar discovered that mobile browsers are inconsistent in implementing the standards for security indicators recommended by the World Wide Web Consortium.

(Phys.org)—How unsafe are mobile browsers? Unsafe enough that even cyber-security experts are unable to detect when their smartphone browsers have landed on potentially dangerous websites, according to a recent Georgia Tech study.

Like their counterparts for desktop platforms, mobile browsers incorporate a range of security and cryptographic tools to provide a secure Web-browsing experience. However in one critical area that informs user decisions—the incorporation of tiny graphical indicators in a browser's URL field—all of the leading mobile browsers fail to meet recommended by the (W3C) for browser safety, leaving even expert users with no way to determine if the websites they visit are real or imposter sites phishing for personal data.

"We found vulnerabilities in all 10 of the mobile browsers we tested, which together account for more than 90 percent of the mobile browsers in use today in the United States," said Patrick Traynor, assistant professor in Georgia Tech's School of Computer Science. "The basic question we asked was, 'Does this browser provide enough information for even an information-security expert to determine security standing?' With all 10 of the leading browsers on the market today, the answer was no."

The graphic icons at issue are called either SSL ("") or TLS ("transport layer security") indicators, and they serve to alert users (a) when their connection to the destination website is secure and (b) that the website they see is actually the site they intended to visit. The tiny "lock" icon that typically appears in a desktop browser window when users are providing payment information in an online transaction is one example of an SSL indicator. Another is the "https" keyword that appears in the beginning of a desktop browser's URL field.

The W3C has issued specific recommendations for how SSL indicators should be built into a browser's , and for the most part, Traynor said, desktop browsers do a good job of following those recommendations. In mobile browsers, however, the guidelines are followed inconsistently at best and often not at all.

The principal reason for this, Traynor admits, is the much smaller screen size with which designers of mobile browsers have to work. Often there simply isn't room to incorporate SSL indicators in same way as with desktop browsers. However, given that mobile devices are widely predicted to face more frequent attacks from cyber-criminals, the vulnerability is almost sure to lead to increased cyber-crime unless it is addressed.

"Research has shown that mobile browser users are three times more likely to access phishing sites than users of desktop browsers," said Chaitrali Amrutkar, a Ph.D. student in the School of Computer Science and principal author of the paper that described the SSL research. "Is that all due to the lack of these SSL indicators? Probably not, but giving these tools a consistent and complete presence in mobile browsers would definitely help."

The paper, "Measuring SSL Indicators on Mobile Browsers: Extended Life, or End of the Road," earned Amrutkar a Best Student Paper award at this year's Information Security Conference, held Sept. 19-21 in Passau, Germany. Traynor and Amrutkar said the study, essentially a measurement analysis of the current state of visual security indicators in mobile browsers, is a necessary first step in developing a uniform set of security recommendations that can apply to mobile browsers.

"We understand the dilemma facing designers of mobile browsers, and it looks like all of them tried to do the best they could in balancing everything that has to fit within those small screens," Traynor said. "But the fact is that all of them ended up doing something just a little different—and all inferior to desktop browsers. With a little coordination, we can do a better job and make mobile browsing a safer experience for all users."

Explore further: 'Off-the-shelf' equipment used to digitize insects in 3-D

Related Stories

Bringing Chrome to Android more than wishful thinking

Oct 05, 2011

(PhysOrg.com) -- The first version of Chrome for Android should be just around the corner, according to ConceivablyTech. “Google is heading toward the finish line for the first release of Chrome for Android,” ...

Recommended for you

Computer-assisted accelerator design

Apr 22, 2014

Stephen Brooks uses his own custom software tool to fire electron beams into a virtual model of proposed accelerator designs for eRHIC. The goal: Keep the cost down and be sure the beams will circulate in ...

First steps towards "Experimental Literature 2.0"

Apr 21, 2014

As part of a student's thesis, the Laboratory of Digital Humanities at EPFL has developed an application that aims at rearranging literary works by changing their chapter order. "The human simulation" a saga ...

User comments : 1

Adjust slider to filter visible comments by rank

Display comments: newest first

jonnyboy
1 / 5 (2) Dec 05, 2012
idiots

More news stories

SK Hynix posts Q1 surge in net profit

South Korea's SK Hynix Inc said Thursday its first-quarter net profit surged nearly 350 percent from the previous year on a spike in sales of PC memory chips.

FCC to propose pay-for-priority Internet standards

The Federal Communications Commission is set to propose new open Internet rules that would allow content companies to pay for faster delivery over the so-called "last mile" connection to people's homes.

Brazil enacts Internet 'Bill of Rights'

Brazil's president signed into law on Wednesday a "Bill of Rights" for the digital age that aims to protect online privacy and promote the Internet as a public utility by barring telecommunications companies ...

Is nuclear power the only way to avoid geoengineering?

"I think one can argue that if we were to follow a strong nuclear energy pathway—as well as doing everything else that we can—then we can solve the climate problem without doing geoengineering." So says Tom Wigley, one ...

When things get glassy, molecules go fractal

Colorful church windows, beads on a necklace and many of our favorite plastics share something in common—they all belong to a state of matter known as glasses. School children learn the difference between ...

FDA proposes first regulations for e-cigarettes

The federal government wants to prohibit sales of electronic cigarettes to minors and require approval for new products and health warning labels under regulations being proposed by the Food and Drug Administration.