Georgia Tech Warns of Mobile Browser Vulnerabilities
Most mobile browsers fail to display SSL or TLS indicators.
"We found vulnerabilities in all 10 of the mobile browsers we tested, which together account for more than 90 percent of the mobile browsers in use today in the United States," Patrick Traynor, assistant professor in Georgia Tech’s School of Computer Science, said in a statement. "The basic question we asked was, 'Does this browser provide enough information for even an information-security expert to determine security standing?' With all 10 of the leading browsers on the market today, the answer was no."
"One of the principle vulnerabilities they identified was the failure of most mobile browsers to consistently display 'mobile security indicators,'" writes InformationWeek's Mathew J. Schwartz. "As a result, 'many of the clues experts instruct average users to look for can no longer be reliably found on these platforms,' said the study. Particularly lacking were any indications that a site was legitimate, or that SSL was being used to secure communications, which is typically indicated by the presence of a green padlock icon."
"A major part of the problem, of course, is that mobile browsers have serious limits on screen real estate compared to their desktop equivalents -- and the researchers stressed that the smartphone software generally had the same types of cryptographic and security capability found in traditional programs," writes Network World's Jon Gold. "However, the lack of an HTTPS indicator is still a problem, according to computer science Ph.D student Chaitrali Amrutkar, who authored the paper describing the study's results."
"Research has shown that mobile browser users are three times more likely to access phishing sites than users of desktop browsers," Amrutkar said. "Is that all due to the lack of these SSL indicators? Probably not, but giving these tools a consistent and complete presence in mobile browsers would definitely help."
"Mobile developers are constantly faced with the challenge of creating an enjoyable browsing experience on a display that's only a fraction of the size of a desktop," notes TechNewsDaily's Ben Weitzenkorn. "But a malware-ridden or hacked phone isn't enjoyable at all. Once developers figure out a smart and consistent way to implement SSL and TLS, Traynor said, everyone will be more secure and better served. 'With a little coordination, we can do a better job and make mobile browsing a safer experience for all users,' he said."