I was wondering if there are any threats for web-applications used on mobile phones that haven't been known in the "full size" browsers earlier.
I haven't heard of any serious or common problems that concern only mobile browsers.
Please answer if you know one.
Yes. Mobile browsers are generally at greater security risk than full-sized desktop browsers, for a number of reasons. Here are some examples:
Tap-jacking. Tap-jacking is more powerful on modern phone browsers (compared to full-size desktop browsers): see this paper.
Phishing and UI spoofing. Mobile phone browsers don't reserve screen real estate for the "browser chrome" and its corresponding security indicators: e.g., the address bar, padlock icons or signs of HTTP/HTTPS/EV-HTTPS, etc. In particular, web pages can go fullscreen and scroll away the browser chrome, leaving no browser chrome. Once the web page has done so, a malicious web page could draw a spoofed address bar. In one user study, almost every single user was fooled by a phishing attack of this sort. This may pose increased risk: e.g., to phishing, clickjacking, and other social-engineering or human-factors related attacks on the user.
Vulnerable mobile web sites. Many websites offer separate sites specifically for mobile clients. Those mobile-optimized versions of the site often have vulnerabilities not present in the normal site; see, e.g., this paper for some examples of this (relating to clickjacking).
Webview-related vulnerabilities. Many mobile applications use webviews, to seamlessly embed a web page into the application. However, at least on Android, if webviews are not used carefully, they can introduce vulnerabilities that allow a malicious website to misuse the application's access to the user's phone and information. This risk is specific to mobile systems.
Those vulnerabilities should be targeting the navigation system of the mobile devices.
Unfortunately I don't have an example on that but this example seems as if even the iPhone has a XSRF-like issue. Web pages can start apps and trigger actions in the apps: http://www.dhanjani.com/blog/2010/11/insecure-handling-of-url-schemes-in-apples-ios.html
Here is an example from: http://threatpost.com/en_us/blogs/researcher-publishes-android-browser-exploit-110810
"Researcher MJ Keith published a Reverse Shell Exploit that affects mobile devices running Android's 2.0 and 2.1 operating system on November 5. The shell code takes advantage of a known vulnerability affecting WebKit, a common component of Web browsers, including the one bundled with Android, that is used to render Web page content and manage Web browsing sessions. The hole could be triggered by visiting a malicious Web site, according to a description of the hole published by Mitre."
Update 01/26/11:
This was posted on the Dailydave's newsgroup on 01/26/11:
You've probably already figured out that this bug is in Webkit. Our research team is currently checking out what is and is not vulnerable. The initial results are this: we've got an exploit in development for Android. The iPhone should be vulnerable, we're still researching that. Chrome is a bit early to call, we're still testing there. The sound bite here is this: anything that depends on Webkit should be checked out.
Re-cap: Yes there are vulnerabilities that can affect only mobile solutions.
Do mobile browsers have any special file/protocol handlers such as dialer or SMS?
