12

I was wondering if there are any threats for web-applications used on mobile phones that haven't been known in the "full size" browsers earlier.

I haven't heard of any serious or common problems that concern only mobile browsers.

Please answer if you know one.

naugtur
  • 1,095
  • 2
  • 12
  • 15
  • Actually, your question is confusing. Could you please clarify what are "web-application used on mobile phones"? Otherwise this question has no sense. –  Nov 14 '10 at 01:07
  • @Ams, @naugtur means Are there any attacks/etc via webapps that attack specifically browser clients on mobile phones, and not full desktop versions of browsers. – AviD Nov 14 '10 at 02:02
  • I seem to remember talk about a bluetooth-targeting attack a year or three ago, but since I don't remember any details I'm not putting this as an answer. – AviD Nov 14 '10 at 02:03
  • @AviD Thanks! That's a great clarification there ;) – naugtur Nov 15 '10 at 09:56

4 Answers4

8

Yes. Mobile browsers are generally at greater security risk than full-sized desktop browsers, for a number of reasons. Here are some examples:

  • Tap-jacking. Tap-jacking is more powerful on modern phone browsers (compared to full-size desktop browsers): see this paper.

  • Phishing and UI spoofing. Mobile phone browsers don't reserve screen real estate for the "browser chrome" and its corresponding security indicators: e.g., the address bar, padlock icons or signs of HTTP/HTTPS/EV-HTTPS, etc. In particular, web pages can go fullscreen and scroll away the browser chrome, leaving no browser chrome. Once the web page has done so, a malicious web page could draw a spoofed address bar. In one user study, almost every single user was fooled by a phishing attack of this sort. This may pose increased risk: e.g., to phishing, clickjacking, and other social-engineering or human-factors related attacks on the user.

  • Vulnerable mobile web sites. Many websites offer separate sites specifically for mobile clients. Those mobile-optimized versions of the site often have vulnerabilities not present in the normal site; see, e.g., this paper for some examples of this (relating to clickjacking).

  • Webview-related vulnerabilities. Many mobile applications use webviews, to seamlessly embed a web page into the application. However, at least on Android, if webviews are not used carefully, they can introduce vulnerabilities that allow a malicious website to misuse the application's access to the user's phone and information. This risk is specific to mobile systems.

D.W.
  • 98,420
  • 30
  • 267
  • 572
2

Those vulnerabilities should be targeting the navigation system of the mobile devices.

Unfortunately I don't have an example on that but this example seems as if even the iPhone has a XSRF-like issue. Web pages can start apps and trigger actions in the apps: http://www.dhanjani.com/blog/2010/11/insecure-handling-of-url-schemes-in-apples-ios.html

Phoenician-Eagle
  • 2,167
  • 16
  • 21
2

Here is an example from: http://threatpost.com/en_us/blogs/researcher-publishes-android-browser-exploit-110810

"Researcher MJ Keith published a Reverse Shell Exploit that affects mobile devices running Android's 2.0 and 2.1 operating system on November 5. The shell code takes advantage of a known vulnerability affecting WebKit, a common component of Web browsers, including the one bundled with Android, that is used to render Web page content and manage Web browsing sessions. The hole could be triggered by visiting a malicious Web site, according to a description of the hole published by Mitre."

Update 01/26/11:

This was posted on the Dailydave's newsgroup on 01/26/11:

You've probably already figured out that this bug is in Webkit. Our research team is currently checking out what is and is not vulnerable. The initial results are this: we've got an exploit in development for Android. The iPhone should be vulnerable, we're still researching that. Chrome is a bit early to call, we're still testing there. The sound bite here is this: anything that depends on Webkit should be checked out.

Re-cap: Yes there are vulnerabilities that can affect only mobile solutions.

Tate Hansen
  • 13,714
  • 3
  • 40
  • 83
  • 2
    Nice, but that sounds as if it would apply to non-mobile webbrowsers too, as long as they use webkit. The OP was looking for attacks that apply *only* to mobile. – AviD Nov 14 '10 at 12:33
  • It may, but there are 20+ different webkits and apparently each phone vendor has their own webkit fork, so it is reasonable to suggest vulnerabilities may exist only for a particular version. – Tate Hansen Nov 14 '10 at 18:00
1

Do mobile browsers have any special file/protocol handlers such as dialer or SMS?

atdre
  • 18,885
  • 6
  • 58
  • 107
  • @atdre, unless its an actual answer, this should be a comment, perhaps under the OP. Or, was this a cynical way of saying "Does a bear p**p in the woods?" – AviD Nov 14 '10 at 23:44
  • 1
    @Avid: Both of your conclusions are correct – atdre Nov 15 '10 at 01:41
  • 1
    Heh, @atdre take into account that many users here will not pick up on your humour. I am starting to catch it often though.... :D – AviD Nov 15 '10 at 07:14
  • 1
    Also, do you have exmples / know of specific attack vectors to exploit these handlers? I would think they are (should be) insulated from the browser.... – AviD Nov 15 '10 at 07:15
  • I don't have any examples, but it is the first thing that came to mind. When you threat-model any client app for any platform, it's nice to know what file and protocol handlers are present – atdre Nov 15 '10 at 10:05
  • 1
    Witty, but lacking content ;) It sure is subjective, but I prefer answers like "Oh, look! I spotted one there yesterday". Anyway - I get the point. – naugtur Nov 15 '10 at 10:06