13

History seems to have come almost full circle where old issues are shown in new/emerging technologies.

Background

If you trust the operating system, Windows originally had the Control - Alt - Delete as a way to prevent TSR (Terminate and Stay Resident) programs from stealing passwords. It also invoked a GINA now the Windows Secure Subsystem (whatever it's called these days).

If you trust the browser, Web browsers proved security using SSL/TLS/HTTPS icons in the browser, and sometimes they colored the status bar green for sites that overpaid for their SSL certificate.

Problem

Now that mobile devices don't display a HTTPS status bar when navigating it's impossible to tell if you're on a legit site, or hacked via SSLStrip MITM or HTTPS. On top of that, there isn't a secure mode integrated into the OS itself, therefore it seems next to impossible to distinguish a legit authentication dialog from an imposter.

Can you tell the imposter from the legit dialog?

Windows Mobile, Android, iOS login screens to Azure AD

Although I demonstrate Azure Active Directory federation above, the same issue applies to consumer and corporate accounts that leverage other systems (OAuth, OpenID, Facebook, Ping Identity, ADFS)

This issue came to my mind as I downloaded an Android app that was clearly phishing for my credentials so it could post a favorable review of itself. ... a App Review Worm of sorts.

Question

  • How can a dumb end user protect themselves from such an attack, on a mobile device?

  • Are physical certificates the only option to prevent phishing? (TLS Mutual Auth)

  • Does FIDO play a role in securing the mobile space?

makerofthings7
  • 50,090
  • 54
  • 250
  • 536
  • 4
    "sometimes they colored the status bar green for sites that overpaid for their SSL certificate." Best description of [EV Certificates](https://en.wikipedia.org/wiki/Extended_Validation_Certificate) I've ever heard. – Nic Barker Sep 01 '15 at 02:40
  • Don't install random apps? – Neil McGuigan Sep 01 '15 at 04:27
  • 2
    @NicBarker this is for a mobile *app*, not a browser app, so there's no trusted SSL indicator as it's not in a browser. – Neil Smithline Sep 01 '15 at 05:03
  • @NicBarker where is that quote from? I can't find it. – Neil Smithline Sep 01 '15 at 05:05
  • @NeilSmithline Apologies for the confusion Neil, it's actually in the question (paragraph 2 of background) – Nic Barker Sep 01 '15 at 05:22
  • 1
    Only thing i know of : User education including turning on/off certain browser features at-least in Safari(Apple products). https://support.apple.com/en-us/HT201265. The emphasis on real state(space) has overshadowed many things in the mobile world. – salah-1 Sep 01 '15 at 05:45
  • 1
    Look into Qubes OS. Trusted GUIs are a whole research field – Natanael Sep 02 '15 at 21:06

1 Answers1

3

The only way you can ensure you are secure is if you use a trusted mobile application, such as Chrome, and you see the padlock and HTTPS at the start of the address bar.

Note that here you are trusting both Chrome and the domain of the website that is HTTPS.

If you're using a third party application that integrates a browser, you are trusting that application. If you don't trust that application, you cannot trust anything displayed to you within that application. Therefore, you should only enter credentials through applications that you trust, in this case Chrome. Note that full screen pages now require permission to display full screen in Chrome, so a page drawing the address bar in is no longer possible without Chrome alerting the user.

Note that even if you trust an app, you need to beware that the app loaded could be subject to scheme hijacking and it might not be in fact the app you expected to load. Always load up the application manually before entering any credentials.

SilverlightFox
  • 33,408
  • 6
  • 67
  • 178