Smartphone Phishing Protection Needs Improvement

Recent versions of desktop Web browsers and email clients feature phishing and malware protection in addition to improved security notifications and indicators. Unfortunately, many of these improvements have not reached their mobile device counterparts. While the patterns of use and the threat model for Web browsing and email on mobile devices differ from desktop applications, as smartphones become more capable they present an increasingly attractive target. Institutions and services that wish to protect their mobile user base should seriously consider server-based filtering for both email and Web content on mobile devices. Currently, it is difficult–to nearly impossible–to verify the authenticity of email messages and the destination of hyperlinks on many common smartphones.

Many organizations employ network filtering and threat detection. Modern desktop browsers offer additional protection by displaying warnings for potential phishing sites, sites known to contain malware, and for invalid or expired SSL certificates. It is a rare organization or email provider that does not filtering their email for spam and viruses. Most modern Web browsers and desktop email clients can utilize third-party software and blacklists to display warnings for potential phishing attacks, viruses, and other types of malware. Blacklist-based security notifications have begun to appear in smartphone Web browsers, although they have been slow to arrive for mobile email clients.

In my column You Can Fool Some of the People All of the Time: Research on Usability, Security and Phishing, I summarized research papers on phishing vulnerabilities from both academia and industry. In closing the column, I discussed potential areas of weakness in mobile and embedded browsers found by researchers. One year later, these platforms face increased attacks. According to a 2009 study by Pew Internet and American Life, 55 percent of U.S. adults connect to the Internet via a WiFi enabled laptop, smartphone, or consumer device. Of U.S. adults, 39 percent connect wirelessly via a laptop, 32 percent with a mobile phone (19 percent on a typical day), 12 percent with a desktop computer, 9 percent with a game console, 7 percent with a PDA type device, 5 percent with an MP3 player, and 1 percent with an ebook reader. This means that a significant portion of any user base is likely to spend at least some time connected via insecure and unfiltered networks. Users with mobile devices are far more likely to connect via an unsecured WiFi network when they are outside of a standard enterprise network. VPN and enterprise WiFi security on mobile devices require complicated configuration and are typically only used when configured or provisioned by IT staff.

Although consumers increasingly use mobile devices for high value interactions such as online banking and making significant purchases, there has been little published research investigating authentication and authorization from these devices. Many mobile devices have reduced keyboards, which make long complicated passwords cumbersome and error prone. The small size of mobile screens may limit the ability to view credentials while typing, which creates further difficulties when logging in and provides fewer options to display security indicators. Advance Web browsers available on the iPhone, Android-based devices, and those using the Opera mobile browser are capable of rendering most modern Web pages. These browsers still involve tradeoffs; often requiring the user to pan and zoom or the browser to reformat the page due to limited screen size.

Given the constraints imposed by mobile devices, security indicators and warnings need more effective designs for a wide deployment. I attempt to provide a picture of the variation in current security indicators and warnings as and show the difficulty of verifying the authenticity of content. My test equipment included an iPhone 3GS running iPhone OS 3.1.3, an HTC Magic running Android 1.5, a Motorola Droid running Android 2.0, and a BlackBerry Bold 9000 running BlackBerry OS 4.6.304. All four devices left significant room for improvement. Security researcher Aviv Raff discovered many of the issues described here in 2008. Joshua Perrymon at PacketFocus provided more detail in his PhishCamp project in 2009.

Security indicators and additional warnings presented by desktop browsers, email clients, and most Web mail clients provide some additional protection to users, although usability research shows that few users notice security indicators without training and quickly cease to pay attention to frequent warnings. On desktop browsers, users can view the URL of a hyperlink by placing the mouse over the link and viewing the URL in the status bar. Most desktop email clients will display the same information in a mouse tooltip. Unfortunately, the status bar is often turned off by default in many browsers and must be enabled manually. Even though few people may take advantage of this feature, it is one of the only mechanisms to verify that a link that displays http://www.mybank.com/ does not in fact point to a clever facsimile that is a phishing site. None of the mobile email applications had the ability to display the full headers of an email, which is another method that can give an indication that an email might have been forged. Most Web mail services have an option to display full headers, although the feature is often difficult to locate.

Many mobile browsers also provide a feature to display the URL for a hyperlink. For example, on both the iPhone and the Android browsers, if the user clicks and holds a link in either the browser or email client the URL is then displayed in a separate window. The Blackberry is able to view the link by selecting a menu item. Both the iPhone and the Android devices truncated long URLs in the separate display. Only the BlackBerry browser was capable of displaying the full link, even for very long URLs. The iPhone display truncates the middle portion of long URLs and indicates the truncated portion with an ellipsis. The Android devices truncated the end of the URL, but provided no indication that the URL was truncated. Both the iPhone and the Android devices displayed more of the URL in landscape mode than portrait mode. The problem as described by Raff is more complicated as the phishing site may use a much longer URL that takes advantage of the truncated portion to hide the fact that the destination is not legitimate.

User testing shows that SSL certificate warnings are of limited use. The problem is described in detail in Crying Wolf: An Empirical Study of SSL Warning Effectiveness presented at the 2009 Usenix Security Symposium. There are currently so few means of verifying the authenticity of sessions on mobile sites, that these warnings should not be immediately discounted. Of the browsers on all three platforms tested, only the iPhone OS browser displayed an indicator that distinguished between standard SSL certificates and Extended Validation (EV) certificates. The Android and Blackberry devices did not make a distinction between the two types of certificates. All three browsers displayed warnings for mismatched SSL certificates. Every major desktop browser provides a mechanism to verify the authenticity of an SSL certificate, although only the Android browser provided this option on the mobile devices tested. The Android browser provided an additional indicator by displaying a lock with a question mark for sites where the hostname on the SSL certificate did not match the site.

The results from my limited test clearly indicate that the current generation of smartphones leaves much to be desired in terms of protection from phishing and other types of forged content. Support organizations should consider offering enhanced filtering for email and Web browsing on mobile devices until the situation improves. End-users should be even more critical of content viewed on a mobile device and should consider verifying the content via another channel when there is a high value transaction. This article provides an overview of a subset of the current problems on mobile devices. In future columns, I will cover additional problems with security on mobile devices including limited verification of SSL certificates in both email and for over the air provisioning mechanisms, and security concerns on devices such as the browsers available in hundreds of millions of gaming consoles.

* This article originally appeared as Smartphone Anti-Phishing Protection Leaves Much to Be Desired in the March 2010 issue of Messaging News

You should follow me on Twitter.