Georgia Tech: mobile browsers fail security test

Researchers find lack of consistency can put consumers at risk

If you use online banking, your bank has probably encouraged you to sign up for mobile banking. Other financial services companies make it easy for customers to access they accounts with mobile devices.

But researchers at Georgia Tech say that when they conducted a test, even their cyber-security experts were unable to detect when their smartphone browsers had landed on potentially dangerous Websites. In other words, the site that was supposed to be a bank's Website sometimes wasn't.

Just like desktop systems, mobile browsers use a range of security tools to make mobile Web-browsing secure. However in one critical area that informs user decisions, Georgia Tech researchers found a glaring problem.

Strict guidelines for browsers

When it comes to the incorporation of tiny graphical indicators in a browser's URL field, all of the leading mobile browsers fail to meet security guidelines recommended by the World Wide Web Consortium (W3C) for browser safety. Even expert users say they have no way to determine if the Websites they visit are real or imposter sites phishing for personal data.

"We found vulnerabilities in all 10 of the mobile browsers we tested, which together account for more than 90 percent of the mobile browsers in use today in the United States," said Patrick Traynor, assistant professor in Georgia Tech's School of Computer Science. "The basic question we asked was, "Does this browser provide enough information for even an information-security expert to determine security standing?' With all 10 of the leading browsers on the market today, the answer was no."

Graphic icons mean the site is secure

When desktop users visit a site where they will enter sensitive information, there are graphic icons and other indicators that the site is secure. The tiny "lock" icon that typically appears in a desktop browser window when users are providing payment information in an online transaction is one example of a security indicator. Another is the "https" keyword that appears in the beginning of a desktop browser's URL field.

The W3C has issued specific recommendations for how these indicators should be built into a browser's user interface, and for the most part, Traynor said, desktop browsers do a good job of following those recommendations. In mobile browsers, however, the guidelines are followed inconsistently at best and often not at all.

One problem is the smaller screen size. Sometimes there isn't room to incorporate the indicators in same way as with desktop browsers. However, given that mobile devices are widely predicted to face more frequent attacks from cyber-criminals, the vulnerability is almost sure to lead to increased cyber-crime unless it is addressed, the researchers warn.

Best efforts fall short

Traynor said it appears mobile browser designers did the best they could, considering the constraints of the small screen.

"But the fact is that all of them ended up doing something just a little different -- and all inferior to desktop browsers," he said. "With a little coordination, we can do a better job and make mobile browsing a safer experience for all users."

It's important, he says, because research has shown that mobile browser users are three times more likely to access phishing sites than users of desktop browsers.

How they voted

Yes

Yes