Smartphone Web browsers could become major attack vector, security researchers warn

Vulnerabilities in mobile Web browsers pose a major threat to cellphone security and could lead to an increasing number of successful attacks in 2012, researchers are warning. Both your smartphone's default browser and browsers embedded within apps are possible attack points.

Mobile apps are increasingly reliant on Web browsers, Georgia Tech security researchers said in their Emerging Cyber Threats Report for 2012. Mobile devices and the browsers used on them often do not receive patches and updates, and while computers can be manually configured not to trust compromised certificates or can receive a software patch in a matter of days, it can take months to remediate the same threat on mobile devices, leaving mobile users vulnerable in the meantime, the researchers write.

The majority of Android phones still run Android 2.2 or earlier, which is more than a year old, because updates are highly dependent on carriers and phone manufacturers. While we saw this week that the iPhone update process can go seriously awry, Apple does attempt to make updates available to all users at once. Microsoft took a similar approach with the latest upgrade to Windows Phone, with the vast majority of users being given the option to update within a few weeks of the new software version's release.

Out of the major smartphone platforms, Google's Android has often been criticized for its security because of malware found in applications published on the Android Market. Unlike Apple's App Store and Microsoft's Marketplace, which both have strict eligibility requirements and mandate that programs are restricted only to a limited set of APIs, in the Android Market essentially anything goes, Ars noted in March after 21 applications were pulled from the Android Market because they contained malware.

The Georgia Tech researchers point to data theft as the primary goal in new types of mobile attacks, with scenarios including "Exploiting a mobile browser vulnerability to get a remote shell that enables the attacker to remotely run commands on the phone OS [and] compound threats that use SMS, e-mail and the mobile Web browser to launch an attack, then silently record and steal data." With the address bar in a mobile browser often disappearing after several seconds of use, many of the visual cues users rely on to confirm the safety of their online location go away, they said.

Georgia Tech researchers said attackers are increasingly targeting both Android and Apple's iOS. But separately from the Georgia Tech report, a new paper to be presented at the Annual Computer Security Applications Conference highlights security problems related to WebView, software that lets developers embed browsers in Android applications. Syracuse University computer science professor Wenliang Du found that in the Android market, 86 percent of the top 20 most-downloaded apps in 10 diverse categories use WebView. With the goal of creating dynamic apps, WebView has enabled developers to embed browsers in their apps, allowing users to have a more customized experience that provides opportunities to interact with social media, personal email and other app users. But this makes it difficult for users to determine which apps to trust.

WebView results in thousands of browser applications on mobile platforms and there is no way to determine which apps are trustworthy, the researcher argues. Malicious app developers could create apps that steal or modify users' information in their online accounts, such as Facebook.

Moreover, apps relying on a WebView browser lose sandboxing protection, argues Du, who has submitted a proposal to Google to explore whether the positive features of WebView can be preserved, but with better security.

With personally owned smartphones increasingly being hooked up to corporate e-mail systems, we're seeing several attempts to lock them down. VMware, for example, is working on a mobile virtualization platform for Android that will allow personal and work environments to be isolated from each other by separating them into two virtual machines. The Georgia Tech report notes that some corporations, such as Equifax, already use technology that encapsulates and encrypts the corporate portion of an employee's smartphone.

Source: Ars Technica

Tags: browsers, hackers
