Network Security
Watered Down Phishing Protection in iPhone OS 3.X?
- From: Howell, Paul
- Date: Thu Sep 10 14:58:38 2009
At http://research.zscaler.com/2009/09/watered-down-phishing-protection-in.html
WEDNESDAY, SEPTEMBER 9, 2009
Watered Down Phishing Protection in iPhone OS 3.X?
[Update: 09-10-09 @ 2:39pm EST - Today, we're seeing inconsistent
results. Sites that were yesterday confirmed not to be blocked by Mobile
Safari (iPhone OS 3.1), despite being blocked by Safari in OS X, are now
being blocked, yet others are not. For example,
http://kingsofaldora.atspace.com/ is now being blocked (it wasn't
yesterday) and http://1001porngalleries.com/ is still not being blocked
on the iPhone, despite being blocked by Safari for OS X. We'll need to
hear from Apple to know for sure, but I suspect that the failed blocking
is related to phishing updates not being delivered to the iPhone as
opposed to an issue with the functionality itself.]
I've complained in the past that mobile browser vendors have not learned
from past mistakes. Despite the fact that functionality such as phishing
and malicious URL blacklists is now commonplace in mobile web
browsers, their mobile counterparts have virtually no security controls
whatsoever. I was encouraged when Apple announced anti-phishing
protection with the release of iPhone OS 3.0.
iPhone OS 3.0 was released on June 17, 2009 - three months ago. Despite
that fact, I don't recall ever having received a phishing block message
on the iPhone. Today, Apple released iPhone OS 3.1 and once again
specifically called out phishing protection. In fact, within the Safari
settings, there is now a Security section with a Fraud Warning option.
By selecting this option, which is on by default, you will be "warn[ed]
when visiting fraudulent websites". Sounds great. The problem? It
doesn't work.
Apple's Safari web browser leverages Google's SafeBrowsing initiative
to block both malicious URLs and phishing sites. Not so for mobile
Safari on the iPhone. Apple has chosen to only target phishing
sites on the iPhone. While Apple would likely argue that malicious
content on web sites target browser specific vulnerabilities, that's not
much of an argument. Attacks that I refer to as naked browser attacks
such as cross-site scripting (XSS), cross-site request forgery (CSRF)
and Clickjacking don't discriminate - they impact all browsers equally.
Moreover, past Apple vulnerabilities suggest that there is no shortage
of code sharing between the iPhone OS and OS X. After all, the initial
iPhone jailbreaks leveraged a known vulnerable TIFF rendering library.
Beyond this, the phishing protection on the iPhone is ineffective. I've
tested a variety of online/validated phishing sites from PhishTank. They
were generally blocked by Safari, but none were blocked by Safari
Mobile. In fact, I have yet to identify a single phishing page blocked
on the iPhone. What's clear here is that the functionality for the
iPhone is not equivalent to what is being employed by OS X. Why? Apple
touts Mobile Safari as the killer app that finally makes surfing the web
on a mobile device a realistic proposition and the numbers back up that
claim. Surely I can be phished on the iPhone just as I can fall victim
browsing the web on my laptop.
If you identify phishing sites blocked by the iPhone OS 3.1 software,
please post the link to the blog comments. If you work for Apple, please
comment on why you went with watered down phishing protection on the
iPhone.
- michael