Chaitrali Amrutkar
Georgia Institute of Technology
Publication
Featured research published by Chaitrali Amrutkar.
International Conference on Information Security | 2012
Chaitrali Amrutkar; Patrick Traynor; Paul C. van Oorschot
Mobile browsers are increasingly being relied upon to perform security sensitive operations. Like their desktop counterparts, these applications can enable SSL/TLS to provide strong security guarantees for communications over the web. However, the drastic reduction in screen size and the accompanying reorganization of screen real estate significantly changes the use and consistency of the security indicators and certificate information that alert users of site identity and the presence of strong cryptographic algorithms. In this paper, we perform the first measurement of the state of critical security indicators in mobile browsers. We evaluate ten mobile and two tablet browsers, representing over 90% of the market share, using the recommended guidelines for web user interface to convey security set forth by the World Wide Web Consortium (W3C). While desktop browsers follow the majority of guidelines, our analysis shows that mobile browsers fall significantly short. We also observe notable inconsistencies across mobile browsers when such mechanisms actually are implemented. Finally, we use this evidence to argue that the combination of reduced screen space and an independent selection of security indicators not only make it difficult for experts to determine the security standing of mobile browsers, but actually make mobile browsing more dangerous for average users as they provide a false sense of security.
IEEE Transactions on Mobile Computing | 2015
Chaitrali Amrutkar; Patrick Traynor; Paul C. van Oorschot
Mobile browsers are increasingly being relied upon to perform security sensitive operations. Like their desktop counterparts, these applications can enable SSL/TLS to provide strong security guarantees for communications over the web. However, the drastic reduction in screen size and the accompanying reorganization of screen real-estate significantly changes the use and consistency of the security indicators and certificate information that alert users of site identity and the presence of strong cryptographic algorithms. In this paper, we perform the first measurement of the state of critical security indicators in mobile browsers. We evaluate ten mobile and two tablet browsers, representing over 90% of the market share, against the recommended guidelines for web user interface to convey security set forth by the World Wide Web Consortium (W3C). While desktop browsers follow the majority of guidelines, our analysis shows that mobile browsers fall significantly short. We also observe notable inconsistencies across mobile browsers when such mechanisms actually are implemented. We show where and how these failures on mobile browsers eliminate clues previously designed for, and still present in, desktop browsers to detect attacks such as phishing and man-in-the-middle. Finally, we offer advice on where current standards are unclear or incomplete.
Security and Communication Networks | 2014
Henry Carter; Chaitrali Amrutkar; Italo Dacosta; Patrick Traynor
Mobile applications increasingly require users to surrender private information, such as GPS location or social networking data. To facilitate user privacy when using these applications, secure function evaluation (SFE) could be used to obliviously compute functions over encrypted inputs. The dominant construction for desktop applications is the Yao garbled circuit, but this technique requires significant processing power and network overhead, making it extremely expensive on resource-constrained mobile devices. In this work, we develop Efficient Mobile Oblivious Computation, a set of SFE protocols customized for the mobile platform. Using partially homomorphic cryptosystems, we develop protocols to meet the needs of two popular application types: location-based and social networking. Using these applications as comparison benchmarks, we demonstrate execution time improvements of 99% and network overhead improvements of 96% over the most optimized garbled circuit techniques. These results show that our protocols provide mobile application developers with a more practical and equally secure alternative to garbled circuits.
Security and Communication Networks | 2011
Patrick Traynor; Chaitrali Amrutkar; Vikhyath Rao; Trent Jaeger; Patrick D. McDaniel; Thomas F. La Porta
Mobile phones have evolved from simple voice terminals into highly capable, general-purpose computing platforms. While people are becoming increasingly dependent on such devices to perform sensitive operations, protect secret data, and be available for emergency use, it is clear that phone operating systems are not ready to become mission-critical systems. Through a pair of vulnerabilities and a simulated attack on a cellular network, we demonstrate that there are a myriad of unmanaged mechanisms on mobile phones, and that control of these mechanisms is vital to achieving reliable use. Through such vectors, mobile phones introduce a variety of new threats to their own applications and the telecommunications infrastructure itself. In this paper, we examine the requirements for providing effective mediation and access control for mobile phones. We then discuss the convergence of cellular networks with the Internet and its impact on effective resource management and quality of service. Based on these results, we argue for user devices that enable predictable behavior in a network—where their trusted computing bases can protect key applications and create predictable network impact.
2008 2nd International Conference on Internet Multimedia Services Architecture and Applications | 2008
Frank S. Park; Devdutt Patnaik; Chaitrali Amrutkar; Michael T. Hunter
The IP multimedia subsystem (IMS) portends major changes for all parties involved in the exchange of digital content and services. As the IMS architecture moves from specifications to implementations, real-world considerations can influence deployments in ways that have noteworthy security implications. In this work, we present and exemplify a systematic security evaluation of IMS deployments using a threat modeling approach. We also offer suggestions for possible mitigations where appropriate. The experiments conducted are on a production-class IMS deployment and a separate IMS testing environment.
International Conference on Information Systems Security | 2012
Chaitrali Amrutkar; Kapil Singh; Arunabh Verma; Patrick Traynor
Porting browsers to mobile platforms may lead to new vulnerabilities whose solutions require careful balancing between usability and security and might not always be equivalent to those in desktop browsers. In this paper, we perform the first large-scale security comparison between mobile and desktop browsers. We focus our efforts on display security given the inherent screen limitations of mobile phones. We evaluate display elements in ten mobile, three tablet and five desktop browsers. We identify two new classes of vulnerabilities specific to mobile browsers and demonstrate their risk by launching real-world attacks including display ballooning, login CSRF and clickjacking. Additionally, we implement a new phishing attack that exploits a default policy in mobile browsers. These previously unknown vulnerabilities have been confirmed by browser vendors. Our observations, inputs from browser vendors and the pervasive nature of the discovered vulnerabilities illustrate that new implementation errors leading to serious attacks are introduced when browser software is ported from the desktop to mobile environment. We conclude that usability considerations are crucial while designing mobile solutions and display security in mobile browsers is not comparable to that in desktop browsers.
Dependable Systems and Networks | 2013
Chaitrali Amrutkar; Matti A. Hiltunen; Trevor Jim; Kaustubh R. Joshi; Oliver Spatscheck; Patrick Traynor; Shobha Venkataraman
The perceived end-to-end performance of the mobile Internet can be impacted by multiple factors including websites, devices, and network components. Constant changes in these factors and network complexity make identifying root causes of high latency difficult. In this paper, we propose a multidimensional diagnosis technique using passive IP flow data collected at ISPs for investigating factors that impact the performance of the mobile Internet. We implement and evaluate our technique over four days of data from a major US cellular provider's network. Our approach identifies several combinations of factors affecting performance. We investigate four combinations in depth to confirm the latency causes chosen by our technique. Our findings include a popular gaming website showing poor performance on a specific device type for over 50% of the flows, and web browser traffic on older devices accounting for 99% of poorly performing traffic. Our technique can direct operators in choosing factors having high impact on latency in the mobile Internet.
Security and Privacy in Smartphones and Mobile Devices | 2012
Chaitrali Amrutkar; Patrick Traynor
The distinction between mobile applications built for specific platforms and those that run in mobile browsers is increasingly being blurred. As HTML5 becomes universally deployed and mobile web apps directly take advantage of device features such as the camera, microphone and geolocation information, this difference will vanish almost entirely. In spite of this increasing similarity, the permission systems protecting mobile device resources for native and web apps are dramatically different. In this position paper, we argue that the increasing indistinguishability between such apps coupled with the dynamic nature of mobile web apps calls for reconsidering the current permission model for mobile web apps. We first discuss factors associated with securing mobile web apps in comparison to traditional apps. We then propose a mechanism that presents a holistic view of the permissions required by a web app and provides a simple, single-stop permission management process. We then briefly discuss issues surrounding the use and deployment of this technique. In so doing, we argue that in the absence of an in-cloud security model for mobile web apps, client-side defenses are limited. Our model can provide users with a better chance of making informed security decisions and may also aid researchers in assessing the security of mobile web apps.
IEEE Transactions on Mobile Computing | 2017
Chaitrali Amrutkar; Young Seuk Kim; Patrick Traynor
Mobile-specific webpages differ significantly from their desktop counterparts in content, layout, and functionality. Accordingly, existing techniques to detect malicious websites are unlikely to work for such webpages. In this paper, we design and implement kAYO, a mechanism that distinguishes between malicious and benign mobile webpages. kAYO makes this determination based on static features of a webpage ranging from the number of iframes to the presence of known fraudulent phone numbers. First, we experimentally demonstrate the need for mobile-specific techniques and then identify a range of new static features that highly correlate with mobile malicious webpages. We then apply kAYO to a dataset of over 350,000 known benign and malicious mobile webpages and demonstrate 90 percent accuracy in classification. Moreover, we discover, characterize, and report a number of webpages missed by Google Safe Browsing and VirusTotal, but detected by kAYO. Finally, we build a browser extension using kAYO to protect users from malicious mobile websites in real time. In doing so, we provide the first static analysis technique to detect malicious mobile webpages.
Archive | 2011
Henry Carter; Chaitrali Amrutkar; Italo Dacosta; Patrick Traynor