
Hindsight: Understanding the Evolution of UI Vulnerabilities in Mobile Browsers

Published: 30 October 2017

Abstract

Much of the recent research on mobile security has focused on malicious applications. Although mobile devices have powerful browsers that are in common use and are vulnerable to at least as many attacks as their desktop counterparts, mobile web security has not received the attention it deserves from the community. In particular, there is no longitudinal study that investigates the evolution of mobile browser vulnerabilities across the diverse set of browsers that are available. In this paper, we undertake the first such study, focusing on UI vulnerabilities in mobile browsers. We investigate and quantify vulnerability to 27 UI-related attacks (compiled from previous work and augmented with new variations of our own) across 128 browser families and 2,324 individual browser versions spanning a period of more than 5 years. In the process, we collect an extensive dataset of browser versions, old and new, from multiple sources. We also design and implement a browser-agnostic testing framework, called Hindsight, that automatically exposes browsers to attacks and evaluates their vulnerabilities. We use Hindsight to conduct the tens of thousands of individual attacks needed for this study. We find that 98.6% of the tested browsers are vulnerable to at least one of our attacks and that the average mobile web browser is becoming less secure with each passing year. Overall, our findings support the conclusion that mobile web security has been ignored by the community and must receive more attention.

Supplemental Material

MP4 File




Published In

CCS '17: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security
October 2017
2682 pages
ISBN:9781450349468
DOI:10.1145/3133956
Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. hindsight
  2. mobile browser security
  3. phishing attacks
  4. user interface
  5. vulnerability testing

Qualifiers

  • Research-article

Funding Sources

  • NSF CISE Research Infrastructure Grant
  • The National Science Foundation (NSF)
  • The Office of Naval Research (ONR)

Conference

CCS '17

Acceptance Rates

CCS '17 Paper Acceptance Rate 151 of 836 submissions, 18%;
Overall Acceptance Rate 1,261 of 6,999 submissions, 18%


Cited By

  • When the user is inside the user interface. Proceedings of the 33rd USENIX Conference on Security Symposium (2024), 2707-2723. DOI 10.5555/3698900.3699052. Online publication date: 14-Aug-2024.
  • Tabbed Out: Subverting the Android Custom Tab Security Model. 2024 IEEE Symposium on Security and Privacy (SP), 4591-4609. DOI 10.1109/SP54263.2024.00105. Online publication date: 19-May-2024.
  • Secure Storage of Crypto Wallet Seed Phrase Using ECC and Splitting Technique. IEEE Open Journal of the Computer Society 5 (2024), 278-289. DOI 10.1109/OJCS.2024.3398794.
  • Dynamic Security Analysis on Android: A Systematic Literature Review. IEEE Access 12 (2024), 57261-57287. DOI 10.1109/ACCESS.2024.3390612.
  • Understanding the Inconsistencies in the Permissions Mechanism of Web Browsers. Journal of Information Processing 31 (2023), 620-642. DOI 10.2197/ipsjjip.31.620.
  • On the Usability (In)Security of In-App Browsing Interfaces in Mobile Apps. Proceedings of the 24th International Symposium on Research in Attacks, Intrusions and Defenses (2021), 386-398. DOI 10.1145/3471621.3471625. Online publication date: 6-Oct-2021.
  • Challenges and pitfalls in malware research. Computers and Security 106:C (2021). DOI 10.1016/j.cose.2021.102287. Online publication date: 1-Jul-2021.
  • Mobile Voting – Still Too Risky? Financial Cryptography and Data Security. FC 2021 International Workshops, 263-278. DOI 10.1007/978-3-662-63958-0_23. Online publication date: 1-Mar-2021.
  • Digging Deeper: An Analysis of Domain Impersonation in the Lower DNS Hierarchy. Detection of Intrusions and Malware, and Vulnerability Assessment (2021), 68-87. DOI 10.1007/978-3-030-80825-9_4. Online publication date: 14-Jul-2021.
  • Brand Validation: Security Indicator to Better Indicate Website Identity. HCI for Cybersecurity, Privacy and Trust (2021), 432-447. DOI 10.1007/978-3-030-77392-2_28. Online publication date: 24-Jul-2021.
