Vulnerabilities in mobile Web browsers pose a major threat to cellphone security and could lead to an increasing number of successful attacks in 2012, researchers are warning. Both your smartphone's default browser and browsers embedded within apps are possible attack points.
Mobile apps are increasingly reliant on Web browsers, Georgia Tech security researchers said in their Emerging Cyber Threats Report for 2012. Mobile devices and the browsers used on them often do not receive patches and updates, and “while computers can be manually configured not to trust compromised certificates or can receive a software patch in a matter of days, it can take months to remediate the same threat on mobile devices—leaving mobile users vulnerable in the meantime,” the researchers write.
The majority of Android phones still run Android 2.2 or earlier, which is more than a year old, because updates are highly dependent on carriers and phone manufacturers. While we saw this week that the iPhone update process can go seriously awry, Apple does attempt to make updates available to all users at once. Microsoft took a similar approach with the latest upgrade to Windows Phone, with the vast majority of users being given the option to update within a few weeks of the new software version’s release.
Out of the major smartphone platforms, Google’s Android has often been criticized for its security because of malware found in applications published on the Android Market. “Unlike Apple's App Store and Microsoft's Marketplace, which both have strict eligibility requirements and mandate that programs are restricted only to a limited set of APIs, in the Android Market essentially anything goes,” Ars noted in March after 21 applications were pulled from the Android Market because they contained malware.
The Georgia Tech researchers point to data theft as the primary goal in new types of mobile attacks, with scenarios including “Exploiting a mobile browser vulnerability to get a remote shell that enables the attacker to remotely run commands on the phone OS [and] compound threats that use SMS, e-mail and the mobile Web browser to launch an attack, then silently record and steal data.” With the address bar in a mobile browser often disappearing after several seconds of use, “many of the visual cues users rely on to confirm the safety of their online location” go away, they said.
Georgia Tech researchers said attackers are increasingly targeting both Android and Apple’s iOS. But separately from the Georgia Tech report, a new paper to be presented at the Annual Computer Security Applications Conference highlights security problems related to WebView, software that lets developers embed browsers in Android applications. Syracuse University computer science professor Wenliang Du found that “in the Android market, 86 percent of the top 20 most-downloaded apps in 10 diverse categories use WebView. With the goal of creating dynamic apps, WebView has enabled developers to embed browsers in their apps allowing users to have a more customized experience that provides opportunities to interact with social media, personal email and other app users.” But this makes it difficult for users to determine which apps to trust.
WebView results in “thousands of browser applications on mobile platforms and there is no way to determine which apps are trustworthy,” the researcher argues. “Malicious app developers could create apps that steal or modify users' information in their online accounts, such as Facebook.”
Moreover, apps relying on a WebView browser lose sandboxing protection, argues Du, who has submitted a proposal to Google to explore whether the positive features of WebView can be preserved, but with better security.
With personally owned smartphones increasingly being hooked up to corporate e-mail systems, we’re seeing several attempts to lock them down. VMware, for example, is working on a mobile virtualization platform for Android that will allow personal and work environments to be isolated from each other by separating them into two virtual machines. The Georgia Tech report notes that some corporations, such as Equifax, already use technology that encapsulates and encrypts the corporate portion of an employee’s smartphone.