Meng Luo (Stony Brook University), Pierre Laperdrix (Stony Brook University), Nima Honarmand (Stony Brook University), Nick Nikiforakis (Stony Brook University)

Recent market share statistics show that mobile device traffic has overtaken
that of traditional desktop computers. Users spend an increasing amount of time
on their smartphones and tablets, while the web continues to be the platform
of choice for delivering new applications to users. In this environment, it
is necessary for web applications to utilize all the tools at their disposal
to protect mobile users against popular web application attacks.
In this paper, we perform the first study of the support of popular
web-application security mechanisms (such as the Content-Security
Policy, HTTP Strict Transport Security, and Referrer Policy) across
mobile browsers. We design 395 individual tests covering 8
different security mechanisms, and utilize them to evaluate the
security-mechanism support in the 20 most popular browser families on
Android. Moreover, by collecting and testing browser versions from the
last seven years, we evaluate a total of 351 unique browser versions
against the aforementioned tests, collecting more than 138K test
results.

By analyzing these results, we find that, although mobile browsers
generally support more security mechanisms over time, not all browsers
evolve in the same way. We discover popular browsers, with millions
of downloads, which do not support the majority of the tested
mechanisms, and identify design choices, followed by the majority of
browsers, which leave hundreds of popular websites open to
clickjacking attacks. Moreover, we discover the presence of multi-year
vulnerability windows between the time when popular websites start
utilizing a security mechanism and when mobile browsers enforce it.
Our findings highlight the need for continuous security testing of
mobile web browsers, as well as server-side frameworks which can adapt
to the level of security that each browser can guarantee.

View More Papers

Thunderclap: Exploring Vulnerabilities in Operating System IOMMU Protection via...

A. Theodore Markettos (University of Cambridge), Colin Rothwell (University of Cambridge), Brett F. Gutstein (Rice University), Allison Pearce (University of Cambridge), Peter G. Neumann (SRI International), Simon W. Moore (University of Cambridge), Robert N. M. Watson (University of Cambridge)

Read More

Understanding Open Ports in Android Applications: Discovery, Diagnosis, and...

Daoyuan Wu (Singapore Management University), Debin Gao (Singapore Management University), Rocky K. C. Chang (The Hong Kong Polytechnic University), En He (China Electronic Technology Cyber Security Co., Ltd.), Eric K. T. Cheng (The Hong Kong Polytechnic University), Robert H. Deng (Singapore Management University)

Read More

Oligo-Snoop: A Non-Invasive Side Channel Attack Against DNA Synthesis...

Sina Faezi (University of California, Irvine), Sujit Rokka Chhetri (University of California, Irvine), Arnav Vaibhav Malawade (University of California, Irvine), John Charles Chaput (University of California, Irvine), William Grover (University of California, Riverside), Philip Brisk (University of California, Riverside), Mohammad Abdullah Al Faruque (University of California, Irvine)

Read More

Cracking the Wall of Confinement: Understanding and Analyzing Malicious...

Eihal Alowaisheq (Indiana University, King Saud University), Peng Wang (Indiana University), Sumayah Alrwais (King Saud University), Xiaojing Liao (Indiana University), XiaoFeng Wang (Indiana University), Tasneem Alowaisheq (Indiana University, King Saud University), Xianghang Mi (Indiana University), Siyuan Tang (Indiana University), Baojun Liu (Tsinghua University)

Read More