Researchers from the Georgia Institute of Technology have discovered that almost all browsers currently used in smartphones and tablets are unsafe, so much so that even cyber-security experts are unable to detect when they are visiting potentially dangerous websites.
The study by Dr. Patrick Traynor and Ph.D student Chaitrali Amrutkar tested the following browsers for compliance with the 2008 security guidelines recommended by the World Wide Web Consortium (W3C) for browser safety:
Further reading
Android devices most at risk from mobile malware Google and Mozilla draw battle lines in mobile browser wars IE9 thrashes rival browsers in security contest
Android; BlackBerry Mango; BlackBerry Webkit; Chrome Beta; Firefox Mobile; iPhone Safari; Opera Mini; Opera Mobile; Windows IE Mobile; and Safari on iPad 2.
For comparision, they also tested five leading desktop browsers.
"Whereas desktop browsers largely conform to these guidelines, mobile and tablet browsers fail to do so in numerous instances," Traynor and Amruktar said in a statement.
"The basic question we asked was, 'does this browser provide enough information for even an information-security expert to determine security standing?' With all 10 of the leading browsers on the market today, the answer was no."
The main reason for this disparity, they say, is screen size. The lack of space presents mobile browser designers with much more of a challenge when consistently displaying common visual indicators for safe browsing - such as the padlock symbol or the HTTPS URL prefix.
These indicators of SSL (secure sockets layer) and TLS (transport layer security) serve to assure users that their connection to the destination website is secure (important in blocking sidejacking and man-in-the-middle attacks), and that the site is actually the one they intended to visit rather than the sort of spoof site used for phishing attacks.
"We understand the dilemma facing designers of mobile browsers, and it looks like all of them tried to do the best they could in balancing everything that has to fit within those small screens," said Traynor, going on to mention that so far brower designers have failed to represent these symbols in a consistent way.
"Many of the clues experts instruct average users to look for can no longer be reliably found on these platforms. But the fact is that all of them ended up doing something just a little different - and all inferior to desktop browsers."
Separate research from internet security firm Trusteer indicates that mobile users may be three times more likely to fall victim to email phishing attacks, possibly because they are "always on" and are thus more likely to read emails as soon as they arrive. This rapid response to emails actually makes mobile users more vulnerable because phishing attacks often occur in a narrow timeframe, since ISPs and web hosts actively watch for phishing-style activity and block phishing sites as soon as they are discovered.
Because mobile users are more vulnerable, consistent visual security indicators in mobile browsers are all the more important. The researchers believe that rival browser vendors need to come together to agree standards.
"With a little coordination, we can do a better job and make mobile browsing a safer experience for all users," said Traynor.
