Last month, a Georgia Tech study found that mobile browsers frequently left even expert users insufficient information to judge if a site was potentially dangerous, because of user interface limitations.
The most problematic item is how SSL information is displayed. Compared to desktop browsers, mobile browsers have far more limited ways of showing whether a site is using SSL. The basic padlock is displayed when SSL is in use, but other, more advanced indicators may not be immediately apparent. For example, desktop browsers highlight the organization name for extended-validation certificates quite prominently; on mobile browsers this is not always immediately visible.
The reason for this is simple: user interface limitations. The screen space on a mobile device is much more limited than on any conventional PC; in addition, mobile interfaces tend to be explicitly designed with simplicity in mind. This can limit the amount of information the browser shows the user that would help them judge whether a site is genuine or not.
This may be why studies suggest that mobile users are more likely to fall victim to phishing attacks than desktop users. More than the technical reasons, however, user attitudes may be responsible.
It’s very easy for users to consider mobile devices as simple devices that “just work” and don’t pose a security risk. Nothing could be further from the truth. Today’s mobile devices are full-fledged computers, with all the capabilities that implies. A mobile browser is as capable of running advanced scripts as a desktop browser. As our Product Manager Warren Tsai noted at an APEC workshop in April, “The mobile browser is super capable and the performance is as powerful as the desktop.”
Most of the time, this is a good thing. This allows ever more useful sites to be built to serve mobile users better. However, any legitimate capability can, and will, be abused. So we have a bad combination of powerful browsers with trusting users. This is a formula for trouble, as the studies above indicate.
To be fair, there are reasons the potential problems of mobile web usage have not become a huge problem yet. For complex transactions like online banking, other requirements such as authentication tokens mean that for many people it is still preferable to do so via a conventional PC. Even users who prefer mobile devices for these tasks are more likely to use an app instead of a mobile browser.
Attackers are also largely ignoring the mobile web for the simple reason that it’s so much smaller than the desktop web. Current browser usage stats bear this out, with almost 87% of browser usage coming from desktops just this past November.
What should users do? The most important thing to realize is that yes, you are still at risk when you use your mobile device. Behave accordingly: don’t open that suspicious email. Don’t click that suspicious link. If in doubt, don’t touch it. (Made-for-the-purpose apps are not a cure-all either; David Sancho looked at this several months ago and found that some apps were just as insecure.)
Mobile browser security leaves much to be desired, but it hasn’t become a serious problem yet. However, the longer these holes are left open, the more likely it is that they will eventually be exploited and turn into another serious security problem for mobile users.