Meng Luo (Stony Brook University), Pierre Laperdrix (Stony Brook University), Nima Honarmand (Stony Brook University), Nick Nikiforakis (Stony Brook University)

Recent market share statistics show that mobile device traffic has overtaken
that of traditional desktop computers. Users spend an increasing amount of time
on their smartphones and tablets, while the web continues to be the platform
of choice for delivering new applications to users. In this environment, it
is necessary for web applications to utilize all the tools at their disposal
to protect mobile users against popular web application attacks.
In this paper, we perform the first study of the support of popular
web-application security mechanisms (such as the Content-Security
Policy, HTTP Strict Transport Security, and Referrer Policy) across
mobile browsers. We design 395 individual tests covering 8
different security mechanisms, and utilize them to evaluate the
security-mechanism support in the 20 most popular browser families on
Android. Moreover, by collecting and testing browser versions from the
last seven years, we evaluate a total of 351 unique browser versions
against the aforementioned tests, collecting more than 138K test
results.

By analyzing these results, we find that, although mobile browsers
generally support more security mechanisms over time, not all browsers
evolve in the same way. We discover popular browsers, with millions
of downloads, which do not support the majority of the tested
mechanisms, and identify design choices, followed by the majority of
browsers, which leave hundreds of popular websites open to
clickjacking attacks. Moreover, we discover the presence of multi-year
vulnerability windows between the time when popular websites start
utilizing a security mechanism and when mobile browsers enforce it.
Our findings highlight the need for continuous security testing of
mobile web browsers, as well as server-side frameworks which can adapt
to the level of security that each browser can guarantee.

View More Papers

ML-Leaks: Model and Data Independent Membership Inference Attacks and...

Ahmed Salem (CISPA Helmholtz Center for Information Security), Yang Zhang (CISPA Helmholtz Center for Information Security), Mathias Humbert (Swiss Data Science Center, ETH Zurich/EPFL), Pascal Berrang (CISPA Helmholtz Center for Information Security), Mario Fritz (CISPA Helmholtz Center for Information Security), Michael Backes (CISPA Helmholtz Center for Information Security)

Read More

Master of Web Puppets: Abusing Web Browsers for Persistent...

Panagiotis Papadopoulos (FORTH-ICS, Greece), Panagiotis Ilia (FORTH-ICS), Michalis Polychronakis (Stony Brook University, USA), Evangelos P. Markatos (FORTH-ICS, Greece), Sotiris Ioannidis (FORTH-ICS, Greece), Giorgos Vasiliadis (FORTH-ICS, Greece)

Read More

JavaScript Template Attacks: Automatically Inferring Host Information for Targeted...

Michael Schwarz (Graz University of Technology), Florian Lackner (Graz University of Technology), Daniel Gruss (Graz University of Technology)

Read More

Sereum: Protecting Existing Smart Contracts Against Re-Entrancy Attacks

Michael Rodler (University of Duisburg-Essen), Wenting Li (NEC Laboratories, Germany), Ghassan O. Karame (NEC Laboratories, Germany), Lucas Davi (University of Duisburg-Essen)

Read More