Meng Luo (Stony Brook University), Pierre Laperdrix (Stony Brook University), Nima Honarmand (Stony Brook University), Nick Nikiforakis (Stony Brook University)

Recent market share statistics show that mobile device traffic has overtaken
that of traditional desktop computers. Users spend an increasing amount of time
on their smartphones and tablets, while the web continues to be the platform
of choice for delivering new applications to users. In this environment, it
is necessary for web applications to utilize all the tools at their disposal
to protect mobile users against popular web application attacks.
In this paper, we perform the first study of the support of popular
web-application security mechanisms (such as the Content-Security
Policy, HTTP Strict Transport Security, and Referrer Policy) across
mobile browsers. We design 395 individual tests covering 8
different security mechanisms, and utilize them to evaluate the
security-mechanism support in the 20 most popular browser families on
Android. Moreover, by collecting and testing browser versions from the
last seven years, we evaluate a total of 351 unique browser versions
against the aforementioned tests, collecting more than 138K test

By analyzing these results, we find that, although mobile browsers
generally support more security mechanisms over time, not all browsers
evolve in the same way. We discover popular browsers, with millions
of downloads, which do not support the majority of the tested
mechanisms, and identify design choices, followed by the majority of
browsers, which leave hundreds of popular websites open to
clickjacking attacks. Moreover, we discover the presence of multi-year
vulnerability windows between the time when popular websites start
utilizing a security mechanism and when mobile browsers enforce it.
Our findings highlight the need for continuous security testing of
mobile web browsers, as well as server-side frameworks which can adapt
to the level of security that each browser can guarantee.

View More Papers

Fine-Grained and Controlled Rewriting in Blockchains: Chameleon-Hashing Gone Attribute-Based

David Derler (DFINITY), Kai Samelin (TÜV Rheinland i-sec GmbH), Daniel Slamanig (AIT Austrian Institute of Technology), Christoph Striecks (AIT Austrian...

Read More

ICSREF: A Framework for Automated Reverse Engineering of Industrial...

Anastasis Keliris (NYU), Michail Maniatakos (NYU Abu Dhabi)

Read More

Thunderclap: Exploring Vulnerabilities in Operating System IOMMU Protection via...

A. Theodore Markettos (University of Cambridge), Colin Rothwell (University of Cambridge), Brett F. Gutstein (Rice University), Allison Pearce (University of...

Read More

Oligo-Snoop: A Non-Invasive Side Channel Attack Against DNA Synthesis...

Sina Faezi (University of California, Irvine), Sujit Rokka Chhetri (University of California, Irvine), Arnav Vaibhav Malawade (University of California, Irvine),...

Read More