Recent years have seen a steady increase in the sales of mobile devices as more and more users purchase smartphones and tablets to supplement their computing needs. The smartphones' cleaner UIs in combination with an ever increasing number of apps and constantly decreasing prices, are attracting more and more users who entrust their devices with sensitive data, such as personal photographs, work emails, and financial information. To browse the web from these devices, users can choose between hundreds of competing mobile browsers, each advertising its own unique set of features. In this talk, we will discuss the idiosyncrasies of these mobile web browsers and show that they are vulnerable to attacks that were never an issue on traditional desktop browsers. We will first present the results of analyzing over 2,000 versions of mobile browsers, spanning five years and 128 browser families, and show that mobile browsers are becoming more vulnerable to certain classes of attacks with each passing year. We will then focus on the ability of mobile browsers to enforce standard security mechanisms, such as, the HTTP Strict Transport Security mechanism and Content-Security Policy. We will show that mobile browsers lag behind desktop browsers in their support of these mechanisms, resulting in users being less secure when they browse a given website over a mobile browser, as opposed to a desktop browser. Lastly, we will explore the workings of data-savings mobile browsers and how their unique design can open up users to attacks.
Dr. Nick Nikiforakis (PhD'13) is an Associate Professor in the Department of Computer Science at Stony Brook University. He leads the PragSec Lab, where his students conduct research in cyber security, with a focus on web security, web privacy, DNS security, attack-surface reduction, and deception-based security. He is the author of more than 70 peer-reviewed academic publications and his work is cited over 4,500 times. He is the recipient of the National Science Foundation CAREER award (2020), the Office of Naval Research Young Investigator Award (2020), as well as a range of other security and privacy-related awards from federal funding agencies and large Internet companies.