Small and different: security and privacy risks of mobile browsers
CS Seminar: Nick Nikiforakis
December 18, 2019
1:30 PM - 3:00 PM
Presenter: Nick Nikiforakis, Stony Brook University
Abstract: Recent years have seen a steady increase in the sales of mobile devices as more and more users purchase smartphones and tablets to supplement their computing needs. The smartphones' cleaner UIs, in combination with an ever-increasing number of apps and constantly decreasing prices, are attracting more and more users who entrust their devices with sensitive data, such as personal photographs, work emails, and financial information. To browse the web from these devices, users can choose between hundreds of competing mobile browsers, each advertising its own unique set of features.
In this talk, learn about the idiosyncrasies of these mobile web browsers and their vulnerability to attacks that were never an issue on traditional desktop browsers. The results of analyzing over 2,000 versions of mobile browsers will be presented, spanning five years and 128 browser families, demonstrating that mobile browsers are becoming more vulnerable to certain classes of attacks with each passing year. The ability of mobile browsers to enforce standard security mechanisms, such as HTTP Strict Transport Security and Content Security Policy, will also be examined. Mobile browsers lag behind desktop browsers in their support of these mechanisms, resulting in users being less secure when they browse a given website over a mobile browser, as opposed to a desktop browser. Also discussed will be design decisions that leave hundreds of websites vulnerable to clickjacking attacks and complicate the life of developers, who need to decide how best to secure their web applications in the face of browsers with varying levels of security-mechanism support.
Speaker bio: Nick Nikiforakis is an assistant professor in the Department of Computer Science at Stony Brook University. He is the director of the PragSec lab, where students conduct research in all aspects of pragmatic security and privacy, including web tracking, mobile security, DNS abuse, social engineering, and cybercrime. He has authored more than 60 academic papers, many of which have appeared in the most selective computer security and privacy conferences. For his work, he has received a best paper award from ISC 2014, an Honorable Mention Award from PETS 2016, and a Distinguished Paper Award from NDSS 2017. His research is supported by the National Science Foundation and the Office of Naval Research, and he regularly serves on the program committees of all top-tier security conferences.
Faculty host: Jason Polakis
Date posted: Dec 12, 2019
Date updated: Dec 12, 2019