iPhone anti-phishing described as "ineffective"

By

Fraud warning option 'doesn't work'.

Anti-phishing protection on the Apple iPhone OS 3.0 has been criticised for being ineffective.

Michael Sutton, VP of security research at Zscaler, claimed that while functionality such as phishing and malicious URL black lists are now commonplace in mobile web browsers, their mobile counterparts have virtually no security controls whatsoever.

Following the launch of iPhone OS 3.1, and previously being encouraged by the prior version, there is now a security section with a fraud warning option. By selecting this option, which is on by default, you will be ‘warn[ed] when visiting fraudulent websites'.

However, Sutton claimed that while this sounds great, the problem is that it does not work. He said: “Apple's Safari web browser leverages Google's SafeBrowsing initiative to block both malicious URLs and phishing sites. Not so for mobile Safari on the iPhone. Apple has only chosen to only target phishing sites on the iPhone.

“While Apple would likely argue that malicious content on websites target browser specific vulnerabilities, that is not much of an argument. Attacks that I refer to as naked browser attacks such as cross-site scripting, cross-site request forgery and clickjacking don't discriminate - they impact all browsers equally.

“Moreover, past Apple vulnerabilities suggest that there is no shortage of code sharing between the iPhone OS and OS X. After all, the initial iPhone jailbreaks leveraged a known vulnerable TIFF rendering library. Beyond this, the phishing protection on the iPhone is ineffective.”

He later claimed that having tested a variety of online/validated phishing sites that were identified by PhishTank: they were generally blocked by Safari but none were blocked by Safari Mobile.

“In fact, I have yet to identify a single phishing page blocked on the iPhone. What's clear here is that the functionality for the iPhone is not equivalent to what is being employed by OS X. Why? Apple touts Mobile Safari as the killer app that finally makes surfing the web on a mobile device a realistic proposition and the numbers back up that claim. Surely I can be phished on the iPhone just as I can fall victim browsing the web on my laptop,” said Sutton.

See original article on scmagazineus.com


Got a news tip for our journalists? Share it with us anonymously here.
Copyright © SC Magazine, US edition
Tags:
antiphishingappleiphonemobileosprotectionsecuritysmartphonezscaler

Sponsored Whitepapers

Gain an independent witness with body-worn cameras
Gain an independent witness with body-worn cameras
Gain an independent witness with body-worn cameras
Gain an independent witness with body-worn cameras
Trust Imperative 4.0
Trust Imperative 4.0
Centralized Remote Connectivity for State & Local Government
Centralized Remote Connectivity for State & Local Government
Global Employee Experience Trends Report
Global Employee Experience Trends Report

Events

Most Read Articles

Macquarie Uni to spend up to $700m on 10-year digital transformation

Macquarie Uni to spend up to $700m on 10-year digital transformation
Nissan A/NZ's outsourced cyber incident call centre breached

Nissan A/NZ's outsourced cyber incident call centre breached
Digital ID bill passes parliament

Digital ID bill passes parliament
Macquarie's banking CISO headed to Endeavour Group

Macquarie's banking CISO headed to Endeavour Group

Digital Nation

COVER STORY: What AI regulation might look like in Australia
COVER STORY: What AI regulation might look like in Australia
State of Security 2023
State of Security 2023
Health tech startup Kismet raises $4m in pre-seed funding
Health tech startup Kismet raises $4m in pre-seed funding
More than half of loyalty members concerned about their data
More than half of loyalty members concerned about their data
How eBay uses interaction analytics to improve CX
How eBay uses interaction analytics to improve CX

Log In

  |  Forgot your password?