Mobile browsers fail to meet W3C security standards


By Technology Decisions staff
Tuesday, 11 December, 2012



Every one of the 10 major mobile browsers fails to meet security guidelines recommended by the World Wide Web Consortium (W3C) for browser safety, according to a study from the Georgia Institute of Technology in America.

The Georgia Tech researchers examined how well browsers use SSL and TLS visual indicators, which signal to the user if a particular website is encrypting data that the user is sending.

According to Georgia Tech, these markers also indicate that the website appearing in the user's browser is actually the site the user intended to visit.

Examples include the common padlock icon that appears in desktop browsers when users visit banking websites, and the appearance of “https://” instead of the more common “http://” at the beginning of a URL in the browser’s address bar.

In its recommendations, the W3C says, among other things, that: “User agents MUST make information about the state of TLS protection available. The [TLS indicator] SHOULD be part of primary user interface during usage modes which entail the presence of signaling to the user beyond only presenting page content. Otherwise, it MUST be available through secondary user interface.”

The researchers found that in mobile browsers, these guidelines are “followed inconsistently at best and often not at all”.

These results were published in the researchers’ paper, ‘Measuring SSL Indicators on Mobile Browsers: Extended Life, or End of the Road’.

Patrick Traynor, assistant professor at Georgia Tech’s School of Computer Science and co-author of the report, said, “We found vulnerabilities in all 10 of the mobile browsers we tested, which together account for more than 90% of the mobile browsers in use today in the United States.”

These vulnerabilities mean that users have no way to determine if the websites they’re visiting are legitimate, or if they are scam sites phishing for users’ personal information.

Chaitrali Amrutkar, a PhD student at Georgia Tech’s School of Computer Science, and the principal author of the paper, said, “Research has shown that mobile browser users are three times more likely to access phishing sites than users of desktop browsers.”

Amrutkar said that it’s unlikely this difference is solely due to the lack of SSL indicators, but that “giving these tools a consistent and complete presence in mobile browsers would definitely help”.

Traynor said the lack of adequate SSL/TLS information in mobile web browsers is likely due to the lack of space available on mobile device screens, but that “with a little coordination, we can do a better job and make mobile browsing a safer experience for all users”.
