NDSS 2019 A Longitudinal Analysis of Security-Mechanism Support in Mobile Browsers

SESSION 1A-4: Time Does Not Heal All Wounds: A Longitudinal Analysis of Security-Mechanism Support in Mobile Browsers

Recent market share statistics show that mobile device traffic has overtaken that of traditional desktop computers. Users spend an increasing amount of time on their smartphones and tablets, while the web continues to be the platform of choice for delivering new applications to users. In this environment, it is necessary for web applications to utilize all the tools at their disposal to protect mobile users against popular web application attacks. In this paper, we perform the first study of the support of popular web-application security mechanisms (such as the Content-Security Policy, HTTP Strict Transport Security, and Referrer Policy) across mobile browsers. We design 395 individual tests covering 8 different security mechanisms, and utilize them to evaluate the security-mechanism support in the 20 most popular browser families on Android. Moreover, by collecting and testing browser versions from the last seven years, we evaluate a total of 351 unique browser versions against the aforementioned tests, collecting more than 138K test results. By analyzing these results, we find that, although mobile browsers generally support more security mechanisms over time, not all browsers evolve in the same way. We discover popular browsers, with millions of downloads, which do not support the majority of the tested mechanisms, and identify design choices, followed by the majority of browsers, which leave hundreds of popular websites open to clickjacking attacks. Moreover, we discover the presence of multi-year vulnerability windows between the time when popular websites start utilizing a security mechanism and when mobile browsers enforce it. Our findings highlight the need for continuous security testing of mobile web browsers, as well as server-side frameworks which can adapt to the level of security that each browser can guarantee.

PAPER: https://www.ndss-symposium.org/wp-content/uploads/2019/02/ndss2019_01A-4_Luo_paper.pdf
SLIDES: https://www.ndss-symposium.org/wp-content/uploads/ndss2019_01A-4_Luo_slides.pdf
AUTHORS: Meng Luo (Stony Brook University), Pierre Laperdrix (Stony Brook University), Nima Honarmand (Stony Brook University), Nick Nikiforakis (Stony Brook University)

Network and Distributed System Security (NDSS) Symposium 2019, 24-27 February 2019, Catamaran Resort Hotel & Spa in San Diego, California.
https://www.ndss-symposium.org/ndss-program/ndss-symposium-2019-program/

ABOUT NDSS
The Network and Distributed System Security Symposium (NDSS) fosters information exchange among researchers and practitioners of network and distributed system security. The target audience includes those interested in practical aspects of network and distributed system security, with a focus on actual system design and implementation. A major goal is to encourage and enable the Internet community to apply, deploy, and advance the state of available security technologies.
https://www.ndss-symposium.org/

#NDSS #NDSS19 #NDSS2019 #InternetSecurity
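As an added illustration of the abstract's closing point (server-side frameworks that adapt to what each browser actually enforces), and not code from the paper or its authors: a Python sketch that parses a hypothetical browser family and version from the User-Agent, looks it up in a constructed support table, and reports which mechanisms the server cannot rely on the client to enforce. The browser names, version thresholds and header values are all assumptions made for the example.

```python
import re

# CONSTRUCTED support table (hypothetical browsers): minimum version at which
# each mechanism is enforced; None means no tested version enforces it.
# In practice such a table would be filled from per-version browser testing.
SUPPORT = {
    "BrowserA": {"csp": 3, "frame-ancestors": 5, "xfo": 1, "hsts": 2, "referrer-policy": 7},
    "BrowserB": {"csp": None, "frame-ancestors": None, "xfo": 4, "hsts": None, "referrer-policy": None},
}
UA_RE = re.compile(r"(BrowserA|BrowserB)/(\d+)")  # hypothetical UA tokens

# Headers the server always sends; unsupported browsers simply ignore them.
BASE_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "Strict-Transport-Security": "max-age=31536000",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

def parse_ua(ua):
    """Return (family, version) or (None, 0) for an unrecognised browser."""
    m = UA_RE.search(ua)
    return (m.group(1), int(m.group(2))) if m else (None, 0)

def enforces(family, version, mech):
    """True only when the table says this browser version enforces mech."""
    min_v = SUPPORT.get(family, {}).get(mech)
    return min_v is not None and version >= min_v

def headers_for(ua):
    """Return (headers, gaps): headers to send plus the mechanisms the client
    will not enforce, so the server can apply its own compensating control."""
    family, version = parse_ua(ua)
    gaps = []
    # Clickjacking is covered if either the CSP directive or XFO is enforced.
    if not (enforces(family, version, "frame-ancestors") or enforces(family, version, "xfo")):
        gaps.append("clickjacking: framing headers ignored; serve frame-busting script")
    if not enforces(family, version, "hsts"):
        gaps.append("transport: HSTS ignored; redirect HTTP to HTTPS, Secure cookies")
    if not enforces(family, version, "referrer-policy"):
        gaps.append("referrer: policy ignored; keep secrets out of URLs")
    if not enforces(family, version, "csp"):
        gaps.append("xss: CSP ignored; rely on strict output encoding")
    return dict(BASE_HEADERS), gaps

if __name__ == "__main__":
    for ua in ("Mozilla/5.0 BrowserA/9", "Mozilla/5.0 BrowserB/4", "SomeOtherUA/1"):
        print(ua, "->", headers_for(ua)[1])
```

An unrecognised browser gets every gap flagged, which is the conservative default when no measurement exists for it.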
