Abstract
Modern mobile devices come with first-class web browsers that rival their desktop counterparts in power and popularity. However, recent publications point out that mobile browsers are particularly susceptible to attacks on web authentication, such as phishing or clickjacking. We analyze those attacks and find that existing countermeasures from desktop computers cannot be easily transferred to the mobile world. The attacks' root cause is a missing trusted UI for security-critical requests. Based on this result, we provide our approach, the MobileAuthenticator, which establishes a trusted path to the web application and reliably prevents the described attacks. With this approach, the user needs only one tool to protect any number of mobile web application accounts. Based on the implementation as an app for iOS and Android respectively, we evaluate the approach and show that the underlying interaction scheme integrates easily into legacy web applications.
Copyright information
© 2014 IFIP International Federation for Information Processing
About this paper
Cite this paper
Braun, B., Koestler, J., Posegga, J., Johns, M. (2014). A Trusted UI for the Mobile Web. In: Cuppens-Boulahia, N., Cuppens, F., Jajodia, S., Abou El Kalam, A., Sans, T. (eds) ICT Systems Security and Privacy Protection. SEC 2014. IFIP Advances in Information and Communication Technology, vol 428. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-55415-5_11
DOI: https://doi.org/10.1007/978-3-642-55415-5_11
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-55414-8
Online ISBN: 978-3-642-55415-5