September 10th, 2009
iPhone's anti-phishing protection offers inconsistent results
Apple’s iPhone OS 3.1 update includes a new fraud warning feature which is at least theoretically, supposed to warn users when visiting fraudulent websites in Safari Mobile.
However, due to a flawed implementation in the update mechanism, the feature — enabled by default — is offering inconsistent results based on the tests performed by security company Intego, and security researcher Michael Sutton from Zscaler, whose posts basically state that “it simply doesn’t work“.
Here’s how they tested the feature:
The tests were conducted by pulling data of valid phishing sites from the Phishtank, and attempting to visit these sites in Safari and Safari Mobile, which resulted in their successful detection in Safari, but didn’t trigger a warning when visiting the same sites on the iPhone’s Safari Mobile.
- Go through related posts: Snow Leopard’s malware protection only scans for two Trojans; Snow Leopard ships with vulnerable Flash Player
The cause for these inconsistent results appears to be a flawed update mechanism, lacking any transparent way of communicating when was the last time an update took place, as well as a built-in “valid time” interval indicating that an outdated anti-phishing database is in use.
A few minutes ago, Intego posted an update to the original post in regard to the varying results:
We’ve had a number of people test this, and some people get warnings for sites that others can load just fine. We’ve tried isolating locations, iPhone/iPod touch models, and whether they are connecting over a cell network or via wifi, but all we’ve come up with is that sometimes it works and sometimes it doesn’t. This is clearly more dangerous than no protection at all, because if users think they are protected, they are less careful about which links they click.
The company makes a good point, however, there are several more issues to consider. For instance, in comparison to Safari Mobile’s fraud warning feature and its lack of transparency into the update mechanism, a commercial iPhone app called Site Check is utilizing the SafeBrowsing API in between offering a transparent way of knowing the last time a database update took place, with the option to manually pull one at any particular moment in time. This very same practice should also be implemented in the fraud warning feature.
Moreover, an assessment of the fraud warning feature at Macworld, points out that compared to Google Classic run on Safari Mobile, Google Mobile isn’t showing potentially harmful and fraudulent web sites, once again leaving users with the impression that they’re surfing the web and clicking on links under the umbrella of the SafeBrowsing initiative.
Transparent processes and customerization always translate into improved customer satisfaction, in this particular case, improved security as well.
Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response. He's been an active security blogger since 2007, and maintains a popular security blog. See his full profile and disclosure of his industry affiliations.
Subscribe to Zero Day via Email alerts or RSS.
