Wednesday, September 9, 2009

Watered Down Phishing Protection in iPhone OS 3.X?

[Update: 09-13-09 @ 5:43pm EST - Looks like we may have finally resolved this. Apple has apparently issued a statement indicating that the anti-phishing filter doesn't take effect until the blacklist is downloaded, which only occurs while the phone is charging. According to the statement, users should "launch Safari, connect to a Wi-Fi network and charge their iPhone with the screen off". Certainly a bit odd, but at least the functionality seems to be working after all.]

[Update: 09-11-09 @ 4:27pm EST - It would appear that the wrinkles have largely been ironed out. In a random sample of 50 pages blocked by Safari for OS X, only one was not blocked by Safari for iPhone OS 3.1. So what happened?
1.) Sites not blocked on 09-09-09 were blocked 24 hours later
2.) People have been seeing inconsistent results, whereby the same pages would be blocked by one phone and not another
Based on what we've seen, it seems likely that the issue was not with the blocking feature itself within iPhone OS 3.1, but rather with the updates being pushed to iPhones. At the time of the iPhone OS 3.1 deployment, some phones were not receiving updates while others were.]

[Update: 09-10-09 @ 2:39pm EST - Today, we're seeing inconsistent results. Sites that were yesterday confirmed not to be blocked by Mobile Safari (iPhone OS 3.1), despite being blocked by Safari in OS X, are now being blocked, yet others are not. For example, http://kingsofaldora.atspace.com/ is now being blocked (wasn't yesterday) and http://1001porngalleries.com/ is still not being blocked on the iPhone, despite being blocked by Safari for OS X. We'll need to hear from Apple to know for sure, but I suspect that the failed blocking is related to phishing updates not being delivered to the iPhone as opposed to an issue with the functionality itself.]

I've complained in the past that mobile browser vendors have not learned from past mistakes. Despite the fact that functionality such as phishing and malicious URL blacklists is now commonplace in desktop web browsers, their mobile counterparts have virtually no security controls whatsoever. I was encouraged when Apple announced anti-phishing protection with the release of iPhone OS 3.0.

iPhone OS 3.0 was released on June 17, 2009 - three months ago. Despite that fact, I don't recall ever having received a phishing block message on the iPhone. Today, Apple released iPhone OS 3.1 and once again specifically called out phishing protection. In fact, within the Safari settings, there is now a Security section with a Fraud Warning option. By selecting this option, which is on by default, you will be "warn[ed] when visiting fraudulent websites". Sounds great. The problem? It doesn't work.

Apple's Safari web browser leverages Google's SafeBrowsing initiative to block both malicious URLs and phishing sites. Not so for Mobile Safari on the iPhone. Apple has chosen to target only phishing sites on the iPhone. While Apple would likely argue that malicious content on web sites targets browser-specific vulnerabilities, that's not much of an argument. Attacks that I refer to as naked browser attacks, such as cross-site scripting (XSS), cross-site request forgery (CSRF) and Clickjacking, don't discriminate - they impact all browsers equally. Moreover, past Apple vulnerabilities suggest that there is no shortage of code sharing between the iPhone OS and OS X. After all, the initial iPhone jailbreaks leveraged a known vulnerable TIFF rendering library.

Beyond this, the phishing protection on the iPhone is ineffective. I've tested a variety of online/validated phishing sites from PhishTank. They were generally blocked by Safari, but none were blocked by Safari Mobile. In fact, I have yet to identify a single phishing page blocked on the iPhone. What's clear here is that the functionality for the iPhone is not equivalent to what is being employed by OS X. Why? Apple touts Mobile Safari as the killer app that finally makes surfing the web on a mobile device a realistic proposition and the numbers back up that claim. Surely I can be phished on the iPhone just as I can fall victim browsing the web on my laptop.
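The behaviour described here, a Fraud Warning toggle that is on while nothing is actually blocked, comes down to whether a blacklist has reached the device at all. The following is an added illustration written for this post, not Apple's or Google's code: a simplified Safe Browsing-style local lookup that reports "no list" and "stale list" as states distinct from "allowed". The class and function names, the 4-byte hash prefix, the 24-hour freshness window and the sample list entries are all assumptions.

```python
import hashlib
from urllib.parse import urlsplit

# Assumed parameters: Safe Browsing-style clients compare short hash prefixes
# of canonicalized URLs against a locally stored list. The real protocol also
# confirms a prefix hit with a full-hash request, which is omitted here.
PREFIX_LEN = 4
MAX_AGE_SECONDS = 24 * 3600  # assumed freshness window for the local list

def canonical_key(url):
    """Reduce a URL to a lowercase host plus path (simplified canonicalization)."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    path = parts.path or "/"
    return host + path

def prefix_of(key):
    return hashlib.sha256(key.encode("utf-8")).digest()[:PREFIX_LEN]

def build_prefix_set(entries):
    return {prefix_of(canonical_key(e)) for e in entries}

class FraudWarningFilter:
    """Hypothetical client-side filter with an on/off toggle and a local list."""

    def __init__(self, enabled=True):
        self.enabled = enabled
        self.prefixes = None     # None means no blacklist was ever downloaded
        self.fetched_at = None   # epoch seconds of the last successful download

    def load_blocklist(self, entries, now):
        self.prefixes = build_prefix_set(entries)
        self.fetched_at = now

    def check(self, url, now):
        """Return 'disabled', 'no-list', 'stale-list', 'blocked' or 'allowed'.

        To the user, 'no-list' and 'allowed' look identical (no warning), which
        is exactly how a toggled-on filter can protect nothing.
        """
        if not self.enabled:
            return "disabled"
        if self.prefixes is None:
            return "no-list"
        if prefix_of(canonical_key(url)) in self.prefixes:
            return "blocked"  # an old list is still worth honouring on a hit
        if now - self.fetched_at > MAX_AGE_SECONDS:
            return "stale-list"
        return "allowed"
```

A client that surfaces the "no-list" and "stale-list" states (even just in diagnostics) lets a tester tell a broken feature from an undelivered update, which is the distinction the updates above had to work out by trial and error.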

If you identify phishing sites blocked by the iPhone OS 3.1 software, please post the link to the blog comments. If you work for Apple, please comment on why you went with watered down phishing protection on the iPhone.

- michael

4 comments:

Robert Xiao said...

The very first one on the list, www.citibanking.ru, is blocked. Furthermore, clicking the "about" link on the message brings up Google's help page on Suspicious results and strange behavior: Phishing attacks.

Michael Sutton said...

Robert - Thanks for passing that along. I agree that the site is being blocked. Interestingly, sites that I'd yesterday confirmed to be blocked by Safari for OS X, but not by Mobile Safari (e.g. http://friendsterlog.tk/) are now being blocked. The crew at the Mac Security Blog (http://blog.intego.com/) yesterday saw similar behavior with the same site being blocked for some and not for others. One has to wonder if the issue is with Apple servers deploying the blacklists as opposed to the feature itself.

Robert Xiao said...

That could well be the case. It is clear that MobileSafari is using Google SafeBrowsing now, because clicking on the "Report an error" link gives this page (Safari's warning page)

So, I'd say that MobileSafari's phishing protection works just fine from my perspective.

Lambo said...

"...but none *WAS* blocked by Safari Mobile."

(fixed that for ya)