TY - GEN
T1 - Hindsight
T2 - 24th ACM SIGSAC Conference on Computer and Communications Security, CCS 2017
AU - Luo, Meng
AU - Starov, Oleksii
AU - Honarmand, Nima
AU - Nikiforakis, Nick
N1 - Publisher Copyright:
© 2017 author(s).
PY - 2017/10/30
Y1 - 2017/10/30
N2 - Much of recent research on mobile security has focused on malicious applications. Although mobile devices have powerful browsers that are commonly used by users and are vulnerable to at least as many attacks as their desktop counterparts, mobile web security has not received the attention that it deserves from the community. In particular, there is no longitudinal study that investigates the evolution of mobile browser vulnerabilities over the diverse set of browsers that are available out there. In this paper, we undertake the. rst such study, focusing on UI vulnerabilities among mobile browsers. We investigate and quantify vulnerabilities to 27 UI-related attacks-compiled from previous work and augmented with new variations of our own-across 128 browser families and 2,324 individual browser versions spanning a period of more than 5 years. In the process, we collect an extensive dataset of browser versions, old and new, from multiple sources. We also design and implement a browser-agnostic testing framework, called Hindsight, to automatically expose browsers to attacks and evaluate their vulnerabilities. We use Hindsight to conduct the tens of thousands of individual attacks that were needed for this study. We discover that 98.6% of the tested browsers are vulnerable to at least one of our attacks and that the average mobile web browser is becoming less secure with each passing year. Overall, our. ndings support the conclusion that mobile web security has been ignored by the community and must receive more attention.
AB - Much of recent research on mobile security has focused on malicious applications. Although mobile devices have powerful browsers that are commonly used by users and are vulnerable to at least as many attacks as their desktop counterparts, mobile web security has not received the attention that it deserves from the community. In particular, there is no longitudinal study that investigates the evolution of mobile browser vulnerabilities over the diverse set of browsers that are available out there. In this paper, we undertake the. rst such study, focusing on UI vulnerabilities among mobile browsers. We investigate and quantify vulnerabilities to 27 UI-related attacks-compiled from previous work and augmented with new variations of our own-across 128 browser families and 2,324 individual browser versions spanning a period of more than 5 years. In the process, we collect an extensive dataset of browser versions, old and new, from multiple sources. We also design and implement a browser-agnostic testing framework, called Hindsight, to automatically expose browsers to attacks and evaluate their vulnerabilities. We use Hindsight to conduct the tens of thousands of individual attacks that were needed for this study. We discover that 98.6% of the tested browsers are vulnerable to at least one of our attacks and that the average mobile web browser is becoming less secure with each passing year. Overall, our. ndings support the conclusion that mobile web security has been ignored by the community and must receive more attention.
KW - Hindsight
KW - Mobile Browser Security
KW - Phishing Attacks
KW - User Interface
KW - Vulnerability Testing
UR - https://www.scopus.com/pages/publications/85041431061
U2 - 10.1145/3133956.3133987
DO - 10.1145/3133956.3133987
M3 - Conference contribution
AN - SCOPUS:85041431061
T3 - Proceedings of the ACM Conference on Computer and Communications Security
SP - 149
EP - 162
BT - CCS 2017 - Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security
PB - Association for Computing Machinery
Y2 - 30 October 2017 through 3 November 2017
ER -