Apple's iOS is vulnerable to web attacks that allow malicious websites to masquerade as trusted pages maintained by banks, stores, and other sensitive organizations, a researcher said on Monday. The weakness stems from the ability of web developers to display pages on iPhones that push the address bar out of view, researcher …
Sounds like a no-win to me.
You NEED to be able to withdraw the address bar because of the iPhone's limited viewing size; otherwise, there's so little space as to be impractical (the iPad tags along because of the common OS).
So how do you PROVE a site is authentic in an environment where the OS has to hide itself out of necessity? And you can't rely on outside contact because people may not have access to it (or it costs them money each time, in the case of many SMS). And furthermore, how can you produce a security element that miscreants can't eventually replicate on their malware sites (as seen here)?
PS. And alternative browsers are no safe haven, either. Since Browser ID is a trivial thing to pick up, the malware can be tuned to whatever ID tag is presented and present whatever false facade, indicator icons, etc. are needed.
So, we can either all be forced to squeeze our content into the 10pixel high space that remains after we're forced to have a thousand and one checks, warnings and alerts showing in our browsers...
... or people could just follow the simple advice that has been repeated millions of times over the past several years and not follow links from emails (or facebook, or twitter, or anywhere else) to get to your bank's website!
Frankly, if people are going to click on the emails which say "update your bank login details by clicking this link", they're unlikely to be the kind of person who takes any notice of what the address bar says.
Not safe, either.
Perfectly legitimate sites, even banks and even ones where you type in the URL, can be hit with drive-bys. Could make things hard for banks with no brick & mortar presence where you live.
The address bar on Android gets pushed off the top of the screen automatically on a lot of sites.
Android is like the Pope, Andrones are the good catholics. We all know Android is infallible.
On this "exploit", there are not many options other than ensuring that the bar is always visible, which would be irritating. Lets be honest many people take no notice when they follow in a normal browser where there are lots of warnings. Social engineering is easier than hacking the device and this is an example of what is already out there.
Re: Android too?
In my experience it doesn't (at least on an HTC Desire) - you have to scroll down manually before the address bar is scrolled off the top of the screen.
two more similar vulnerabilities...
and androgiuns will rejoice!
...what about Mini?
Current implementation is a bit ropy
I suppose it's technically possible to test (on a phone), to check if the image at the top of the webpage is similar to the browser chrome, seems it would be easier to just allow users to customise the chrome by changing the colour cast or adding a unique motif though.
Aye: A relatively easy problem to solve from a UI Perspective
The page would have to load pretty fast not to see the main safari chrome AND the Phishers implementation.
On Iphone 4/Ipod Touch it would be quite obvious: Web graphics look terrible on a 360dpi screen!
However I think that the solution here is more feedback to the user of the url, some kind of subtle transparent slide in bar that shows the url, until the user interacts with the screen would help.
it would spoil the imemersed experience that Iphone web apps designers have gone for but it would work.
Could the banks possibly do this on the server side using ajax/something else?
Im not security or dev guy but can see how this can be solved in numerous ways from an interaction design/Ui viewpoint.
Rather that a fixed image, make the fake address bar and Google search form fields. If anything is entered, redirect the user to that site. Since it behaves normally, people will be even less likely to notice that it's not real.
Who follows links in emails?
If you follow links sent to you in email you're probably going to get suckered.
If people write scripts to flood the fake sites with false information then the phishers will have way too much information to get through, it may even crash their system when the disk gets full.
Wouldn't work on my iPhone...
...because I use Bing rather than Google as the search engine. So even if I was too stupid not to notice that the page was behaving differently in terms of the URL bar, the fact it showed "Google" in teh search box would be a dead giveaway.
Yet another good reason not to use Google, albeit an unexpected one :-)
"Dhanjani said he alerted members of Apple's security team to the threat and they indicated they weren't likely to make changes anytime soon"
"Dhanjani said he alerted members of Apple's security team to the threat , who in turn spoke to the PR department. they they indicated they weren't likely to make changes anytime soon as Apple do not make vulnerable devices and it may spoil the public image."
...I call Bears in woods defecation on that one.
If you're stupid enough to respond to these emails/websites, even after they're so well publicised, you need your internet access taken away from you.
It's been said a million times - it's almost impossible to secure a system, when the weakest point is the human *actively choosing* to compromise their machine.
There's an App for that
Have the banks release an app that on an un-jailbroken phone will open a dedicated custom browser session to the bank website (not redirect to Safari etc).
Then have a disclaimer saying. If you are using an iOS device to access this site then please use our <appstore_link>app</appstore_link> to use online banking.
That and some common sense.... job done.
Further to my previous post...
Apple could amend the safari browser to display the padlock symbol in the status bar at the top (next to battery symbol for example).
then they can just use httpS://phisherbank.com/, thereby showing the padlock symbol, combined with the fake address bar... wouldn't really help?
It's obvious really
I got a phone call yesterday purporting to be from my energy supplier, quite likely genuine but no way of telling. They wanted my gas and electricity meter readings over the phone. I told them no, I would do it through the website. It was also strange because they usually email me to ask for readings and are good at not putting links in their emails, they just tell you to go the website.
Considering the tactics of other suppliers who knock on my door it could well have been a sales call from another company.
Your energy company emails you (or calls you in this case) to read the meter for them? Lazy bastards - tell them to come and look for themselves (or lie).
There are tariffs in the UK where the consumer pays less if they agree to read their own meters.
yes, much cheaper to read your own meter
it's 10KWh more than last time... yes i know the last reading was 6 months ago... i switched to energy efficient light bulbs and servers ;)
"they weren't likely to make changes anytime soon"
That's because their guru is out in the perfumed garden with his head in the sandbox pretending the world is perfect.
And they think fruit machines are secure enough for business? Bush, the saviour of Iraq, uses fruit products, which should be warning enough.
How about having the address bar be partially hidden and slide out when you click/drag it? Maybe just 5-10px showing?
That way it doesn't disappear completely when you scroll and can't be replaced in the same manner as this case. I guess maybe a click/drag event handler in the top few px could catch any 'near misses' if your aim isn't too good, but then you would still have this bar at the top of the screen that would be realtively obvious to all but those who are having a careless moment or are in a rush etc.