Meddling Middlemen: Empirical Analysis of the Risks of Data-Saving Mobile Browsers

Brian Kondracki, Assel Aliyeva, Manuel Egele, Jason Polakis, Nick Nikiforakis
{"title":"Meddling Middlemen: Empirical Analysis of the Risks of Data-Saving Mobile Browsers","authors":"Brian Kondracki, Assel Aliyeva, Manuel Egele, Jason Polakis, Nick Nikiforakis","doi":"10.1109/SP40000.2020.00077","DOIUrl":null,"url":null,"abstract":"Mobile browsers have become one of the main mediators of our online activities. However, as web pages continue to increase in size and streaming media on-the-go has become commonplace, mobile data plan constraints remain a significant concern for users. As a result, data-saving features can be a differentiating factor when selecting a mobile browser. In this paper, we present a comprehensive exploration of the security and privacy threat that data-saving functionality presents to users. We conduct the first analysis of Android’s data-saving browser (DSB) ecosystem across multiple dimensions, including the characteristics of the various browsers’ infrastructure, their application and protocol-level behavior, and their effect on users’ browsing experience. Our research unequivocally demonstrates that enabling data-saving functionality in major browsers results in significant degradation of the user’s security posture by introducing severe vulnerabilities that are not otherwise present in the browser during normal operation. In summary, our experiments show that enabling data savings exposes users to (i) proxy servers running outdated software, (ii) man-in-the-middle attacks due to problematic validation of TLS certificates, (iii) weakened TLS cipher suite selection, (iv) lack of support of security headers like HSTS, and (v) a higher likelihood of being labelled as bots. While the discovered issues can be addressed, we argue that data-saving functionality presents inherent risks in an increasingly-encrypted Web, and users should be alerted of the critical savings-vs-security trade-off that they implicitly accept every time they enable such functionality.","PeriodicalId":6849,"journal":{"name":"2020 IEEE Symposium on Security and Privacy (SP)","volume":"15 1","pages":"810-824"},"PeriodicalIF":0.0000,"publicationDate":"2020-05-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"12","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2020 IEEE Symposium on Security and Privacy (SP)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/SP40000.2020.00077","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 12

Abstract

Mobile browsers have become one of the main mediators of our online activities. However, as web pages continue to increase in size and streaming media on-the-go has become commonplace, mobile data plan constraints remain a significant concern for users. As a result, data-saving features can be a differentiating factor when selecting a mobile browser. In this paper, we present a comprehensive exploration of the security and privacy threat that data-saving functionality presents to users. We conduct the first analysis of Android’s data-saving browser (DSB) ecosystem across multiple dimensions, including the characteristics of the various browsers’ infrastructure, their application and protocol-level behavior, and their effect on users’ browsing experience. Our research unequivocally demonstrates that enabling data-saving functionality in major browsers results in significant degradation of the user’s security posture by introducing severe vulnerabilities that are not otherwise present in the browser during normal operation. In summary, our experiments show that enabling data savings exposes users to (i) proxy servers running outdated software, (ii) man-in-the-middle attacks due to problematic validation of TLS certificates, (iii) weakened TLS cipher suite selection, (iv) lack of support of security headers like HSTS, and (v) a higher likelihood of being labelled as bots. While the discovered issues can be addressed, we argue that data-saving functionality presents inherent risks in an increasingly-encrypted Web, and users should be alerted of the critical savings-vs-security trade-off that they implicitly accept every time they enable such functionality.
干预中间商:节省数据的移动浏览器风险的实证分析
移动浏览器已经成为我们在线活动的主要媒介之一。然而,随着网页规模的不断扩大和流动媒体的普及,移动数据计划的限制仍然是用户关注的重要问题。因此,在选择移动浏览器时,数据保存功能可能是一个区分因素。在本文中,我们全面探讨了数据保存功能给用户带来的安全和隐私威胁。我们从多个维度对Android的数据保存浏览器(DSB)生态系统进行了首次分析,包括各种浏览器的基础设施特征、应用程序和协议级行为,以及它们对用户浏览体验的影响。我们的研究明确表明,在主流浏览器中启用数据保存功能会导致用户的安全状况显著下降,因为它会引入浏览器在正常操作期间不会出现的严重漏洞。总之,我们的实验表明,启用数据保存会使用户暴露于(i)运行过时软件的代理服务器,(ii)由于TLS证书验证有问题而导致的中间人攻击,(iii)削弱TLS密码套件选择,(iv)缺乏对HSTS等安全标头的支持,以及(v)被标记为机器人的可能性更高。虽然发现的问题可以解决,但我们认为数据保存功能在日益加密的Web中存在固有的风险,并且应该提醒用户注意每次启用此类功能时他们隐含地接受的关键的节省与安全权衡。
本文章由计算机程序翻译,如有差异,请以英文原文为准。
求助全文
约1分钟内获得全文 求助全文
来源期刊
自引率
0.00%
发文量
0
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
确定
请完成安全验证×
copy
已复制链接
快去分享给好友吧!
我知道了
右上角分享
点击右上角分享
0
联系我们:info@booksci.cn Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。 Copyright © 2023 布克学术 All rights reserved.
京ICP备2023020795号-1
ghs 京公网安备 11010802042870号
Book学术文献互助
Book学术文献互助群
群 号:481959085
Book学术官方微信