The issue of mobile security has IT professionals reconsidering the weaknesses inherent in Web browsers.
Browsers in mobile devices are inherently less secure than their laptop or full-size PC brethren because they are smaller and depend on other technologies to help secure the Web application. This makes the security issues common to all browsers stand out even more -- and puts the different approaches to protecting browsers under closer scrutiny.
Chrome, for example, has a sophisticated sandbox in which the user can run their browser application. That’s the good news. The bad news: A teenage hacker who goes by the name Pinkie Pie was awarded $60,000 by Google in May for showing how the Chrome sandbox can be defeated. Hopefully, Google will have a fix for that vulnerability soon, but it demonstrates how even modern browsers are susceptible to attack.
Incidentally, Pinkie Pie did it again earlier this month at the Hack in the Box 2012 security conference in Kuala Lumpur. This time, the hacker compromised Chrome’s renderer process, again taking home a $60,000 prize.
Another approach to securing a corporate browser session (as opposed to a single user with limited IT resources) is to run each session on a virtual server that lives somewhere within a company’s infrastructure, or in the cloud. A company need not virtualize every desktop or mobile device, but simply virtualize the single application. Fully rendered pages, complete with cascading style sheets, JavaScript, HTML, pictures, and database access, can be delivered directly to the user’s device.
The benefit here is that the session runs on a virtual machine, so once the session is over and the VM is turned off, everything, including that user’s immediate history, passwords, and any malware or virus picked up during the session, disappears with the VM. However, let no good deed go unpunished: There is a downside to this approach, and that downside is exemplified by Amazon’s Kindle Fire and the Silk browser.
With the Kindle, Amazon does all of the heavy lifting of the Web browser in the cloud. The cloud provider then sends the results of the page to the tablet in a data stream. It's not unlike how file servers work with dumb terminals -- processing is done remotely and then sent to the device. However, here’s the kink: All of the tablet user’s activity -- every site they visit, how long they look at each page, every click they make, and every activity they take -- becomes Amazon’s property, which can be repackaged and monetized by Amazon.
While the data might be anonymized by Amazon in the repackaging, it still exists, and can be traced back to a given device. Your device.
In a letter last year from Rep. Ed Markey (D-MA) to Amazon CEO Jeff Bezos, Markey wrote: "By coupling the Fire with Silk, Amazon can essentially track each and every Web click of its customers. Amazon will know where people shop, what items they buy, when they buy them, and how much they pay." This is a potentially significant breach of the user’s privacy.
Paul Misener, Amazon’s vice president for global public policy, told Markey that secure communications using the Secure Sockets Layer (SSL) go directly from the Fire to the server of the company providing the secure service, such as a bank or PayPal, and do not pass through Amazon’s servers. He notes that users’ passwords and log-in information are safe and are not retained on Amazon’s servers. But his reply did not satisfy the concerned Congressman.
“Consumers may buy the new Kindle Fire to read ‘1984,’ but they may not realize that the tablet’s ‘Big Browser’ may be watching their every keystroke when they are online,” Markey said in a statement.
Texas Republican Rep. Joe Barton also expressed concern over the Silk browser’s split design. Barton is a cosponsor of Markey’s Do Not Track Kids Act of 2011 (HR 1895), which is currently in the House Subcommittee on Commerce, Manufacturing, and Trade. No action has been taken on the bill since early this year.
These are concerns that vendors will need to address. Experts agree: Browsers are the number one application on mobile devices. Protecting users’ security should be the browser suppliers’ number one concern.
— Stephen Lawton is a longtime technology journalist and industry pundit.