Anti-phishing protection on the Apple iPhone OS 3.0 has been criticised for being ineffective.
Michael Sutton, VP of security research at Zscaler, claimed that while functionality such as phishing and malicious URL blacklists is now commonplace in desktop web browsers, their mobile counterparts have virtually no security controls whatsoever.
Following the launch of iPhone OS 3.1, and having been encouraged by the previous version, Sutton noted that there is now a security section with a fraud warning option. The option is on by default, and with it selected the user will be ‘warn[ed] when visiting fraudulent websites’.
However, Sutton claimed that while this sounds great, the problem is that it does not work. He said: “Apple's Safari web browser leverages Google's SafeBrowsing initiative to block both malicious URLs and phishing sites. Not so for mobile Safari on the iPhone. Apple has chosen to only target phishing sites on the iPhone.
“While Apple would likely argue that malicious content on websites targets browser-specific vulnerabilities, that is not much of an argument. Attacks that I refer to as naked browser attacks, such as cross-site scripting, cross-site request forgery and clickjacking, don't discriminate - they impact all browsers equally.
“Moreover, past Apple vulnerabilities suggest that there is no shortage of code sharing between the iPhone OS and OS X. After all, the initial iPhone jailbreaks leveraged a known vulnerable TIFF rendering library. Beyond this, the phishing protection on the iPhone is ineffective.”
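Sutton's point turns on the fact that Safari on the desktop consults the Google Safe Browsing lists before rendering a page. The script below is an added example, not code from the article, Apple, Zscaler or Google, showing how such a client decides whether a URL deserves a warning: it canonicalises the URL, expands it into the host-suffix and path-prefix expressions the Safe Browsing scheme hashes, and compares 4-byte SHA-256 prefixes against a local list, confirming any hit against the full hash. The canonicalisation is simplified (no numeric-IP normalisation), and the blocklist, the `phish.example.net` site and the sample URLs are constructed inline so it runs offline; a real client downloads the prefix lists and fetches full hashes from the service, which is not shown.

```python
"""Safe Browsing-style URL check (added example; not the article's, Apple's,
Zscaler's or Google's code). Expression and hash-prefix rules follow Google's
published Safe Browsing lookup scheme with simplified canonicalisation; the
blocklist is constructed inline from a made-up URL so the script runs offline."""
import hashlib
import re
from urllib.parse import unquote, urlsplit


def _unescape(s: str) -> str:
    """Percent-decode repeatedly until stable, so double-encoding cannot evade the list."""
    while True:
        d = unquote(s)
        if d == s:
            return d
        s = d


def _escape(s: str) -> str:
    """Percent-encode bytes <= 0x20, >= 0x7F, '#' and '%' as the scheme requires."""
    return "".join(chr(b) if 0x20 < b < 0x7F and chr(b) not in "#%" else "%%%02X" % b
                   for b in s.encode("utf-8"))


def canonicalize(url: str) -> tuple[str, str, str]:
    """Return (host, path, query) in the canonical form that gets hashed."""
    url = re.sub(r"[\t\r\n]", "", url.strip()).split("#", 1)[0]   # strip whitespace, drop fragment
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    host = _unescape(parts.hostname or "").strip(".")            # .hostname is already lowercased
    host = re.sub(r"\.{2,}", ".", host)
    raw = _unescape(parts.path or "/")
    segs: list[str] = []
    for seg in raw.split("/"):               # resolve "/./" and "/../", collapse "//"
        if seg in ("", "."):
            continue
        if seg == "..":
            if segs:
                segs.pop()
        else:
            segs.append(seg)
    trailing = raw.endswith(("/", "/.", "/.."))
    path = "/" + "/".join(segs) + ("/" if segs and trailing else "")
    return host, _escape(path), _escape(_unescape(parts.query))


def host_suffixes(host: str) -> list[str]:
    """Exact host plus up to four suffixes built from its last five labels, never the bare TLD."""
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        return [host]                        # IP literals get no suffixes
    tail = host.split(".")[-5:]
    out = [host]
    for i in range(len(tail) - 1):
        cand = ".".join(tail[i:])
        if cand != host:
            out.append(cand)
    return out


def path_prefixes(path: str, query: str) -> list[str]:
    """Exact path with and without query, then '/' and up to three directory prefixes."""
    out = [path + "?" + query] if query else []
    out.append(path)
    comps = [c for c in path.split("/") if c]
    dirs = comps if path.endswith("/") else comps[:-1]
    for n in range(min(len(dirs), 3) + 1):
        out.append("/" + "".join(d + "/" for d in dirs[:n]))
    return list(dict.fromkeys(out))          # de-duplicate, keep order


def expressions(url: str) -> list[str]:
    """All host/path combinations the client hashes for one URL (at most 5 x 6 = 30)."""
    host, path, query = canonicalize(url)
    return [h + p for h in host_suffixes(host) for p in path_prefixes(path, query)]


def _full(expr: str) -> bytes:
    return hashlib.sha256(expr.encode("utf-8")).digest()


# Constructed blocklist: one listed expression for a made-up phishing site, stored the
# way a client stores it (4-byte prefixes) plus the full hash a real client would fetch
# from the service to confirm a prefix hit.
LISTED = ["phish.example.net/login/"]
BLOCKLIST_PREFIXES = {_full(e)[:4] for e in LISTED}
BLOCKLIST_FULL = {_full(e) for e in LISTED}


def check_url(url: str, prefixes=BLOCKLIST_PREFIXES, full_hashes=BLOCKLIST_FULL):
    """Return the listed expression that matches the URL, or None if no warning is due."""
    for expr in expressions(url):
        digest = _full(expr)
        # A prefix hit alone is not a verdict; only the matching full hash confirms it.
        if digest[:4] in prefixes and digest in full_hashes:
            return expr
    return None


if __name__ == "__main__":
    for u in ("http://www.phish.example.net/login/verify.php?acct=1",
              "http://phish.example.net/about",
              "https://www.example.com/"):
        print(u, "->", check_url(u) or "not listed")
```

The granularity matters for the kind of test Sutton describes: a listing of `phish.example.net/login/` catches the credential form under any `www.` prefix or query string, but not an unrelated page on the same host, so a browser that consults the list will block some PhishTank-validated URLs and pass others, while one that never consults it blocks nothing at all.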
He later claimed that, having tested a variety of online/validated phishing sites identified by PhishTank, he found they were generally blocked by desktop Safari, but none were blocked by Mobile Safari.
“In fact, I have yet to identify a single phishing page blocked on the iPhone. What's clear here is that the functionality for the iPhone is not equivalent to what is being employed by OS X. Why? Apple touts Mobile Safari as the killer app that finally makes surfing the web on a mobile device a realistic proposition and the numbers back up that claim. Surely I can be phished on the iPhone just as I can fall victim browsing the web on my laptop,” said Sutton.