The newest update to the iPhone (OS 3.1) is being marketed with the mention of anti-Phishing protections. However, one researcher discovered that while Safari, when used on OS X, offers some decent Phishing protection, Safari Mobile, used on OS 3.1 for the iPhone, offered no Phishing protection at all.
Newest iPhone update lacks Phishing protection as advertised. (IMG: Apple)
According to Apple, the new iPhone OS 3.1 will warn you, “when visiting fraudulent websites in Safari (anti-phishing).”
However, when SaaS security vendor Zscaler’s Vice President of Security Research, Michael Sutton, tested the anti-Phishing features of OS 3.1 on the iPhone, he found them ineffective.
“I've tested a variety of online/validated [PhishTank CSV File] phishing sites from PhishTank. They were generally blocked by Safari, but none were blocked by Safari Mobile. In fact, I have yet to identify a single phishing page blocked on the iPhone.”
“What's clear here is that the functionality for the iPhone is not equivalent to what is being employed by OS X. Surely I can be phished on the iPhone just as I can fall victim browsing the web on my laptop,” Sutton commented on the Zscaler research blog.
That may be true, but some people think otherwise. According to a survey of 1,000 smartphone and iPhone users conducted by Trend Micro in August, 44 percent said that surfing the Internet on their phone is just as safe as, if not safer than, doing so on their computers. However, 20 percent of those who talked to Trend Micro admitted that they have seen Phishing-related email, so it does happen.
In his post, Sutton asked readers to comment if they came across a Phishing site that Safari on OS 3.1 actually blocked, and asked someone from Apple to explain why the Phishing coverage on the iPhone is watered down. At the time this article went to press, there were no comments. The Tech Herald emailed Apple for comments, and if we hear back from them, we will update this story.
The anti-Phishing measures in Safari use Google’s SafeBrowsing initiative, which blocks both Phishing domains and domains that are malicious by nature (malware distribution). Yet, according to Sutton, only the Phishing protection is offered on Safari Mobile.
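The SafeBrowsing mechanism referred to above is a local hash-prefix lookup: the browser canonicalizes the URL, expands it into host-suffix/path-prefix expressions, hashes each one, compares the hash prefixes against a downloaded list, and confirms any hit against the full hash. The Python below is an added example written for this article, not Apple’s or Google’s code; it follows the publicly documented expression rules in simplified form and uses a constructed blocklist with two made-up hostnames (phish-bank.example and drive-by.example), one listed as phishing and one as malware, the two categories the paragraph mentions.

```python
import hashlib
import ipaddress
from urllib.parse import unquote, urlsplit


def _full_hash(expr: str) -> bytes:
    """SHA-256 of a canonical 'host/path' expression."""
    return hashlib.sha256(expr.encode("utf-8")).digest()


# Constructed blocklist for this example (not real SafeBrowsing data).
# A real client stores only 4-byte prefixes locally and asks the service
# for the full hashes when a prefix matches; the two structures mimic that split.
FULL_HASHES = {
    _full_hash("phish-bank.example/login/"): "SOCIAL_ENGINEERING",  # phishing entry
    _full_hash("drive-by.example/"): "MALWARE",                    # malicious site entry
}
LOCAL_PREFIXES = {h[:4] for h in FULL_HASHES}  # what a client keeps on disk


def _canon_path(path: str) -> str:
    """Collapse '.', '..' and repeated slashes; keep a trailing slash if present."""
    segs = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segs:
                segs.pop()
            continue
        segs.append(seg)
    canon = "/" + "/".join(segs)
    if segs and path.endswith("/"):
        canon += "/"
    return canon


def canonicalize(url: str):
    """Return (host, path, query) in the simplified SafeBrowsing canonical form."""
    if "://" not in url:
        url = "http://" + url
    url = url.split("#", 1)[0]  # the fragment never takes part in the lookup
    for _ in range(5):  # repeatedly percent-decode: phishing URLs are often double-encoded
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    parts = urlsplit(url)
    host = (parts.hostname or "").strip(".").lower()
    while ".." in host:
        host = host.replace("..", ".")
    return host, _canon_path(parts.path), parts.query


def _host_suffixes(host: str):
    """Exact host plus up to four parent domains, never the bare TLD; IPs are not expanded."""
    try:
        ipaddress.ip_address(host)
        return [host]
    except ValueError:
        pass
    tail = host.split(".")[-5:]  # at most the last five components
    out = [host]
    for i in range(len(tail) - 1):
        cand = ".".join(tail[i:])
        if cand != host:
            out.append(cand)
    return out


def _path_prefixes(path: str, query: str):
    """Exact path with and without query, then '/' and up to three directory prefixes."""
    out = []
    if query:
        out.append(path + "?" + query)
    out.append(path)
    dirs = path.split("/")[1:-1]  # directory components, excluding the final segment
    out.append("/")
    for i in range(min(len(dirs), 3)):
        out.append("/" + "/".join(dirs[: i + 1]) + "/")
    return list(dict.fromkeys(out))


def expressions(url: str):
    """Every host-suffix/path-prefix combination the lookup must hash."""
    host, path, query = canonicalize(url)
    if not host:
        return []
    exprs = [h + p for h in _host_suffixes(host) for p in _path_prefixes(path, query)]
    return list(dict.fromkeys(exprs))


def check_url(url: str):
    """Return the threat category for a listed URL, or None if nothing matches."""
    for expr in expressions(url):
        h = _full_hash(expr)
        if h[:4] in LOCAL_PREFIXES:  # cheap local prefix check first
            category = FULL_HASHES.get(h)  # stands in for the full-hash round trip
            if category:
                return category
    return None


if __name__ == "__main__":
    for u in ("http://sub.phish-bank.example/login/index.php?x=1",
              "https://drive-by.example/anything/here.html",
              "http://www.phish-bank.example/about"):
        print(u, "->", check_url(u))
```

Testing a browser the way Sutton did amounts to pushing known-listed URLs through this path and looking for a verdict; a client that never reaches the lookup, or that loads only one of the two lists, returns nothing for pages the desktop browser blocks.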
“While Apple would likely argue that malicious content on web sites target browser specific vulnerabilities, that's not much of an argument,” Sutton wrote, pointing out that naked browser attacks, such as Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), and Clickjacking, “don't discriminate - they impact all browsers equally.”
“Moreover, past Apple vulnerabilities suggest that there is no shortage of code sharing between the iPhone OS and OS X. After all, the initial iPhone jailbreaks leveraged a known vulnerable TIFF rendering library,” he added.
As mentioned, we will keep up with this story, and if we hear back from Apple we will update with their comments.
Related to the release of the 3.1 software are the security fixes that came with it. While Sutton discovered an apparent flaw in the anti-Phishing feature, Apple patched 10 vulnerabilities in OS 3.1 and 3.1.1 for the iPhone and iPod Touch. The details on the security patches are here.