Apple have been criticised by security researchers who have described anti-phishing measures on the iPhone as “ineffective”.
Michael Sutton, vice president of security researcher Zscaler claimed that functionality found in the majority of web browsers, as well as most antivirus software packages, to protect users from phishing attacks was missing from the iPhone browser, despite a recent security update.
It is claimed that whilst the latest version of the iPhone software, version OS 3.1, comes with anti phishing measures that warn users when they come across a suspicious site, the feature failed to adequately warn researchers about known malicious websites. Researchers claimed that such sites were however blocked by the PC version of the Safari browser, the browser installed by default on the iPhone.
Sutton claimed that whilst the anti phishing measures are a welcome addition to the iPhone OS, the features simply do not work.
“Apple’s Safari web browser leverages Google’s SafeBrowsing initiative to block both malicious URLs and phishing sites,” said Sutton. “Not so for mobile Safari on the iPhone. Apple has only chosen to only target phishing sites on the iPhone.
“While Apple would likely argue that malicious content on websites target browser specific vulnerabilities, that is not much of an argument. Attacks that I refer to as naked browser attacks such as cross-site scripting, cross-site request forgery and clickjacking don’t discriminate – they impact all browsers equally.
“Moreover, past Apple vulnerabilities suggest that there is no shortage of code sharing between the iPhone OS and OS X. After all, the initial iPhone jailbreaks leveraged a known vulnerable TIFF rendering library. Beyond this, the phishing protection on the iPhone is ineffective.”
Sutton later claimed that having tested a variety of online/validated phishing sites that were identified by PhishTank, they were generally blocked by Safari but none were blocked by Safari Mobile.
“In fact, I have yet to identify a single phishing page blocked on the iPhone. What’s clear here is that the functionality for the iPhone is not equivalent to what is being employed by OS X. Why? Apple touts Mobile Safari as the killer app that finally makes surfing the web on a mobile device a realistic proposition and the numbers back up that claim. Surely I can be phished on the iPhone just as I can fall victim browsing the web on my laptop,” he questioned.
