The iPhone's new defense — meant to prevent users from reaching phishing sites — is inconsistent at best, a security researcher said today, with some users getting warnings about dangerous links, while others are allowed to blithely surf to criminal URLs.
Other experts said that the fickle feature is worse than no defense at all.
Apple quietly added an anti-fraud feature to the iPhone's Safari browser with the update to iPhone 3.1, released Wednesday. But according to Michael Sutton, the vice president of security research at Sunnyvale, Calif.-based Zscaler, the new protection is “clearly having issues.”
At first, said Sutton, the anti-phishing feature was simply not working. “It was blocking nothing,” Sutton claimed after testing iPhone 3.1's new tool Wednesday against a list of known fraudulent sites. By Thursday, things had improved, but just barely. “Yesterday, it started blocking some sites, for some users, but it was inconsistent. Some sites are being blocked, others are not.”
That led Sutton to believe that the feature's functionality wasn't the issue, but how Apple updates users with a “blacklist” of malicious sites. Apple relies on Google's SafeBrowsing API (application programming interface) for the underlying data used to build anti-phishing and anti-malware blocking lists for the desktop edition of its Safari browser. Other browser makers, including Google and Mozilla, also use SafeBrowsing.
“It appears some iPhones are getting timely updates [from Apple], but others are not, or are getting different [block list] feeds,” Sutton said. “I'm feeling better about the feature than I was Wednesday, but clearly Apple is still have issues. With the [media] coverage of the problem, maybe they're resolving it, or trying to.”
On Thursday, researchers at Intego, a Mac-only antivirus vendor, echoed Sutton's findings.
“This feature should warn users that they may be visiting a known malicious Web site and ask if they wish to continue,” said Peter James, a spokesman for Intego who writes the company's Mac security blog. “However, we have extensively tested this feature, tossing dozens of phishing URLs at it, and it simply does not seem to work. URLs that are blocked by Safari in Mac OS X open and direct users to malicious pages [on the iPhone].”
Like Sutton, James reported inconsistencies in the anti-fraud feature's effectiveness. “All we've come up with is that sometimes it works and sometimes it doesn't,” said James. “This is clearly more dangerous than no protection at all, because if users think they are protected, they are less careful about which links they click.”
The new feature is turned on by default in iPhone 3.1; the option to turn it off is in Settings/Safari/Security, and is listed as “Fraud Warning.”
Sutton, although willing to concede that Apple overall is improving its security track record, bemoaned the state of mobile security in general, and the iPhone's in particular.
“The greater concern to me is that we're making the same mistakes in mobile that we made on the desktop,” he said. “On the desktop, security has gotten slowly better, but [with mobile] we have a fresh start. I would have thought we would have learned from our mistakes, but there's virtually no protection in mobile browsers.”
According to research conducted by NSS Labs, which was hired by Microsoft to benchmark different desktop browsers' ability to block malware-laden sites, Safari in Mac OS X and Windows blocked only one-in-five malicious sites. Internet Explorer and Firefox, meanwhile, blocked 80% and 27%, respectively. Google's Chrome blocked a paltry 7% of the sites.
Last month, NSS Labs attributed the disparities between Firefox, Safari and Google — all which use SafeBrowsing as the basis for their blacklists, to differences in how each browser tweaked, then applied, the lists.