iPhone's anti-phishing protection offers inconsistent results

iPhone's anti-phishing protection offers inconsistent results

Summary: Apple's iPhone OS 3.1 update includes a new fraud warning feature which is at least theoretically, supposed to warn users when visiting fraudulent websites in Safari Mobile.

SHARE:

Apple's iPhone OS 3.1 update includes a new fraud warning feature which is at least theoretically, supposed to warn users when visiting fraudulent websites in Safari Mobile.

However, due to a flawed implementation in the update mechanism, the feature -- enabled by default -- is offering inconsistent results based on the tests performed by security company Intego, and security researcher Michael Sutton from Zscaler, whose posts basically state that "it simply doesn't work".

Here's how they tested the feature:

The tests were conducted by pulling data of valid phishing sites from the Phishtank, and attempting to visit these sites in Safari and Safari Mobile, which resulted in their successful detection in Safari, but didn't trigger a warning when visiting the same sites on the iPhone's Safari Mobile.

The cause for these inconsistent results appears to be a flawed update mechanism, lacking any transparent way of communicating when was the last time an update took place, as well as a built-in "valid time" interval indicating that an outdated anti-phishing database is in use.

A few minutes ago, Intego posted an update to the original post in regard to the varying results:

We’ve had a number of people test this, and some people get warnings for sites that others can load just fine. We’ve tried isolating locations, iPhone/iPod touch models, and whether they are connecting over a cell network or via wifi, but all we’ve come up with is that sometimes it works and sometimes it doesn’t. This is clearly more dangerous than no protection at all, because if users think they are protected, they are less careful about which links they click.

The company makes a good point, however, there are several more issues to consider. For instance, in comparison to Safari Mobile's fraud warning feature and its lack of transparency into the update mechanism, a commercial iPhone app called Site Check is utilizing the SafeBrowsing API in between offering a transparent way of knowing the last time a database update took place, with the option to manually pull one at any particular moment in time. This very same practice should also be implemented in the fraud warning feature.

Moreover, an assessment of the fraud warning feature at Macworld, points out that compared to Google Classic run on Safari Mobile, Google Mobile isn't showing potentially harmful and fraudulent web sites, once again leaving users with the impression that they're surfing the web and clicking on links under the umbrella of the SafeBrowsing initiative.

Transparent processes and customerization always translate into improved customer satisfaction, in this particular case, improved security as well.

Topics: Operating Systems, Apple, Enterprise Software, Hardware, iPhone, Legal, Mobility, Security, Smartphones

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

9 comments
Log in or register to join the discussion
  • But Apple says just the opposite

    [i]it simply doesn't work.[/i]

    But Apple says its stuff "Just Works". Someone isn't telling the whole truth.
    NonZealot
    • At least they're trying...

      What about IE on the Windows Mobile platform? Or Opera? Or Fennec?
      None of them provide any form of anti-phishing at all. How does the
      anti-phishing filter on a Nokia perform? Oh! It doesn't. Same old rhetoric
      from another mindless troll. As if Microsoft always tell the truth. People
      in glass houses...

      Do us all a favour and get another hobby. Knitting perhaps?
      UsernameRequired
      • silly

        Q:
        "What about IE on the Windows Mobile platform?
        Or Opera? Or Fennec?
        None of them provide any form of anti-phishing
        at all."
        A:
        This is clearly more dangerous than no
        protection at all, because if users think they
        are protected, they are less careful about
        which links they click.

        Or to put it another wat: "Do or do not, there
        is no try."
        Hagbard_Celine
      • Fail on all counts

        [i]At least they're trying...[/i]

        Are you kidding me? At least they are trying? Buddy, you need some Apple Apologist training because that was terrible.

        [i]As if Microsoft always tell the truth.[/i]

        What does Microsoft have to do with the [b]fact[/b] that Apple's latest software effort is a major fail?
        NonZealot
    • Please. Don't drag the Macbook PRO and MacPro adverts into iPhone.

      You know better. After all, you purchased a MacBook Pro 'because it just works' and 'it works better'.
      No More Microsoft Software Ever!
  • RE: iPhone's anti-phishing protection offers inconsistent results

    <delete>
    Hagbard_Celine
  • Time for retraction

    According to Mr. Sutton's site "[Update: 09-11-09 @ 4:27pm
    EST - It would appear that the wrinkles have largely been
    ironed out."
    matthew_maurice
  • ZDNet = Horrid reporting.

    Jeez! One story about someone hacking into a jailbroken iPhone using the SSH installed during the jailbreak and suddenly all this 'made up' nonsense!

    To make matters worse ZDNet regurgitates a 2 month old story for more hits! ZDNet - you are a JOKE!
    No More Microsoft Software Ever!
  • RE: iPhone's anti-phishing protection offers inconsistent results

    Great!!! thanks for sharing this information to us!
    <a href="http://www.yuregininsesi.com">seslisohbet</a> <a href="http://www.yuregininsesi.com">seslichat</a>
    birumut