Nokia 'hijacks' mobile browser traffic, decrypts HTTPS data

Summary: A security researcher has found that some Nokia phones pass secure HTTPS data through Nokia's servers, and this data is decrypted so it can be compressed, in order to reduce data bills. But, Nokia doesn't need a lesson in security -- it needs one in public relations.

TOPICS: Security, Nokia

Nokia has caused a stir by performing, in the words of one security researcher, "man in the middle attacks" in order to compress data and speed up the loading of Web pages on some of its phones.

Nokia Asha phones send secure HTTPS data to Nokia servers, says security researcher.

The Finnish phone giant has since admitted that it decrypts secure data that passes through HTTPS connections -- including social networking accounts, online banking, email and other secure sessions -- in order to compress the data and speed up the loading of Web pages.

But, Nokia says that there is nothing to worry about. 

Researcher Gaurang Pandya discovered that browser traffic from his Nokia (Series 40) "Asha" phone was being routed through Nokia's servers. This is no different to how Opera Mini works or even the BlackBerry browser, and remains popular in areas where the cell service is poor or in developing nations where cash doesn't grow on trees.

Nokia, however, goes one step further, the researcher says. A second post by Pandya, published this week, stated that Nokia was "man in the middle" attacking HTTPS traffic on its users' phones. In simple terms, HTTPS traffic was being routed through Nokia's servers, and could be accessed by Nokia in unencrypted form.

From the tests that were performed, it is evident that Nokia is performing Man In The Middle Attack for sensitive HTTPS traffic originated from their phone and hence they do have access to clear text information which could include user credentials to various sites such as social networking, banking, credit card information or anything that is sensitive in nature.

He notes that, whether it be "HTTP or HTTPS sites when browsed through the phone," Nokia has "complete information unencrypted (in clear text format) available to them for them to use or abuse."

He also noted that in Nokia's privacy statement, it states: "The URLs of such sites which you access with the Nokia Browser are stored by Nokia." However, it does point out that: "Your browsing is not associated to any personally identifiable information and we do not collect any usernames or passwords or any related information on your purchase transactions, such as your credit card number during your browsing sessions."

Nokia responded to the claims and issued a statement. The phone maker points out that this practice is solely so "users can get faster Web browsing and more value out of their data plans." After all, Nokia phones are still popular in developing countries where data is expensive and reducing one's bills is an absolute necessity. 

We take the privacy and security of our consumers and their data very seriously.

The proxy servers do not store the content of web pages visited by our users or any information they enter into them. Nokia has implemented appropriate organizational and technical measures to prevent access to private information. Claims that we would access complete unencrypted information are inaccurate.

But the phone maker also said:

When temporary decryption of HTTPS connections is required on our proxy servers, to transform and deliver users' content, it is done in a secure manner.

In other words, yes Nokia does decrypt your secure browsing data but it's not a big deal. 

The problem stands that Nokia hasn't told anyone it does this. What Nokia says in its privacy policy and what the security researcher discovered does not seem to add up. While the practice of wanting to cut down on user data bills is far from a bad thing -- Opera does this, RIM does this with BlackBerry smartphones -- these companies openly state what the process is. 

There is almost no doubt that Nokia is not doing anything improper with user or customer data. It isn't one giant nefarious scheme to harvest usernames and passwords to acquire vast amounts of money from bank accounts because the company's finances stink. (Besides, Nokia is based in Finland, a member of the EU. If Nokia were abusing user data and its customers' privacy, the European authorities would come down so hard on the company that it would -- at least in the state it is in -- bankrupt it.)

Nokia should learn from this. What it is doing isn't bad as such. If Nokia had been up-front about the whole process, there may have been rumblings from the security industry, but the company wouldn't have suffered a public relations napalm to its reputation.


Talkback

11 comments
  • No news here.

    Another attempt to bash Nokia. That so called security "researcher" should try to expose what Google collects and does with user data, because they are truly evil.
    Owlll1net
  • Doesn't tell anyone?

    "The problem stands that Nokia hasn't told anyone it does this."

    http://www.nokia.com/global/products/phone/asha302/
    "It’s got 3.5G connectivity for faster browsing, plus smart data compression to keep your costs down."

    It absolutely is telling everyone it is doing data compression. Let's look at Opera Mini:
    http://www.opera.com/mobile/features/
    "Opera Mini uses only a tenth of the bandwidth of other browsers, compressing webpages by up to 90%."

    No mention of Opera "hijacking" your data, decrypting your HTTPS, and stealing your credentials.

    Let's take a look at the browser that is always recommended whenever anyone dares suggest ios doesn't support flash:
    http://www.skyfire.com/en/for-consumers/iphone

    Nope, no mention of hijacking, stealing credentials, man-in-the-middle attacks on iphone.

    I actually agree with you, they ALL should be making it VERY clear that they are technically performing classic man-in-the-middle attacks. However, to suggest that Nokia is the only one not publicizing this is simply not true. If you want flash on your iphone, you can only do it by giving up 100% of your privacy. Please make sure you write about that next.
    toddbottom3
  • Nokia 'hijacks' mobile browser traffic, decrypts HTTPS data

    Complete non-story, quite a few mobile browsers are compressing so as not to eat into the data plan.
    Loverock-Davidson
  • What's Affected?

    Traffic encrypted between IE and a web server should be impossible for Nokia to decrypt. Isn't that the whole idea of SSL? Are they able to decrypt stuff when they can build something into the browser that gives them the keys to the encryption? In that case, does this only affect Asha phones?
    WebSiteManager
  • 1st 3 posts by Owll, Toddy, and Loverock...the Holy Trinity of pro-MS posts

    Imagine my surprise to see the speed at which these three personas (I say personas as I am yet to be convinced that they are separate people) rush to defend the hive.

    These three try to deflect criticism by saying 'everyone does this' despite the fact that the story explicitly states that Nokia takes this further... "Nokia, however, goes one step further, the researcher says. "

    I don't know how bad this is...or not. But, I am amused by the rush to post by the three Usernames that I consider at the top of my list of suspected professionals who are paid to post here by MS or its agency.
    UGottaBKidding
    • "Holy Trinity of pro-MS posts ...

      ...Imagine my surprise to see the speed at which these three personas (I say personas as I am yet to be convinced that they are separate people) rush to defend the hive."

      And how is this related to MS? We are talking here about Symbian OS (Series 40) and Nokia Browser, not Windows Phone and Internet Explorer. I don't see how this implicates MS.
      Mr.SV
      • Perhaps you're right...

        It's just odd to see the three most vehemently pro-MS (and anti-Apple and Google) Usernames leaping in so quickly to defend Nokia like this. Perhaps they felt the need because of the close brand tie with the Nokia Lumia 920 being a Windows 8 phone flagship? I've been wrong before...but it's hard to see an alternate explanation given their crystal clear posting history.
        UGottaBKidding
        • Right...But...

          ...this has nothing to do with Microsoft or Windows. This has to do with the Nokia Browser running on Asha and (perhaps) any Symbian devices using the Nokia Browser with "Bandwidth Reduction" enabled.
          Paul Newell
      • Twisted Toddy, that's how!

        No matter what the subject, if Toddy posts, he bashes the iPhone. Toddy is pro-MS, which is WP8, which is Nokia Lumia. The entire "holy trinity" defend MS to the end because they are paid to do it.

        It has nothing to do with the WP8 failure in the marketplace, only with Nokia being one of the few to use that terrible OS, but if they did not, and stuck with Symbian, they'd be bashing Nokia as well.

        UGottaBKidding is just doing a public service for the good of the many.
        Gr8Music
  • Forged Certs Or Browser Backdoor?

    I agree with WebSiteManager above. There are serious security implications to this action, because there are only two ways (that I can think of) that it could be achieved: either by an ability to forge SSL certs, or by a backdoor built into Nokia's browser.

    Remember the old saying, that any security system is only as strong as its weakest point? The last thing we need is companies that think they know best for their customers, introducing additional weak points into the system.

    Nokia, you FAIL at security.
    ldo17
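    The question WebSiteManager and ldo17 raise above comes down to one check: did the browser receive the origin's own certificate, or one minted by a proxy that terminates TLS? The pin check below is an added example, not code from the article, the researcher or Nokia; the certificate bytes and pin are constructed placeholders, and `fetch_leaf_der` is a hypothetical helper that only works with network access. It pins the SHA-256 of the DER leaf certificate, the simplest pinning the Python standard library allows without an ASN.1 parser.

```python
import hashlib
import hmac
import socket
import ssl
from typing import Iterable, Tuple

# A pin is the SHA-256 digest of the DER-encoded leaf certificate the client
# expects from the origin. A proxy that terminates TLS must present a
# certificate of its own (signed by a CA the handset trusts), so its digest
# will not match any pin even though ordinary chain validation passes.
# Both byte strings below are CONSTRUCTED placeholders, not real certificates.
SAMPLE_ORIGIN_CERT = b"-- constructed placeholder for the origin's DER leaf cert --"
SAMPLE_PROXY_CERT = b"-- constructed placeholder for a proxy-issued DER leaf cert --"


def cert_fingerprint(der: bytes) -> str:
    """Hex SHA-256 of a DER certificate (what `openssl x509 -fingerprint -sha256`
    prints, without the colons)."""
    return hashlib.sha256(der).hexdigest()


def check_pin(presented_der: bytes, pins: Iterable[str]) -> Tuple[bool, str]:
    """Return (ok, reason). ok is True only if the presented leaf matches a pin.
    Several pins are accepted so a backup certificate can be rolled in without
    locking clients out; digests are compared in constant time out of habit."""
    fp = cert_fingerprint(presented_der)
    for pin in pins:
        if hmac.compare_digest(fp, pin.lower()):
            return True, "leaf fingerprint %s... matches a pin" % fp[:16]
    return False, ("leaf fingerprint %s... matches no pin: the TLS session may be "
                   "terminated by an intercepting proxy" % fp[:16])


def fetch_leaf_der(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Hypothetical online helper: complete a normal, fully validated TLS
    handshake and return the DER leaf the server actually presented to us.
    Feed its result to check_pin() to compare against the pins you shipped."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


# Pin set a client would ship with: the origin's current leaf (a backup pin
# would normally sit beside it).
PINS = {cert_fingerprint(SAMPLE_ORIGIN_CERT)}
```

    Pinning the leaf means the pin set must be updated every time the origin renews its certificate; pinning the public key (SPKI) survives renewals but needs an X.509 parser.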
  • Statement from Nokia yesterday!

    This is old news..

    Here's our statement issued yesterday:

    "We take the privacy and security of our consumers and their data very seriously. The compression that occurs within the Nokia Xpress Browser means that users can get faster web browsing and more value out of their data plans. Importantly, the proxy servers do not store the content of web pages visited by our users or any information they enter into them. When temporary decryption of HTTPS connections is required on our proxy servers, to transform and deliver users’ content, it is done in a secure manner.

    Nokia has implemented appropriate organizational and technical measures to prevent access to private information. Claims that we would access complete unencrypted information are inaccurate.

    We aim to be completely transparent on privacy practices. As part of our policy of continuous improvement we will review the information provided in the mobile client in case this can be improved.”
    gtee