Nokia mobile devices redirect Web requests to Nokia-owned proxy servers where header information, including credentials, is stored in clear text, putting anything from banking sessions to social media accounts at risk, a researcher claims. India-based researcher Gaurang Pandya, an infrastructure security architect with Unisys Global Services, said Nokia is performing the equivalent of a man-in-the-middle attack on Web traffic from the Nokia browser embedded in the phone. Pandya tested his work on the Nokia Asha 302 handset running the Series 40 operating system.
“Be it [a] HTTP or HTTPS site, when browsed through the phone in subject, Nokia has complete information unencrypted (in clear text format) available to them for them to use or abuse,” Pandya wrote on his personal blog.
A Nokia representative told Tech Week Europe the traffic redirection is done in order to speed up traffic and services; Nokia said its staff does not look at unencrypted content.
“The compression that occurs within the Nokia Xpress Browser means that users can get faster Web browsing and more value out of their data plans,” a spokesperson told Tech Week Europe. “Importantly, the proxy servers do not store the content of web pages visited by our users or any information they enter into them. When temporary decryption of HTTPS connections is required on our proxy servers, to transform and deliver users’ content, it is done in a secure manner.
“Nokia has implemented appropriate organizational and technical measures to prevent access to private information,” the rep said. “Claims that we would access complete unencrypted information are inaccurate.”
Pandya happened upon the situation while browsing checkip.dyndns.org, which produces the IP address used by the browsing device, he said. Rather than Web requests going directly to the requested Web server, traffic over the Nokia browser is redirected to Nokia/Ovi proxy servers. If the phone’s Opera browser is used, requests are directed to the Opera proxy servers.
“Not just site browsing using their Web browser, but also some built-in applications such as [the] mail client and Twitter client (these are tested ones) seem to use [the] same Nokia browser, hence traffic for those applications as well is proxied through Nokia servers,” Pandya said. “Even after checking various settings, I could not see any straightforward way to bypass this proxy setting and let my Internet traffic pass through normally. This behavior is noticed regardless of whether the browsing is done through 3G or Wifi network connections.”
Pandya investigated further with HTTPS traffic; since header information is not viewable, he checked whether DNS requests were sent for the requested site and whether the certificate was sent from the server. A DNS query for a request to Google, for example, was sent instead to Nokia’s Ovi cloud service, the same host where HTTP requests were sent. He said no attempt was made to try to resolve the HTTPS request for Google.
As for the certificate check, he discovered that Nokia preconfigured the phone to trust the Nokia Ovi certificate, a reason no security alerts were raised on the phone, he said.
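The two checks described above (was a DNS query ever sent for the requested site, and whose certificate came back) can be expressed as a small audit over capture records. This is an added Python example, not code from Pandya's post; the record types, hostnames and CA names are constructed placeholders.

```python
from dataclasses import dataclass

@dataclass
class Dns:
    qname: str        # name the device asked its resolver for

@dataclass
class Tls:
    subject_cn: str   # name on the certificate the device received
    issuer_cn: str    # CA that signed that certificate

def host_matches(pattern, host):
    """True if a certificate name (optionally *.domain) covers host."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host

def assess(requested_host, records, expected_issuers):
    """Apply both checks to the records captured while loading one HTTPS site."""
    queried = {r.qname.lower().rstrip(".") for r in records if isinstance(r, Dns)}
    certs = [r for r in records if isinstance(r, Tls)]
    result = {
        # Check 1: the device never tried to resolve the site it was asked for.
        "dns_bypassed": requested_host.lower() not in queried,
        # Check 2a: the certificate received names some other host.
        "cert_mismatch": any(not host_matches(c.subject_cn, requested_host)
                             for c in certs),
        # Check 2b: the certificate chains to a CA outside the expected set,
        # for instance one preinstalled by the handset vendor.
        "unexpected_issuer": any(c.issuer_cn not in expected_issuers
                                 for c in certs),
        "other_hosts_resolved": sorted(queried - {requested_host.lower()}),
    }
    result["intercepted"] = result["dns_bypassed"] and (
        result["cert_mismatch"] or result["unexpected_issuer"])
    return result

# Constructed sample captures (placeholders, not values from the research).
EXPECTED = {"Example Public CA"}
PROXIED = [Dns("proxy.example.net"),
           Tls("proxy.example.net", "Example Vendor CA")]
DIRECT = [Dns("www.example.com"),
          Tls("*.example.com", "Example Public CA")]

if __name__ == "__main__":
    print(assess("www.example.com", PROXIED, EXPECTED))
    print(assess("www.example.com", DIRECT, EXPECTED))
```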
Tyler Shields, a senior security researcher with Veracode, said this was unusual behavior for a carrier on the mobile device level. Some security companies, for example, will redirect Web requests through their networks for security checks. Carrier traffic redirects are often done to optimize speed and delivery, for example, giving certain data types such as voice over IP or streaming media elevated quality of service over traditional data. Sometimes it’s also done for security reasons to cut off a fast-spreading worm.
“When anything is transmitted in the clear, it’s always a problem,” Shields said. “When traffic like that is being forced across a specific network, it begs privacy and security concerns. There’s no proof they’re invading a user’s privacy, but they are giving themselves an opportunity to do so.”