Pinched screen real estate on iPhone devices may make it easier for users to be fooled into using bogus “phishing” Web sites, according to an analysis by researcher Nitesh Dhanjani.
In a post on the SANS Application Security Street Fighter Blog on Monday, Dhanjani called attention to the common practice of hiding the Web address once Web pages and applications have loaded. That practice, coupled with the ability of application programmers to render screen elements that mimic real address bars, could throw open the door to the kinds of phishing attacks that modern browsers have long since rendered ineffective.
Dhanjani’s post is the second in a series of pieces that pull back the covers on insecure application security practices on the iPhone. An earlier post focused on loose security practices for processing URLs. In his latest work, Dhanjani argues that, while the iPhone Safari browser may not allow URLs to be spoofed, the Safari address bar is typically hidden immediately after a Web page has loaded, removing a key visual cue to users that they may have visited a bogus Web page. At the same time, application developers can programmatically render a bogus address bar graphic that creates the false impression that the user has landed at a legitimate Web site.
To illustrate his point, Dhanjani created a spoof Web page designed to resemble the Bank of America mobile banking Web site. After the page loads in the iPhone Safari browser, Safari adjusts the screen to hide the real address bar, while Dhanjani’s page programmatically superimposes a bogus address bar at the top of the visible area of the screen, creating the impression that the user is at the bankofamerica.com Web site.
The problem isn’t limited to the iPhone, either. Dhanjani found that applications for the iPad also frequently hide the address bar to maximize the screen real estate available for other content.
Fortunately, it isn’t a difficult problem to fix. Dhanjani said existing tools available to developers for applications on iOS, Apple’s mobile operating system, allow the URL to be displayed within applications. Apple need only develop clear policies and set default behaviors that encourage that practice.
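The mitigation the article describes, an in-app browser whose address display is drawn by native UI rather than by page content (so a page cannot hide or imitate it), as an added Swift example. This is not code from the article, from Dhanjani’s post, or from Apple; it assumes WKWebView on iOS 13 or later, which postdates the article, and the class name, label layout, and example.com start URL are choices made here.

```swift
// Added example (not from the article or from Dhanjani's post): an in-app
// browser that keeps the current page's scheme and host in a native UILabel
// above the web view. The label is outside the web view's rendering surface,
// so page content can neither scroll it away nor paint a fake one over it.
// Assumes WKWebView on iOS 13+ (postdates the article); class, label and
// start URL are this example's own choices, not an Apple or Threatpost API.
import UIKit
import WebKit

final class OriginBarWebViewController: UIViewController {
    private let originLabel = UILabel()
    private let webView = WKWebView(frame: .zero, configuration: WKWebViewConfiguration())
    private var observations: [NSKeyValueObservation] = []

    override func viewDidLoad() {
        super.viewDidLoad()
        view.backgroundColor = .systemBackground

        // Native label: pinned to the safe area, never part of the web content.
        originLabel.font = .monospacedSystemFont(ofSize: 14, weight: .regular)
        originLabel.textAlignment = .center
        originLabel.backgroundColor = .secondarySystemBackground
        originLabel.translatesAutoresizingMaskIntoConstraints = false
        webView.translatesAutoresizingMaskIntoConstraints = false
        view.addSubview(originLabel)
        view.addSubview(webView)

        NSLayoutConstraint.activate([
            originLabel.topAnchor.constraint(equalTo: view.safeAreaLayoutGuide.topAnchor),
            originLabel.leadingAnchor.constraint(equalTo: view.leadingAnchor),
            originLabel.trailingAnchor.constraint(equalTo: view.trailingAnchor),
            originLabel.heightAnchor.constraint(equalToConstant: 32),
            webView.topAnchor.constraint(equalTo: originLabel.bottomAnchor),
            webView.leadingAnchor.constraint(equalTo: view.leadingAnchor),
            webView.trailingAnchor.constraint(equalTo: view.trailingAnchor),
            webView.bottomAnchor.constraint(equalTo: view.bottomAnchor),
        ])

        // WKWebView.url and hasOnlySecureContent are KVO-compliant, so the
        // label follows every navigation, including server-side redirects.
        observations.append(webView.observe(\.url, options: [.initial, .new]) { [weak self] _, _ in
            self?.refreshOriginLabel()
        })
        observations.append(webView.observe(\.hasOnlySecureContent, options: [.new]) { [weak self] _, _ in
            self?.refreshOriginLabel()
        })

        // Placeholder start page (constructed for the example); an app would
        // load its real entry URL here.
        webView.load(URLRequest(url: URL(string: "https://example.com/")!))
    }

    private func refreshOriginLabel() {
        guard let url = webView.url, let host = url.host else {
            originLabel.text = "about:blank"
            return
        }
        // Show only scheme and host: the part of the URL a user needs in order
        // to judge whether this is the site they expect. Anything the page
        // itself draws is irrelevant to what appears here.
        let secure = (url.scheme == "https") && webView.hasOnlySecureContent
        originLabel.text = (secure ? "🔒 " : "⚠️ ") + host
    }
}
```

The design point is that the trust indicator is owned by the host app, not by the document: the web view can render whatever it likes in its own frame, but it has no way to draw into the label above it or to scroll that label off screen, which is exactly the property the hidden Safari address bar loses.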
Apple didn’t immediately respond to a request for comment from Threatpost.com.