Visible to the public Meddling Middlemen: Empirical Analysis of the Risks of Data-Saving Mobile Browsers

TitleMeddling Middlemen: Empirical Analysis of the Risks of Data-Saving Mobile Browsers
Publication TypeConference Paper
Year of Publication2020
AuthorsKondracki, B., Aliyeva, A., Egele, M., Polakis, J., Nikiforakis, N.
Conference Name2020 IEEE Symposium on Security and Privacy (SP)
Keywordsbrowser security, Browsers, compositionality, Ecosystems, Google, Human Behavior, Metrics, privacy, pubcrawl, resilience, Resiliency, security, Web servers
AbstractMobile browsers have become one of the main mediators of our online activities. However, as web pages continue to increase in size and streaming media on-the-go has become commonplace, mobile data plan constraints remain a significant concern for users. As a result, data-saving features can be a differentiating factor when selecting a mobile browser. In this paper, we present a comprehensive exploration of the security and privacy threat that data-saving functionality presents to users. We conduct the first analysis of Android's data-saving browser (DSB) ecosystem across multiple dimensions, including the characteristics of the various browsers' infrastructure, their application and protocol-level behavior, and their effect on users' browsing experience. Our research unequivocally demonstrates that enabling data-saving functionality in major browsers results in significant degradation of the user's security posture by introducing severe vulnerabilities that are not otherwise present in the browser during normal operation. In summary, our experiments show that enabling data savings exposes users to (i) proxy servers running outdated software, (ii) man-in-the-middle attacks due to problematic validation of TLS certificates, (iii) weakened TLS cipher suite selection, (iv) lack of support of security headers like HSTS, and (v) a higher likelihood of being labelled as bots. While the discovered issues can be addressed, we argue that data-saving functionality presents inherent risks in an increasingly-encrypted Web, and users should be alerted of the critical savings-vs-security trade-off that they implicitly accept every time they enable such functionality.
Citation Keykondracki_meddling_2020