论文信息 - Phishing on Mobile Devices

Phishing on Mobile Devices

We assess the risk of phishing on mobile platforms. Mobile operating systems and browsers lack secure application identity indicators, so the user cannot always identify whether a link has taken her to the expected application. We conduct a systematic analysis of ways in which mobile applications and web sites link to each other. To evaluate the risk, we study 85 web sites and 100 mobile applications and discover that web sites and applications regularly ask users to type their passwords into contexts that are vulnerable to spoofing. Our implementation of sample phishing attacks on the Android and iOS platforms demonstrates that attackers can spoof legitimate applications with high accuracy, suggesting that the risk of phishing attacks on mobile platforms is greater than has previously been appreciated.

A. Porter

[1] Marti A. Hearst,et al. Why phishing works , 2006, CHI.

[2] Hao Chen,et al. iPhish: Phishing Vulnerabilities on Consumer Electronics , 2008, UPSEC.

[3] Markus Jakobsson,et al. Implicit authentication for mobile devices , 2009 .

[4] David A. Wagner,et al. Conditioned-safe ceremonies and a user study of an application to web authentication , 2009, NDSS.

[5] Baptiste Gourdin. Framing Attacks on Smart Phones and Dumb Routers: Tap-jacking and Geo-localization Attacks , 2010, WOOT.

[6] Franco Callegati,et al. Splitting the HTTPS Stream to Attack Secure Web Connections , 2010, IEEE Security & Privacy.

[7] A. Porter. The Effectiveness of Install-Time Permission Systems for Third-Party Applications , 2010 .

[8] David A. Wagner,et al. Analyzing inter-application communication in Android , 2011, MobiSys '11.