In a critical area that informs user decisions -- the incorporation of tiny graphical indicators in a browser's URL address field -- all of the leading mobile browsers fail to meet security guidelines recommended by the World Wide Web Consortium for browser safety, researchers at the Georgia Institute of Technology reported Wednesday.
The graphic icons are called either SSL (secure sockets layer) or TLS (transport layer security) indicators and serve to alert users when their connection to the destination website is secure and the website they see is actually the site they intended to visit.
Without that graphical confirmation of a secure site, even expert users have no way to determine if the websites they visit are real or impostor sites phishing for personal data, the researchers said.
"We found vulnerabilities in all 10 of the mobile browsers we tested, which together account for more than 90 percent of the mobile browsers in use today in the United States," computer science Professor Patrick Traynor said.
"The basic question we asked was, 'Does this browser provide enough information for even an information-security expert to determine security standing?' With all 10 of the leading browsers on the market today, the answer was no."
The Web consortium has recommended how SSL indicators should be built into a browser's user interface, and desktop browsers do a good job of following those recommendations, researchers said. In mobile browsers, however, the guidelines are followed inconsistently at best and often not at all.
"Research has shown that mobile browser users are three times more likely to access phishing sites than users of desktop browsers," Georgia Tech doctoral student Chaitrali Amrutkar said. "Is that all due to the lack of these SSL indicators? Probably not, but giving these tools a consistent and complete presence in mobile browsers would definitely help."