Time Does Not Heal All Wounds: A Longitudinal Analysis of Security-Mechanism Support in Mobile Browsers

Recent market share statistics show that mobile device traffic has overtaken that of traditional desktop computers. Users spend an increasing amount of time on their smartphones and tablets, while the web continues to be the platform of choice for delivering new applications to users. In this environment, it is necessary for web applications to utilize all the tools at their disposal to protect mobile users against popular web application attacks. In this paper, we perform the first study of the support of popular web-application security mechanisms (such as the Content-Security Policy, HTTP Strict Transport Security, and Referrer Policy) across mobile browsers. We design 395 individual tests covering 8 different security mechanisms, and utilize them to evaluate the security-mechanism support in the 20 most popular browser families on Android. Moreover, by collecting and testing browser versions from the last seven years, we evaluate a total of 351 unique browser versions against the aforementioned tests, collecting more than 138K test results. By analyzing these results, we find that, although mobile browsers generally support more security mechanisms over time, not all browsers evolve in the same way. We discover popular browsers, with millions of downloads, which do not support the majority of the tested mechanisms, and identify design choices, followed by the majority of browsers, which leave hundreds of popular websites open to clickjacking attacks. Moreover, we discover the presence of multi-year vulnerability windows between the time when popular websites start utilizing a security mechanism and when mobile browsers enforce it. Our findings highlight the need for continuous security testing of mobile web browsers, as well as server-side frameworks which can adapt to the level of security that each browser can guarantee.