Most of us may pay attention to safe Internet browsing on our computers, but our littlest computers — smartphones — bear closer watching, says a new study from Georgia Tech, which contends that mobile Web browsers are "unsafe enough that even cyber security experts are unable to detect when their smartphone browsers have landed on potentially dangerous websites."
"We found vulnerabilities in all 10 of the mobile browsers we tested, which together account for more than 90 percent of the mobile browsers in use today in the United States," said Patrick Traynor, assistant professor at Georgia Tech’s School of Computer Science, in a release.
"The basic question we asked was, 'Does this browser provide enough information for even an information-security expert to determine security standing?' With all 10 of the leading browsers on the market today, the answer was no."
The browsers studied by Traynor and Chaitrali Amrutkar, a Ph.D. student in the School of Computer Science, included: Android, BlackBerry Mango, BlackBerry Webkit, Chrome Beta, Firefox Mobile, iPhone Safari, Opera Mini, Opera Mobile, Windows IE Mobile, Safari on iPad 2.
Chet Wisniewski, senior security adviser at Sophos, told NBC News he agrees "100 percent" with the Georgia Tech findings.
"While we are seeing ever-increasing amounts of malware for the Android platform, all mobile devices are at risk of their users being phished or scammed," he said.
Georgia Tech said that like desktop Web browsers, mobile versions use various security and cryptographic tools for security.
"However, in one critical area that informs user decisions — the incorporation of tiny graphical indicators in a browser’s URL field — all of the leading mobile browsers fail to meet security guidelines recommended by the World Wide Web Consortium (W3C) for browser safety, leaving even expert users with no way to determine if the websites they visit are real or impostor sites phishing for personal data."
The smaller screen sizes on phones, Traynor said, also make it harder to verify whether browsers are using SSL ("secure sockets layer") or TLS ("transport layer security") indicators, which alert users to whether their connection to a website is secure and is actually the site they're intending to visit.
"The tiny 'lock' icon that typically appears in a desktop browser window when users are providing payment information in an online transaction is one example of an SSL indicator," Traynor and Amrutkar said in the release. "Another is the 'https' keyword that appears in the beginning of a desktop browser’s URL field."
Often, "there simply isn’t room to incorporate SSL indicators in the same way as with desktop browsers. However, given that mobile devices are widely predicted to face more frequent attacks from cyber-criminals, the vulnerability is almost sure to lead to increased cyber-crime unless it is addressed."
Mobile browser users, Amrutkar said in the release, are "three times more likely to access phishing sites than users of desktop browsers ... Is that all due to the lack of these SSL indicators? Probably not, but giving these tools a consistent and complete presence in mobile browsers would definitely help."
Sophos' Wisniewski said he's familiar with the problem of users having a "lack of context when clicking links in an email or surfing on tablets and mobile devices."
Users should "take the same precautions they would in real life," he said. "When they receive a solicitation that is 'incoming,' they should never respond. Always open your browser and directly contact the organization you believe to be contacting you. Don't click on links in email and stay vigilant. It is more difficult to tell if a site is secure when surfing on your mobile, so just be sure that anything you do that requires security is something you initiate and type the address in before continuing."
He also said users should not "bypass" any warning messages they get from their Web browsers about problems with a site they might have just clicked on.
"If you get a warning from your browser about encryption or certificates, do not proceed," he said. "Close your browser and either type in the address again or give up."