
A Summer Internship Project Report on
Analysis and Design of Browser for Secure Mobile Payments
Carried out at the Institute of Development and Research in Banking Technology
During 20th May – 20th July 2014

Submitted by: SUHANI GARG, Integrated M.Tech 3rd Year, Mathematics and Computing, 11412EN005, IIT-BHU (Varanasi)

Under the Guidance of Dr. V.N. Sastry, Professor, IDRBT
Date of Submission: 18th July 2014


ABSTRACT

Mobile banking is easy and saves a lot of effort and time. Losses attributed to financial fraud are alarming. via a is similar to home banking. Browsing-based threats for are just the same as those for which is just as important as PC security. Apart from the various browsers available in the market, there are several proxies which infect by taking advantage of vulnerabilities in , thereby modifying one's transactions and web content. Authentication is a technique to verify a person's identity. Transaction authentication includes id and password, IP address, geolocation, hardware, time of day and the user's previous pattern of behaviour. Geolocation authentication is an important type of transaction authentication.

The of the project is to make a comparative analysis of the various desktop and mobile browsers available in the market, to study their features and to develop a new secure mobile browser, especially for banks, including a new way of authentication that strengthens the security of mobile transactions. So, in addition to id and password, geolocation tells banks from which place a transaction is going to take place. Hence, it helps banks to provide secure transactions.


CERTIFICATE

This is to certify that the summer internship project report entitled “Analysis and Design of Browser for Secure Mobile Payments” submitted by SUHANI GARG, I.M.D. (MnC) 3rd Year, IIT-BHU (Varanasi) to the Institute for Development and Research in Banking Technology (IDRBT), Hyderabad is a record of bonafide work carried out by her under my supervision and guidance during 20th May 2014 to 18th July 2014.

(Dr. V.N.Sastry) Professor, IDRBT. Project Guide


DECLARATION

I SUHANI GARG hereby declare that this Dissertation entitled “ANALYSIS AND DESIGN OF BROWSER FOR SECURE MOBILE PAYMENTS” submitted by me under the guidance and supervision of Dr. V.N. Sastry, Professor, IDRBT, is a bonafide work. I also declare that it has not been submitted previously in part or in full to this University or other University or Institution for the award of any degree or diploma.

Date: 18/07/2014    Name: SUHANI GARG

Signature of the Student


ACKNOWLEDGEMENTS

First and foremost, I would like to express my sincere gratitude to my project supervisor Dr. V.N. Sastry, Professor, IDRBT, Hyderabad, who guided me all through the project and showed me the right path. His engagement in my project and his stream of ideas have been absolutely essential for the results presented here. I am very thankful that he has spent so much time with me during my project work. My honourable thanks to Shri B. Sambamurthy, Director, IDRBT, for providing excellent labs and . I would also like to thank the IDRBT staff. I thank IDRBT for providing me with the necessary infrastructure and technical support that was required for this project. Finally, I express my gratitude to my parents and friends for their valuable suggestions and moral support.

SUHANI GARG
Integrated M.Tech 3rd year
Department of Mathematical Sciences
IIT-BHU (Varanasi)
E-mail: suhanigarg7671@.com
Ph: +91-7704094623


CONTENTS

Abstract
Acknowledgement
Certificate

1. Introduction
   1.1 Websites
   1.2 Browsers
   1.3 Protocols
   1.4 Authentication
   1.5 Browser Tools
   1.6 Conclusion

2. Analysis and Comparison of Desktop Browsers
   2.1 Desktop browser and Mobile browser
   2.2 Analysis of various desktop browsers
   2.3 Best Browser
   2.4 Present usage share and future trend of web browser
   2.5 Conclusion

3. Analysis and Comparison of Mobile Browsers
   3.1 Analysis of various mobile browsers
   3.2 Mobile platforms and Security basis
   3.3 Mobile Screen Resolution
   3.4 Disadvantages of Mobile
   3.5 Mobile Networks and Protocols
   3.6 Inter-operability
   3.7 Future of Mobile browsers
   3.8 Conclusion

4. Design and Implementation of Browser for secure Mobile Banking
   4.1 Secure mobile banking
   4.2 Browser attacks on banking
   4.3 Design and Implementation
   4.4 Conclusion

5. Conclusions and Future Work

References


Chapter 1 : Introduction

In this chapter, the basics of websites, their features and the various types of websites available are presented, followed by browsers, their distinguishing features and a list of some browsers. It then describes the various protocols and their layers, and authentication and the different types of authentication available. Lastly, the various common i.e. the advantages of using HTML, HTML5 and XML are presented.

1.1 Websites

A website is the very first thing that we see in a browser. A website is a set of web pages hosted on at least one web . It is accessible via the Internet or a local area network through a Uniform Resource Locator (URL). There are various characteristics that make an effective website:

1. Appearance: A site must be polished, visually appealing and have a professional outlook. Some guidelines to improve this are meaningful graphics, good use of colour, easily readable text, simplicity and quality photography.
2. Content: A good site should have relevant and informative substance. Some guidelines to improve this are short and organized copy, speaking to visitors, updating content regularly, unique content and considering a professional to write and edit.
3. Functionality: Every component of a website should work correctly and quickly. For this, the copy should be error free.
4. Usability: The site must be easy to read, understand and navigate. Some guidelines to improve this are fast loading pages, minimal scrolling, consistent layout, simplicity, cross platform / browser compatibility and screen resolution.
5. Optimized
6. User Friendly
7. Mobile Dominated Web
8. Get on Board with

There are various different types of websites. Some of them are:

1. Personal websites
2. Writers and Authors websites
3. Photo Sharing websites
4. Community building websites
5. websites
6. Blogging websites
7. Directory websites
8. Online Business Brochure / Catalog websites
9. Informational websites
10. E-Commerce websites


1.2 Browsers

A web browser is an that allows a computer user to gain to all content that is on the Internet as well as on the hard disk of the computer. It allows us to access web pages, images, audio and video , text documents, etc. We can install multiple browsers on a computer. Browsers are developed to access information on . The distinguishing areas of browsers are:

- Platform: Windows, Mac, BSD, and other Unix
- Protocols: FTP, SFTP, SAMBA, HTTP, IMAP, etc.
- Layout Engine: , , , KHTML, WebKit
- Graphical (GUI)
- Proprietary
- HTML5 Support
- Open Source
- Mobile Compatibility

Some features offered by web browsers include downloads, bookmarks, search engine toolbars, password management, spell checking, tabbed browsing, HTML access keys, advertisement filtering and pop-up blocking. Some important web browsers are listed below:

Table : Various desktop browsers

| Browser            | Release Year | Latest Version | Creator    | URL                                           |
|--------------------|--------------|----------------|------------|-----------------------------------------------|
| Internet Explorer  | Aug,1995     | 11.0.9         |            | http://microsoft.com/ie                       |
| Mozilla Firefox    | Nov,2004     | 30.0           |            | http://mozilla.org/firefox                    |
| Google Chrome      | Sep,2008     | 35.0.1916.153  |            | http://www.google.com/chrome                  |
| Safari             | Jan,2003     | 7.0.5          | Apple      | http://apple.com/safari                       |
| Netscape Navigator | Dec,1994     | 8.1.3          |            | http://www.netscape.ca/ns/browsers/7/download/ |
| Opera              | 1994         | 22.0.1471.70   |            | http://www.opera.com/                         |
| Lynx               | 1992         | 2.8.8          | Grobe      | http://lynx.isc.org/                          |
| OmniWeb            | 1995         | 5.11.2         | Omni Group | http://www.omnigroup.com/more                 |
| Konqueror          | Oct,2000     | 4.13.1         | KDE        | http://www.konqueror.org/                     |
| iCab               | 1999         | 5.2            | Clauss     | http://icab.de/                               |
| Camino             | 2002         | 2.1.2          | Apple      | http://caminobrowser.org/                     |
| Maxthon            | 2003         | 4.4.1.200      |            | http://www.maxthon.com/                       |
| Netsurf            | 2002         | 3.1            | NetSurf    | http://www.netsurf-browser.org/               |

1.3 Protocols

A standard set of rules that allows two devices to connect and exchange information with each other is called a protocol. Internet protocols include TCP/IP (Transmission Control Protocol / Internet Protocol), FTP (), HTTP (Hypertext Transfer Protocol) and SMTP (Simple Transfer Protocol). The world's most famous protocol is the Internet Protocol, which is based on open systems, suited for LAN and WAN communications and able to communicate over any set of interconnected networks. The two best known protocols are the Transmission Control Protocol (TCP) and the Internet Protocol (IP). The Internet Protocol Suite provides abstraction of protocols using encapsulation. The four layers are:

- Application Layer: FTP, DNS, HTTP, SMTP, SNMP, SSH, NTP, SOCKS, SSL, and more
- Transport Layer: TCP, UDP, SCTP, RSVP, DCCP and more
- Internet Layer: IP (IPv4, IPv6), IPsec, ICMP, ECN, ICMPv6 and more
- Link Layer: DSL, PPP, NDP, ARP and more

Internet Protocol version 6 (IPv6) is the current-generation Internet Protocol version, designated as the successor to IPv4. IPv6 addresses typically have two parts: a 64-bit network prefix and a 64-bit host address. The IPv6 addressing structure uses hexadecimal notation, normally written as eight groups of four hexadecimal digits, and colons replace the periods used in IPv4. IPv6 has four address types: unicast (one-to-one), anycast (one-to-nearest), multicast (one-to-many), and a reserved class. IPv6 does not support broadcasting. IPv6 runs well in high-performance networks, such as Gigabit Ethernet and ATM networks, and it is also efficient for low-bandwidth networks such as wireless networks. IPv6 offers better security mechanisms, mandating the use of IPsec and IKE. The motivations for bringing in IPv6 are the fast growing Internet and the need for a larger address space, to provide security features for data on the Internet, which is otherwise vulnerable, to bring data prioritization up to date and to give every device a globally unique IP address. IPv6 has many important features like end to end connectivity, simplified header, IPsec, large address space, auto configuration, no broadcast, faster routing, mobility, anycast support, smooth transition, enhanced priority support and extensibility.
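As an added illustration that is not part of the original report, the following Python code parses the textual IPv6 notation described above (eight colon-separated hex groups, with a single `::` standing for a run of zero groups), splits an address into the 64-bit network prefix and 64-bit host identifier, and classifies the address type by its leading bits. The sample addresses are constructed, and the well-known ranges used for classification (ff00::/8 multicast, fe80::/10 link-local, fc00::/7 unique-local, 2000::/3 global unicast) are standard IPv6 assignments assumed here rather than taken from the report.

```python
from typing import Dict, List, Tuple

HEX_DIGITS = set("0123456789abcdefABCDEF")


def expand_ipv6(text: str) -> List[int]:
    """Parse textual IPv6 notation into its eight 16-bit groups.

    Accepts the full form (eight colon-separated hex groups) and the
    compressed form, where a single '::' stands for one or more
    all-zero groups.  Raises ValueError on malformed input.
    """
    if text.count("::") > 1:
        raise ValueError("only one '::' is allowed in an IPv6 address")
    if "::" in text:
        head, tail = text.split("::")
        head_groups = head.split(":") if head else []
        tail_groups = tail.split(":") if tail else []
        missing = 8 - len(head_groups) - len(tail_groups)
        if missing < 1:
            raise ValueError("'::' must replace at least one zero group")
        parts = head_groups + ["0"] * missing + tail_groups
    else:
        parts = text.split(":")
    if len(parts) != 8:
        raise ValueError(f"expected 8 groups, got {len(parts)}: {text!r}")
    groups = []
    for part in parts:
        if not 1 <= len(part) <= 4 or not set(part) <= HEX_DIGITS:
            raise ValueError(f"bad hex group {part!r} in {text!r}")
        groups.append(int(part, 16))
    return groups


def is_valid_ipv6(text: str) -> bool:
    """True if the text parses as an IPv6 address, False otherwise."""
    try:
        expand_ipv6(text)
        return True
    except ValueError:
        return False


def full_form(groups: List[int]) -> str:
    """Write the address as eight zero-padded groups of four hex digits."""
    return ":".join(f"{g:04x}" for g in groups)


def split_prefix_host(groups: List[int]) -> Tuple[int, int]:
    """Split the 128-bit value into the 64-bit network prefix and the
    64-bit host (interface identifier) part described in the text."""
    value = 0
    for g in groups:
        value = (value << 16) | g
    return value >> 64, value & ((1 << 64) - 1)


def address_type(groups: List[int]) -> str:
    """Classify the address by its leading bits (assumed standard ranges).

    Anycast addresses are allocated out of the unicast space and cannot be
    told apart syntactically, so they are reported as unicast here.  IPv6
    has no broadcast type at all, as the text notes.
    """
    first = groups[0]
    if all(g == 0 for g in groups):
        return "unspecified"
    if groups[:7] == [0] * 7 and groups[7] == 1:
        return "loopback"
    if (first & 0xFF00) == 0xFF00:          # ff00::/8
        return "multicast"
    if (first & 0xFFC0) == 0xFE80:          # fe80::/10
        return "link-local unicast"
    if (first & 0xFE00) == 0xFC00:          # fc00::/7
        return "unique-local unicast"
    if (first & 0xE000) == 0x2000:          # 2000::/3
        return "global unicast"
    return "reserved"


def describe(text: str) -> Dict[str, object]:
    """Return the full form, prefix/host split and type for one address."""
    groups = expand_ipv6(text)
    prefix, host = split_prefix_host(groups)
    return {"full": full_form(groups), "prefix": prefix,
            "host": host, "type": address_type(groups)}


if __name__ == "__main__":
    # Constructed sample addresses; 2001:db8::/32 is the documentation range.
    for sample in ("2001:db8::1", "fe80::1", "ff02::1", "::1", "::"):
        print(sample, describe(sample))
```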


1.4 Authentication

Authentication is the process of determining whether an identity or user is who they claim to be. It depends on registration processes and identity verification. The various types of authentication are:

- Password authentication: the most common and least secure one.
- Single Sign On authentication: allows the user to use the same id and password to log on to multiple sites. It has now become reduced sign on (RSO) due to the use of multiple types of authentication.
- Lightweight Directory Access Protocol (LDAP) authentication: used by enterprises for centralized authentication.
- Access Control authentication: the process of allowing a user to physically handle or electronically access a facility or enterprise.
- Network authentication: the process of allowing a user to authenticate to a network as well as obtain authorization.
- Biometric authentication: verifying a user by digitized biological characteristics such as fingerprints, finger scans, iris scans, face scans, voice recognition, etc.
- Strong authentication: includes security tokens, digital certificates and biometric types of authentication.
- Transaction authentication: in addition to id and password it also includes the IP address, computer hardware, time of day, geolocation and the user's previous pattern of behaviour.
- Federated authentication: the ability to trust an incoming electronic identity to the enterprise from a trusted partner or website.
- PKI authentication: the Public Key Infrastructure type of authentication. Here the system provides trusted third party user identity assurance and inspection.
- Security Token authentication: like a one time password.
- Smart Card authentication
- Authentication management: helps to manage identities and their mechanisms.
- Wireless authentication: includes protocols like RADIUS (Remote Authentication Dial-In User Service) and VOIP (Voice Over Internet Protocol).
- Document authentication
- Outsourcing authentication
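To show how transaction authentication combines the extra signals listed above (IP address, device hardware, time of day, geolocation and the user's past behaviour) with the id/password check, here is an added Python example that is not part of the original report. The user profile, transaction records, point weights, distance thresholds and the allow / step-up / deny cut-offs are constructed assumptions for illustration; a bank would tune them from its own fraud data.

```python
import math
from dataclasses import dataclass
from datetime import datetime
from typing import List, Tuple

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 900.0   # assumption: roughly airliner speed


@dataclass
class UserProfile:
    """What the bank already knows about the customer (constructed)."""
    user_id: str
    known_devices: frozenset             # hardware identifiers seen before
    known_ip_prefixes: Tuple[str, ...]   # home / office network prefixes
    usual_hours: range                   # local hours the user normally transacts
    last_location: Tuple[float, float]   # (lat, lon) of the previous transaction
    last_time: datetime
    typical_amount: float


@dataclass
class Transaction:
    """Signals the browser or app collects for the current transaction."""
    device_id: str
    ip: str
    location: Tuple[float, float]        # geolocation reported by the device
    time: datetime
    amount: float


def haversine_km(a: Tuple[float, float], b: Tuple[float, float]) -> float:
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))


def risk_score(profile: UserProfile, tx: Transaction) -> Tuple[int, List[str]]:
    """Add up risk points for each transaction-authentication signal.

    The id/password check is assumed to have passed already; this is the
    additional layer the text describes.  Weights are assumptions.
    """
    score, reasons = 0, []
    if tx.device_id not in profile.known_devices:          # computer hardware
        score += 30
        reasons.append("unknown device")
    if not any(tx.ip.startswith(p) for p in profile.known_ip_prefixes):
        score += 15                                         # IP address
        reasons.append("unfamiliar IP address")
    if tx.time.hour not in profile.usual_hours:             # time of day
        score += 10
        reasons.append("unusual time of day")
    distance = haversine_km(profile.last_location, tx.location)   # geolocation
    hours = max((tx.time - profile.last_time).total_seconds() / 3600, 1 / 60)
    if distance / hours > MAX_PLAUSIBLE_SPEED_KMH:
        score += 40
        reasons.append("impossible travel since last transaction")
    elif distance > 500:
        score += 15
        reasons.append("far from last known location")
    if tx.amount > 5 * profile.typical_amount:              # behaviour pattern
        score += 20
        reasons.append("amount far above usual")
    return score, reasons


def decide(score: int) -> str:
    """Map a risk score to an action (thresholds are assumptions)."""
    if score < 25:
        return "allow"
    if score < 60:
        return "step-up"      # e.g. ask for a one-time password first
    return "deny"


# Constructed sample data: a customer who usually transacts from Hyderabad.
PROFILE = UserProfile(
    user_id="cust-0001",
    known_devices=frozenset({"dev-A1"}),
    known_ip_prefixes=("203.0.113.",),          # TEST-NET-3 documentation range
    usual_hours=range(8, 21),
    last_location=(17.3850, 78.4867),           # Hyderabad
    last_time=datetime(2014, 7, 18, 9, 0),
    typical_amount=3000.0,
)
NORMAL_TX = Transaction("dev-A1", "203.0.113.25", (17.3850, 78.4867),
                        datetime(2014, 7, 18, 10, 0), 2000.0)
# Same credentials, but a new device, a new network and a London geolocation
# one hour after a Hyderabad transaction: the geolocation signal catches it.
SUSPECT_TX = Transaction("dev-Z9", "198.51.100.7", (51.5074, -0.1278),
                         datetime(2014, 7, 18, 10, 0), 2000.0)

if __name__ == "__main__":
    for tx in (NORMAL_TX, SUSPECT_TX):
        score, reasons = risk_score(PROFILE, tx)
        print(decide(score), score, reasons)
```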


1.5 Browser Web Development Tools

There are many useful web development tools that integrate into a browser. These in-browser tools are commonly known as add-ons or extensions. In-browser tools vary greatly by the types of jobs they perform; for example, some of them help to diagnose issues with CSS, HTML and JavaScript, while others evaluate the accessibility of a website.

HTML: HTML stands for . It is a markup language used to write web pages. Some advantages of HTML are that it is easy to use, it has loose syntax, it is widely used and supported on almost every browser, it is very similar to XML syntax, it is free, and it is easy to learn and code. Some disadvantages are that the structure is sometimes hard to use, it cannot produce dynamic output, you have to keep up with formatting tags, it has very limited styling capabilities and the security features offered by HTML are limited.

HTML5: HTML5 is the new version of HTML. Many browsers like , Safari, Firefox and Opera, and many others, support HTML5. The main features of HTML5 are its web forms, server-sent events, audio and video, geolocation, , , canvas, new semantic elements, , etc. Some main advantages of HTML5 are that it allows embedding video, audio, drawings, charts and animation of high quality without any plugins, it allows cleaner and neater code, it helps to use good semantics and forms, it has improved accessibility and consistency, it fulfils the need of , it supports an offline application cache, and it supports geolocation and side database.

XML: XML files are text files that can be managed by any text editor. It is very simple, extensible and has fewer than 10 syntax rules. Some advantages of XML are that it is as easy as HTML, it is compatible with applications, it can be used on large networks with multiple platforms like the internet, you can create your own tags, it is a platform independent language, it is also vendor independent and system independent, its data is stored in format, it supports , it can represent common computer science data structures (records, lists and trees), it enhances searchability and it can be updated incrementally.

1.6 Conclusion

The various types of browsers allow users to access the internet through different types of websites. IPv6 is an important protocol which helps to connect and exchange information between two devices. The various types of authentication help to increase security, and HTML, HTML5 and XML are the main browser web development tools.


CHAPTER 2 : Analysis and Comparison of Desktop Browsers

In this chapter, we first present definitions of mobile browser and desktop browser and the common interface elements of various browsers. Then it shows the wide variety of browsers available and some of their special features, and then a comparative analysis of some common web browsers. Then it shows which browser performs best when tested against socially engineered malware. Lastly, we have a look at the present usage share and future trend of browsers.

2.1 Desktop browser and Mobile browser

According to current statistics we can see that the trend of mobile internet is growing tremendously over desktop internet. In 2013, more tablets and smartphones were sold than PCs. A web browser is a software application for accessing information on the World Wide Web by Uniform Resource Locator (URL). The major web browsers are Google Chrome, Mozilla Firefox, Apple Safari, Opera and Internet Explorer. All web browsers allow the user to open multiple information resources at the same time, either in different browser windows or in different tabs of the same window. Some browsers also include pop-up blockers and add-ons. Most browsers include essential features like bookmarks, plug-ins, history, effects, etc.

Most web browsers have some user interface elements in common:

- A refresh or reload button to reload the current page again.
- A back button to move back to the previous page.
- A forward button to move to the next page.
- A home button to go to the home page.
- A search engine tool bar.
- A stop button to cancel loading the page.
- An to enter the desired uniform resource locator.
- The viewport, i.e. the visible area in which the page loads.
- The ability to view HTML .
- A history button so that we can see all history and can delete it.

A mobile browser, also called a minibrowser, microbrowser or wireless Internet browser (WIB), is a web browser designed for and tablets. They are specially designed to display for small screens. Mobile browser software must be small and efficient to accommodate the low memory capacity. Some common mobile browsers are Google Chrome, Iris, Mozilla Firefox, Kindle, Apple Safari, Opera, Internet Explorer, Maxthon, Blackberry, UC Browser, etc.


Table : Various mobile browsers

| Browser                  | Release Year | Latest Version    | Creator        | URL                                            |
|--------------------------|--------------|-------------------|----------------|------------------------------------------------|
| Internet Explorer Mobile | Nov,1996     | Windows phone 8.1 | Microsoft      | http://microsoft.com/ie                        |
| Mozilla Firefox          | Jan,2010     | 30.0              | Mozilla        | http://www.mozilla.com/mobile/                 |
| Google Chrome            | Sep,2008     | 35.0.1916.141     | Google         | http://www.google.com/chrome                   |
| Safari                   | Jan,2003     | 7.0.5             | Apple          | http://apple.com/safari                        |
| Iris                     | 2008         | 1.1.9             | Torch Mobile   | http://www.torchmobile.com/                    |
| Opera mobile             | 2000         | 20                | Opera          | http://www.opera.com/mobile                    |
| Dolphin                  | 2011         | 11.1.3            | MoboTap        | http://dolphin-browser.com/                    |
| Blazer                   | 2000         | 4.5               | Palm           | http://download-blazer.soft112.com/            |
| Polaris                  | 2002         | 7.2               | Infraware Inc. | http://www.infraware.co.kr/                    |
| Skyfire                  | 2010         | 4.1.0             |                | http://www.skyfire.com/                        |
| UC browser               | 2004         | 9.8               | UCWeb          | http://www.ucweb.com/                          |
| Maxthon                  | 2003         | 4.4.1.200         | Maxthon        | http://www.maxthon.com/                        |
| NetFront                 | 1995         | 4.3               | Access Co.     | http://gl.access-company.com/products/browser/ |

2.2 Analysis of various desktop browsers

A wide range of browsers are available in the market with some special features. Some of them are listed below:

Internet Explorer

From 1999 to 2003-04, its usage share was around 95%. Its current version is 11.0.9, released on June 10, 2014. An important feature is the regular Microsoft updates that IE receives. It allows an image to be used as and supports Integrated Windows Authentication. Its URL link is http://microsoft.com/ie


Mozilla Firefox

It allows users to access the code since it is open source software. Its current version is 30.0, released on June 10, 2014. It allows users to open multiple sites in a single window, i.e. it supports tabbed browsing. Session restore is an important feature since it allows the open tabs to be accessed again after closing the window. Its URL link is http://mozilla.org/firefox

Safari

Its current version is 7.0.5, released on June 30, 2014. It has many features like the VoiceOver screen reader, which reads text and web written on screen, CSS Canvas, XML 1.0, LiveConnect, JavaScript support, Cover , grammar checking and corrections, and also a resizable web search box option. Its URL link is http://apple.com/safari

Opera

Its current version is 22.0.1471.70, released on June 18, 2014. Its important features are zoom, fit-to-width, tabs, content blocking, sessions, mouse gestures and a download manager. Its URL link is http://www.opera.com/

Google Chrome

Its current version is 35.0.1916.153, released on June 10, 2014. The main feature is that it suggests and warns while surfing on a site, and a user tracking option is also available. Its URL link is http://www.google.com/chrome

Netscape Navigator

It is compatible with almost every . Its current version is 8.1.3. It has an email and news client messenger and also allows commercial sites to publish articles, for which they charge the user for access. Its URL link is http://www.netscape.ca/ns/browsers/7/download/

Lynx

Its current version is 2.8.8, released on March 9, 2014. It can be remotely accessed over SSH (Secure Shell network protocol) and Telnet, which allows Lynx to test a website's performance from any geographical location. It has a wide variety of text-to-speech interfaces. Its URL link is http://lynx.isc.org/

OmniWeb

It was developed by the Omni Group in 1995. Its current version is 5.11.2, released on July 23, 2012. It is a . It offers us a workspace where we can store our personal browsing history and allows us to share it with others if we wish. It has features which block images from restricted sites. Its URL link is http://www.omnigroup.com/more

Voyager

It was developed by VaporWare in 2000. Some features are HTML 3.2, HTML 4, Flash, SSL, etc. Its URL link is http://www.vapor.com/voyager/


Konqueror

Its current version is 4.13.1, released on May 13, 2014. It supports SFTP, FTP, HTTP, SAMBA, IMAP and others. It customizes the search, and passwords and usernames are stored for future use. It will automatically block ads and pop-ups. Its URL link is http://www.konqueror.org/

iCab

It was developed by Alexander Clauss in 1999. Its current version is 5.2, released on June 3, 2014. It works on Mac OS X. It has a filter manager and an HTML validity checker. It supports multiple languages. If one bookmarks a site and there is an update on it, then it will automatically update it. Its URL link is http://icab.de/

Web

It was developed by the GNOME Web Browser Developers in 2003, especially for the GNOME desktop. Its current version is 3.12.2, released on May 20, 2014. It supports Linux, BSD and Mac OS X. It supports HTML5 plus XHTML, an ad blocker, gestures, etc.

Maxthon

Its current version is 4.4.1.200 for Windows, released on June 12, 2014. It supports pop-up and ad blocking, , an ActiveX blocker and customizable skins. Its URL link is http://www.maxthon.com/

Camino

It was developed by Apple Inc. in 2002. Its current version is 2.1.2, released in 2012. It is free and open source software. It is multilingual and supports HTML5. It also supports an ad and pop-up blocker and the Cocoa API. Its URL link is http://caminobrowser.org/

Avant Browser

It was developed by Avant Force in 2004. Its current version is 2014 build 7, released on June 25, 2014. It is a free browser and is available in 41 languages. It supports full screen mode, 21 skin options, content blocking and automatic page refresh. Its URL link is http://www.avantbrowser.com/

Netsurf

It was developed by The NetSurf Developers in 2002. Its current version is 3.1, released on April 26, 2014. It has its own layout engine and third party ports as well. Its URL link is http://www.netsurf-browser.org/

xombrero

It was developed by Marco Peereboom in 2012 and has no ad blocking feature. Its current version is 1.6.3, released on July 11, 2013. It supports Windows and Unix. Its URL link is ://opensource.conformal.com/wiki/xombrero


Now let's consider 9 common browsers, i.e. Google Chrome, Internet Explorer, Konqueror, Lynx, Mozilla Firefox, Netscape Navigator, Opera, Safari and Maxthon. We present a comparative analysis based on some essential features, i.e. their creator, initial release, the operating systems they support, browser features, accessibility features, the web and mobile web technologies they support, various plugins, JavaScript, and the protocols and image formats they support, which is given in table 2.2 below:

Table 2.2: Analysis of some common browsers

| Feature | Google Chrome | Internet Explorer | Konqueror | Lynx | Mozilla Firefox | Netscape Navigator | Opera | Safari | Maxthon |
|---|---|---|---|---|---|---|---|---|---|
| Creator | Google | Microsoft | KDE | Grobe | Mozilla | Netscape | Opera | Apple | Maxthon |
| FOSS | Some | No | Yes | Yes | | No | No | Some | No |
| Cost | Free | Free | Free | Free | Free | Free | Free | Free | Free |
| Current layout engine | | Trident | KHTML, Webkit | Custom | Gecko | Custom | Blink | Webkit | Blink |
| Initial release | Sep,2008 | Aug,1995 | Oct,2000 | 1992 | Nov,2004 | Dec,1994 | 1994 | Jan,2003 | 2003 |
| Operating System | | | | | | | | | |
| Windows | Yes | Yes | Partial | Yes | Yes | Yes | Yes | Dropped | Yes |
| OSX | Yes | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| LINUX | No | No | Yes | Yes | Yes | Yes | Yes | No | Yes |
| BSD | No | No | Yes | Yes | Yes | Yes | Yes | No | No |
| Other Unix | No | No | Yes | Yes | Yes | Yes | Yes | No | No |
| Browser Features | | | | | | | | | |
| Bookmark | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Download | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Password | Yes | Yes | Yes | No | Yes | Yes | Yes | Yes | Yes |
| Form | Yes | Yes | Yes | No | Yes | Yes | Yes | Yes | Yes |
| Spell | Yes | Yes | Yes | No | Yes | Yes | Yes | Yes | Yes |
| Search Engine | Yes | Yes | Yes | No | Yes | Yes | Yes | Yes | Yes |
| Privacy mode | Yes | Yes | No | No | Yes | No | Yes | Yes | Yes |
| Per-site security | Yes | Yes | Yes | Yes | Yes | ? | Yes | Yes | Yes |
| Auto updater | Yes | Yes | No | No | Yes | Yes | Yes | Yes | Yes |
| Accessibility | | | | | | | | | |
| Tabbed browsing | Yes | Yes | Yes | No | Yes | Yes | Yes | Yes | Yes |
| Pop-up blocking | Partial | Yes | Yes | N/A | Yes | Yes | Yes | Yes | Yes |
| (label missing in source) | Yes | Yes | Yes | No | Yes | Yes | Yes | Yes | Yes |
| Ad-filtering | No | Yes | Yes | N/A | Yes | No | Yes | Yes | Yes |
| Page zooming | Yes | Yes | Yes | N/A | Yes | No | Yes | Yes | Yes |
| Full text searching | Yes | Yes | No | No | Yes | No | Yes | Yes | No |
| Content (label truncated in source) | No | No | No | No | Yes | No | Yes | No | ? |
| (label missing in source) | Yes | Yes | Yes | No | Yes | Yes | Yes | Yes | Yes |
| Tabbing | Yes | Yes | Yes | No | Yes | Yes | Yes | Yes | Yes |
| Spatial | Yes | Yes | Yes | Yes | Yes | No | Yes | Yes | Yes |
| Carets | Yes | Yes | Yes | No | Yes | Yes | No | Yes | Yes |
| Bookmarks | Yes | Yes | Yes | No | Yes | Yes | Yes | No | |
| Mouse gesture | No | No | Yes | No | No | No | Yes | Yes | Yes |
| Text-to-speech | No | Yes | Depends | No | No | No | Yes | Yes | No |
| Voice Control | No | Yes | No | No | Yes | No | Yes | Yes | No |
| stacking (label truncated in source) | Disabled | No | No | No | No | No | Yes | No | No |
| Web Technology | | | | | | | | | |
| CSS 2.1 | Yes | Yes | Yes | No | Yes | Yes | Yes | Yes | Partial |
| Frames | Yes | Yes | Yes | Partial | Yes | Yes | Yes | Yes | Yes |
| Nav Links | No | No | Yes | Yes | No | ? | Yes | No | ? |
| XSLT | Yes | Yes | No | No | Yes | Yes | Yes | Yes | Yes |
| XHTML 1.0 | Yes | Yes | Yes | No | Yes | Yes | Yes | Yes | No |
| XHTML 1.1 | Yes | Yes | Yes | No | Yes | Yes | Yes | Yes | No |
| MathML | Yes | No | No | No | Yes | Yes | Yes | No | No |
| Xforms | No | No | No | No | Yes | No | No | No | No |
| Web Forms 2.0 | No | No | No | No | Yes | No | Yes | No | No |
| Voice XML | No | No | No | No | No | No | Yes | No | No |
| SMIL | No | Yes | ? | No | Yes | No | Yes | No | Yes |
| VML | No | Yes | No | No | No | No | No | No | Yes |
| CSS presentation | ? | ? | ? | ? | No | ? | Yes | No | ? |
| Mobile web tech | | | | | | | | | |
| -HTML (label truncated in source) | ? | ? | ? | No | Partial | ? | Yes | ? | ? |
| HDML | ? | ? | ? | No | No | No | No | ? | ? |
| I-mode | ? | ? | ? | No | No | No | Yes | ? | ? |
| X-HTML mobile | ? | No | Yes | No | Partial | ? | Yes | ? | ? |
| WML | No | No | No | No | No | No | Yes | No | No |
| WBMP | ? | ? | ? | No | ? | ? | Yes | ? | ? |
| Plugins & syndicated | | | | | | | | | |
| ActiveX | No | Yes | No | No | No | No | No | No | Yes |
| NPAPI | Yes | No | Yes | No | Yes | Yes | Yes | Yes | No |
| Java | Yes | No | No | No | No | No | No | Yes | ? |
| (label missing in source) | Yes | Yes | No | No | Yes | No | No | Partial | ? |
| RSS | No | Yes | Yes | No | Yes | No | Yes | No | Yes |
| (label missing in source) | No | Yes | Yes | No | Yes | No | Yes | No | Yes |
| Other | ? | Yes | ? | No | ? | ? | No | ? | ? |
| JavaScript Support | | | | | | | | | |
| JavaScript | Yes | Yes | Yes | No | Yes | Yes | Yes | Yes | Yes |
| ECMAScript 3 | Yes | Yes | Yes | No | Yes | Partial | Yes | Yes | Yes |
| DOM 1 | Yes | Yes | Yes | No | Yes | No | Yes | Yes | Partial |
| DOM 2 | Yes | Yes | Yes | No | Yes | No | Yes | Yes | No |
| DOM 3 | Partial | Partial | Partial | No | Partial | No | Partial | Partial | No |
| XPath | Yes | Yes | No | No | Yes | No | Yes | Yes | Yes |
| DHTML | Yes | Yes | Yes | No | Yes | Yes | Yes | Yes | Yes |
| XMLHttpRequest | Yes | Yes | Yes | No | Yes | No | Yes | Yes | Yes |
| Rich editing | Yes | Yes | No | No | Yes | No | Yes | Yes | Yes |
| Protocol support | | | | | | | | | |
| HTTP | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| FTP | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Partial | Yes |
| NNTP | No | No | No | Yes | No | Yes | Yes | No | No |
| SSL | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| EV | Yes | Yes | No | No | Yes | No | Yes | Yes | Yes |
| IRC | No | No | No | No | No | No | Yes | No | No |
| (label missing in source) | No | Dropped | No | Yes | Dropped | Yes | No | No | No |
| IDN | Yes | Yes | Yes | No | Yes | Yes | Yes | Yes | Yes |
| data: URL | Yes | Partial | Yes | No | Yes | Yes | Yes | Yes | No |
| BitTorrent | No | No | Yes | No | No | No | Yes | No | No |
| IPv6 | ? | Yes | Yes | Yes | Yes | ? | Yes | Yes | Yes |
| Proxy | Yes | Yes | Yes | Partial | Yes | ? | Yes | Yes | Yes |
| Image Format | | | | | | | | | |
| JPEG | Yes | Yes | Yes | No | Yes | Yes | Yes | Yes | Yes |
| JPEG 2000 | No | No | Yes | No | No | No | No | Yes | No |
| JPEG XR | No | Yes | No | No | No | No | No | No | No |
| GIF | Yes | Yes | Yes | No | Yes | Yes | Yes | Yes | Yes |
| PNG | Yes | Yes | Yes | No | Yes | Yes | Yes | Yes | Yes |
| APNG | No | No | No | No | Yes | No | Dropped | No | No |
| MNG | No | No | Yes | No | No | Dropped | No | No | No |
| TIFF | No | Yes | Yes | No | No | No | No | Yes | Disable |
| SVG | Partial | Partial | Partial | No | Partial | No | Partial | Partial | Partial |
| PDF | Yes | No | Yes | No | Yes | No | No | Yes | No |
| 2D Canvas | Yes | Yes | Yes | No | Yes | No | Yes | Yes | Yes |
| XBM | Yes | Dropped | ? | Dropped | Yes | Yes | Yes | No | No |
| BMP | Yes | Yes | Yes | No | Yes | ? | Yes | Yes | Yes |

We can see that Lynx, Firefox, Netscape and Opera support all platforms, and Chrome, Internet Explorer, Firefox, Maxthon, Opera and Safari are best in browser features. Opera and Safari are best with respect to accessibility features. Firefox and Opera support the maximum number of web technologies. Only Opera supports the maximum number of mobile web technologies. Internet Explorer supports the maximum number of plugins whereas Lynx doesn't support any of them. Lynx doesn't support JavaScript at all, whereas Chrome, Internet Explorer, Opera and Safari have maximum JavaScript support. Opera and Safari support the maximum number of protocols. So, according to features, Opera can be considered the best browser.

2.3 Best Browser

A research test was done by NSS Labs on 8 leading browsers, including 3 of them, i.e. Liebao Browser, 360 Safe Browser and Explorer from , which were tested against Security Stack using 657 samples of Socially Engineered Malware (SEM) captured over 14 days. The first graph shows the average block rate for SEM for these browsers.

Figure: AVERAGE BLOCK RATE FOR SEM

This shows that Internet Explorer blocked 99.9% of SEM using URL filtering and App Rep, whereas Google Chrome blocked 70.7% of SEM using URL filtering and download protection. The next graph shows how much time each browser takes to block new SEM.


Figure: AVERAGE TIME TO BLOCK SEM

This shows that IE requires an average of less than 5 minutes to block new SEM, whereas Firefox and Safari take longer than one day on average to block new SEM. This clearly shows that IE is superior to all the tested browsers. The next graph is the mean phishing block rate of the various browsers. The higher the block rate, the better the browser is. The average phishing URL catch rate for the browsers ranged from 90% for Firefox to 94% for Chrome.

Figure: MEAN BLOCK RATE FOR PHISHING

2.4 Present usage share and future trend of web browser

The usage share of web browsers is the proportion, expressed as a percentage, of visitors to a group of websites that use a particular web browser. Web browser usage share varies from region to region as well as over time. Now let's see two statistics, one from StatCounter and one from W3Counter.


Figure: USAGE SHARE OF WEB BROWSER

WEB BROWSER MARKET SHARE

| Web Browser | Version | Share  |
|-------------|---------|--------|
| Chrome      | 35      | 28.00% |
| Safari      | 7       | 11.92% |
| Firefox     | 30      | 6.57%  |
|             |         | 6.05%  |
| Firefox     | 29      | 5.85%  |
|             |         | 5.49%  |
| Android     | 4       | 4.05%  |
|             |         | 3.68%  |
|             |         | 2.30%  |
| Safari      | 6       | 2.13%  |

All web browsers like Internet Explorer, Firefox and Chrome effectively do the same thing, except that Chrome and Firefox are both open source projects, so anyone can edit them and add special features like plugins and add-ons. In the coming days, and the introduction of HTML5 will help us to create more websites and programs and make them accessible on different smartphones and tablets.

2.5 Conclusion

As time passes, the development of new features has led to the development of many browsers. Each has some important characteristics of its own. Chrome is the most widely used in the world, but Internet Explorer has the maximum average block rate for socially engineered malware and takes the minimum time to block new SEM compared with Google Chrome.


CHAPTER 3 : Analysis and Comparison of Mobile Browsers

In this chapter, an analysis and comparison of various mobile browsers is presented for common mobile browsers, excluding those already discussed in chapter 2 which have the same features in their mobile versions. Then it shows the various mobile platforms available in the market and the security basis they rely on, the various types of screen resolutions and the common disadvantages of using mobile internet. Lastly, the steps to achieve interoperability and the various mobile protocols available are presented.

3.1 Analysis of various mobile browsers

Nowadays, the world is tending towards a mobile dominated web. 1 out of every 10 customers comes to a site using a mobile device. More people in Africa have a mobile phone than access to electricity. We have already discussed some important browsers and their characteristics. Let us analyse some properties of mobile browsers:

- Blazer: It was developed by Bluelark Systems in Nov, 2000. The creator of Blazer is Palm and it is not free and open source software. It supports Palm OS 3.1 or higher with 8 MB of free memory available. The current layout engine is NetFront. Its version 1.0 supports HTML and WAP but it doesn't support . Its URL link is http://download-blazer.soft112.com/

- Dolphin: The creator of Dolphin is MoboTap and it is not free and open source software. The current layout engine is Webkit. It supports Adobe Flash Player, tabbed browsing, Dolphin Sonar, gesture browsing, sync and webzine. Its URL link is http://dolphin.com/

• Iris: The creator of Iris is Torch Mobile, in 2008, and some versions are free and open-source software. The current layout engine is WebKit. It supports advanced HTML, CSS, JavaScript, zoom and tap, multiple windows and tabs, rotating devices, pop-up blockers, HTTP cache, the Netscape plugin API, advanced mobile key navigation, SVG, XPath and XSLT, bookmarks and cookies. Its URL is http://iris-browser.en.softonic.com/pocketpc

• UC Browser: The creator of UC Browser is UC Mobile, in 2004, and the current layout engine is U3. It works on Android, iOS, , and . It supports HTML5, WebApp, add-ons, download management, data compression, a cloud system and sharing. Its URL is http://ucbrowser.in/

There are various signs by which one can determine whether a browser is fake or real, or whether your browser has been hacked. The signs are:

• Fake antivirus messages
• Unwanted browser toolbars
• Redirected internet searches
• Frequent random pop-ups
• Your friends receive fake from your email account
• Your online passwords suddenly change
• Unexpected software installs
• Your mouse moves between programs and makes correct selections
• Your antimalware software or Registry Editor is disabled and can’t be restarted
• Your bank account is missing money
• You get calls from stores about nonpayment of shipped goods

3.2 Mobile Platforms and Security Basis

A is an operating system that operates a , tablet or other mobile device. Mobile operating systems contain features like touchscreen, cellular, GPS mobile navigation, Bluetooth, Wi-Fi, camera, video camera, player, speech recognition, voice recorder and near field communication. There are four major mobile platforms, and each has its own security basis. They are:

• Apple’s iOS (iPhone/iPad/iPod), which is a subset of MacOS (Objective-C) and uses NX stack/heap protection. It was developed by Apple in March 2008. The current version is iOS 7.1.2. It is closed source and allows third-party applications to be installed. Its URL is https://www.apple.com/ios/

• Google’s Android (smartphones/tablets), which is based on Java and the NDK. It was developed by Google in November 2007. The current Android version is 4.4. Android’s worldwide market share rose from 1.8% to 17.2%, and in 2011 Android reached 52.5% of the global smartphone market share. Its URL is http://www.android.com/

• ’s Symbian, which is based on C++ with enhanced memory management. It was developed by Nokia in 1997. Its latest release is Nokia Belle Feature Pack 2, in October 2012. Its URL is http://symbian.nokia.com/

• Microsoft’s , which is based on .NET/C++ with GS enhanced security. It is closed source and was developed by Microsoft in November 2008. Its current version is .1, released in June 2014. Its URL is http://www.windowsphone.com/

There are various other platforms available in the market as well. Some of them are:

• Blackberry: It is proprietary and closed source.
• Firefox OS: It was developed by Mozilla and is open source.
• Sailfish OS: It is from Jolla and is open source. Its first device was launched in May 2013.
• : It is from the Linux Foundation and is an open-source system.
• Touch OS: It is from Ltd and is open source.
• LiMo 4: It is from the LiMo Foundation. It was first launched in February 2011.
• : It was developed by Nokia. It is an open-source project.
• MeeGo: It was developed by the Linux Foundation and is open source.
• Palm OS: It is from Access Co. It is proprietary and closed source. It was launched in January 2009.
• webOS: It was developed by LG, and it is proprietary, though some parts are open source. It was introduced in in 2011.

There are various operating systems available to us, like Windows, Android, iOS, etc. The following statistics show the current percentage usage of various operating systems.

USAGE OF VARIOUS OPERATING SYSTEMS

Operating System    Usage
                    38.70%
Windows XP          10.22%
iOS 7               10.18%
                    8.885
Android 4           8.41%
Mac OS X            6.78%
                    3.76%
Linux               2.16%
Android             1.36%
iOS 6               1.09%

3.3 Mobile Screen Resolution

There are a number of names and abbreviations used to refer to the dimensions of displays on smartphones and tablets. Early displays were based on the old PC standard of Video Graphics Array (VGA) resolution: VGA 640 x 480, QVGA 320 x 240, HVGA 480 x 320, WVGA 800 x 480 and FWVGA 854 x 480, where Q stands for quarter, H for half, W for wide and FW for full wide. XGA resolution displays (1024 x 768) are not common on mobile devices, but many tablet displays use WXGA (wide XGA), which is commonly 1280 x 720 or 1280 x 800. Newer high-end displays are often based on the 720p (1280 x 720) and 1080p (1920 x 1080) resolutions of HD televisions. Some derivative resolutions are qHD at 960 x 540 and nHD at 640 x 360. Some common mobile screen resolutions are:

• 640 x 480
• 800 x 600
• 1024 x 768
• 1284 x 800
• 1400 x 1050
• 1680 x 1050
• 1000 x 1200
• 1920 x 1200

Some common screen resolutions and their market share in June 2014 are listed below:

Screen Resolution    Share
1366 x 768           19.51%
1024 x 768           11.13%
1920 x 1080          6.92%
1280 x 800           6.35%
768 x 1024           5.93%
1280 x 1024          4.97%
1440 x 900           4.52%
1600 x 900           4.24%
320 x 568            4.01%
320 x 480            2.90%

3.4 Disadvantages of Mobile Internet

Mobile phones have become increasingly sophisticated; they are no longer used simply for making calls. Websites are now working more on optimising their pages for mobile devices, in view of increasing demand. While mobile devices make things accessible and convenient, they have their own drawbacks, especially when it comes to browsing the internet. One important advantage is that mobile applications can be quit and restarted at any time, such as when the device receives a call or text message.

• Lack of security: Mobile phones don't offer the same level of privacy as computers. Some websites can gather sensitive information stored on mobile phones. Though mobile viruses and malicious software are still uncommon, mobile phones don't have the necessary protection should an infection happen. Websites adapted for the mobile internet don't carry the same type of and security as desktop browsers. There are no firewalls and intrusion detection systems to block unwanted traffic.

• Incompatibility: Some websites with many pages and different scripts may not load successfully on a mobile device. The mobile internet doesn't support all the complex scripts available for web browsing, and some website developers' tools are incompatible with it. When a website is not compatible with the mobile browser, the pages may not load successfully, or the website may not appear correctly, with some images and text missing.

• Small screen size: Mobile devices may offer convenience because of their size, but they don't offer the best web browsing experience. Website text appears a lot smaller than when browsing on a computer. Zooming only makes the text a little larger but adds the inconvenience of having to scroll to view the entire content. A small screen also makes it difficult to type and more prone to typographical errors.

• Unreliable connectivity: The mobile internet protocol is still less reliable than the regular internet protocol. When mobile devices are connected to the internet, websites take a long time to load or won't load at all. The mobile internet is prone to connection timeouts because it can't contact the website immediately. This is a particular problem when you're doing mobile banking transactions and the connection times out: you don't know whether the transaction has completed successfully or whether you have to start all over again.

• Lack of windows and navigation

• More cost and operating-system specific

3.5 Mobile Networks and Protocols

Mobile networking evolution has four main stages:

• 1st Generation Wireless (1970s): It is based on analog technology, has poor spectral efficiency and carries voice only.
• 2nd Generation Wireless (1980s): It is based on analog or digital technology, has higher spectral efficiency and carries voice and limited data.
• 3rd Generation Wireless (2000s): It has better support for wireless data, mobile internetworking and wireless packet data.
• 4th Generation Wireless (future): It has wireless and mobile multimedia, smart antennas and spatial division multiple access.

GSM (Global System for Mobile Communication): GSM uses the Short Messaging Service (SMS) and Time Division Multiple Access (TDMA) for voice. This technology is very common in Europe, Asia and Japan. It is an open, digital technology used for transmitting mobile data and voice services. By roaming, we can use our GSM phone number in another GSM network. It aimed to provide international roaming, improved spectrum efficiency, high-quality speech, low-cost mobile sets and support for new services, and it provides compatibility with the Integrated Services Digital Network (ISDN) and other telephone services. The GSM network authenticates the identity of the subscriber through a challenge-response mechanism. It also ensures subscriber identity confidentiality with the help of the Temporary Mobile Subscriber Identity (TMSI).

GPRS (General Packet Radio System for GSM): It is the first step towards end-to-end wireless communication. It provides packet radio access for GSM and time-division multiple access (TDMA) users. Its key features are that it makes applications only one click away, removing the dial-up process, that it is automatically updated, and that it plays an important role for future 3G systems. The main goals of GPRS are to provide an open architecture, the same infrastructure for different interfaces, consistent IP services, and an integrated infrastructure and telephony. GPRS gives us a higher data rate and more user-friendly billing.

MLP (Mobile Location Protocol): It is an application-level protocol used for receiving the position of mobile stations like mobile phones, wireless devices, etc. Its main features are:

• Standard Location Immediate Service (SLIS)
• Emergency Location Immediate Service (ELIS)
• Standard Location Reporting Service (SLRS)
• Emergency Location Reporting Service (ELRS)
• Triggered Location Reporting Service (TLRS)
• Historic Location Immediate Service (HLIS)

3.6 Interoperability

Interoperability is the ability of different software applications and information technology systems to communicate, to exchange data and to use the information that has been exchanged. With respect to software, the term interoperability describes the capability of different programs to exchange data via a common set of exchange formats, to read and write the same file formats, and to use the same protocols. A lack of interoperability can be a consequence of a lack of attention to standardisation during the design of a program. Software interoperability is achieved through five interrelated ways:

1. Product testing

This requires that systems be formally tested in production before they are finally implemented, so as to ensure that they actually intercommunicate, i.e. that they are interoperable.

2. Product engineering

It implements the common standard as defined by the industry/community partnership, with the specific intention of achieving interoperability with other software implementations.

3. Industry/community partnership

Industry/community partnerships, either domestic or international, sponsor standard workgroups with the purpose to define a common standard that may be used to allow software systems to intercommunicate for a defined purpose.

4. Common technology and IP


The use of a common technology or IP may speed up and reduce the complexity of interoperability by reducing variability between components from different sets of separately developed software products, thus allowing them to intercommunicate more readily.

5. Standard implementation

Software interoperability requires a common agreement that is normally arrived at via an industrial, national or international standard.

3.7 Future of Mobile Browsers

In 2013, Apple’s Safari was used by 58% of mobile browser users in the previous month; Google’s unbranded Android browser came in at 20.6%; came in at 11.2%; the “others” (Chrome, Internet Explorer and various 3rd-party browsers) held a combined 10% or so. With Safari’s lead dropping, the following three mobile browsers are excellent examples of 3rd-party competitors that are slowly but surely picking up Apple’s and Google’s slack.

1. UC Web Browser: China-based UCWeb has experienced success with over 400 million users, including a growing 100 million non-Chinese users. The company has announced that it is going to put nearly $500 million into the browser’s global expansion, gaming platforms, increased monetisation and cloud advancement. The company is looking into global expansion, especially in Brazil, Vietnam, and Indonesia.

2. Boat: Boat is a great example of a solid member of the lower tier of 3rd-party web browsers that, though still growing, has the same speed, features and abilities as a behemoth like Safari, with a sleek interface and simple, customisable themes. It lacks big downloads, but it makes up for this in features: accurate voice commands, speed-dial start-up pages and even a “mini” version of the browser.

3. Dolphin: The Android-specific is quickly becoming one of the most popular 3rd-party browsers on smartphones because of its speed, easy user interface and well-established version. Dolphin released a new feature last year called “Dolphin Jetpack”, which makes mobile browsing “stupid fast”.

Despite this, some established browsers are still planning changes. Some are:


Opera Ice

"No buttons; no menus," according to the Opera rep who demonstrated the company's new browser, Ice, on an iPad. Just drag a site onto the Speed Dial (sort of like a home screen for the browser) and it becomes an app to tap on. The whole browser works like that, with gestures and swipes replacing the usual .

Mozilla Firefox

The Mozilla Marketplace is already open to people running the "Aurora" version on smartphones and tablets, and you can buy apps which will also work on the upcoming Firefox phones.

Google Chrome

Google's open-source Chrome web browser has had its own web called the . Some of the apps there, such as Gmail Offline, even work while you aren't connected to the web.

3.8 Conclusion

This chapter covered the various mobile browsers and their features, the mobile platforms and their security basis, and mobile screen resolutions. There are several disadvantages to using the mobile internet. Existing browsers like Opera, Chrome and Firefox are trying to build new apps for mobile. UC Browser, Dolphin and Boat browser are expected to have a bright future in the coming time compared with Google Chrome and Apple’s Safari.


CHAPTER 4 : Design and Implementation of Browser for secure Mobile Banking

This chapter deals with secure mobile banking, the challenges of developing a mobile application, and the risks and measures for secure mobile banking. Then it covers the various attacks through browsers on online transactions, like the man-in-the-browser attack and attacks through cookies, plug-ins, JavaScript, etc., and how one can prevent them. Finally, it shows the design and implementation of a secure mobile browser only for banks, including geolocation authentication for secure mobile transactions.

4.1 Secure Mobile Banking

Mobile banking allows the customer of an institution to conduct banking activities such as receiving account alerts, checking balances or making payments through a smartphone or a tablet. There are three delivery channels of mobile banking:

• Short Message Service (SMS)/text messaging
• Mobile-enabled internet browser
• Mobile application

In the last year, 21% of mobile users have used mobile banking, and in the coming year 11% of those will switch to mobile banking. By 2015, 50% of all financial institution customers will be mobile banking customers. Several common uses of mobile phones were observed during the past 12 months: checking account balances and recent transactions, downloading the bank’s mobile banking application, transferring money between two accounts, receiving text message alerts from the bank, making bill payments using the bank’s website or application, locating the closest in-network ATM, depositing a cheque to an account and managing investments, etc. There are several challenges in building a mobile banking application:

• Handset operability: It is one of the biggest challenges for banks to make a mobile banking solution that works on different types of mobile phone devices. Some devices support Java ME, some a WAP browser, some the SIM Application Toolkit, and some support only SMS.

• Security: Security of financial transactions and transmission of financial information are the most complicated challenges in front of banks. They can increase security by authenticating the device before allowing transactions, authenticating the user ID and password of the customer, encrypting data transferred and stored on the device, securing the application and offering physical security of the device. OTP generation is a good measure adopted by banks to increase security.

• Reliability and scalability: With the increasing demand for mobile banking, the bank has to assure its best service, one that works quickly and securely 24x7.

• Personalisation: The application has to support different preferred languages, date/time formats, amount formats, alerts and default transactions.

• Application distribution: The application should be able to upgrade and update by itself.

The table below lists countries by the percentage of people who had done mobile banking transactions in the previous three months, from a Bain survey:

Country           Usage
South             47%
China             42%
Hong Kong         41%
Singapore         38%
                  37%
Spain             34%
                  32%
Mexico            30%
Australia         27%
France            26%
United Kingdom    26%
Thailand          24%
Canada            22%
                  14%

There are several risks for the mobile channel of banks. Some are:

• Theft or loss of device
• Phishing attacks (impersonation of an app)
• Weak PIN code protection mechanisms
• Reverse engineering by clients
• Data recovery from decommissioned devices
• Possible non-compliance with regulatory bodies
• Man-in-the-middle attacks

Some mobile banking building blocks are:

• Strong
• Profile authentication and transaction authorisation
• Application process security
• Disabling of default OS behaviour
• Emergency channel communication
• Keeping code safe and adhering to secure coding practices
• Legal disclaimer for jail-broken devices
• Granular mobile channel limits model
• Forced upgrade of the mobile banking app
• Security awareness for the end user
• Secure enterprise app distribution mechanism
• Total channel management

4.2 Browser attacks on banking

The web browser used has various functions and features, and enabling some of them may lower the security of the computer. Attackers use vulnerabilities to steal user information, destroy files and use a computer to attack other computers. Some specific web browser features and their associated risks are briefly described below.

ActiveX is a technology used by Microsoft Internet Explorer on systems. ActiveX allows applications, or parts of applications, to be utilised by the web browser. This gives extra functionality to traditional web browsing, but may also introduce more severe vulnerabilities if not properly implemented. The problem with using ActiveX in a web browser is that it greatly increases the attack surface, or “attackability”, of a system. Installing any Windows application introduces the possibility of new ActiveX controls being installed. Vulnerabilities in ActiveX objects may be exploited via Internet Explorer, even if the object was never designed to be used in a web browser.

Java is an object-oriented programming language that can be used to develop active content for websites. A , or JVM, is used to execute the Java code, or “”, provided by the website. Java usually executes within a “sandbox” where the interaction with the rest of the system is limited. However, various implementations of the JVM contain vulnerabilities that allow an applet to bypass these restrictions. Signed Java applets can also bypass sandbox restrictions, but they generally prompt the user before they can execute.

Plug-ins are applications intended for use in the web browser. Netscape developed the NPAPI standard for developing plug-ins, and this standard is used by multiple web browsers, including Mozilla Firefox and Safari. Plug-ins are similar to ActiveX controls but cannot be executed outside of a web browser. Adobe Flash is an example of an application that is available as a plug-in. Plug-ins can contain programming flaws such as buffer overflows, or they may contain design flaws such as cross-domain violations, which arise when the same-origin policy is not followed.

Cookies are files placed on your system to store data for specific websites. A cookie can contain any information that a website is designed to place in it, including information about the sites you visited. Cookies are designed to be readable only by the website that created them. Session cookies are cleared when the browser is closed, whereas persistent cookies remain on the computer until the specified expiration date is reached. Cookies can be used to uniquely identify visitors of a website, which some people consider a violation of privacy. If a website uses cookies for authentication, then an attacker may be able to gain unauthorised access to that site by obtaining the cookie. Persistent cookies pose a higher risk than session cookies because they remain on the computer longer.
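To make the session/persistent distinction above concrete, here is an added Python example (not code from the report) that parses a Set-Cookie header, classifies the cookie as session or persistent, and additionally flags the Secure, HttpOnly and SameSite attributes, which the report does not discuss but which decide whether an authentication cookie can be read by page scripts, sent over plain HTTP, or attached to cross-site requests. The headers and the list of authentication-like cookie names are constructed for the example.

```python
def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, attributes).

    Attribute names are lower-cased; flag attributes (Secure, HttpOnly)
    map to True, valued attributes (Expires, Max-Age, ...) to their string.
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value.strip(), attrs


def assess_cookie(header, auth_names=("session", "sessionid", "auth", "token")):
    """Classify one cookie and list what a bank's security review would flag.

    `auth_names` is a constructed heuristic: cookies whose name contains one
    of these fragments are treated as credentials and rated more severely.
    """
    name, value, attrs = parse_set_cookie(header)
    persistent = "expires" in attrs or "max-age" in attrs
    looks_like_auth = any(tag in name.lower() for tag in auth_names)
    findings = []
    if persistent:
        findings.append("persistent: survives browser close, so the theft window is its whole lifetime")
    if "secure" not in attrs:
        findings.append("no Secure flag: would be sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append("no HttpOnly flag: readable by page scripts (e.g. via XSS)")
    if str(attrs.get("samesite", "")).lower() not in ("lax", "strict"):
        findings.append("no SameSite=Lax/Strict: attached to cross-site requests")
    if looks_like_auth and findings:
        risk = "high"
    elif findings:
        risk = "medium"
    else:
        risk = "low"
    return {"name": name, "persistent": persistent, "auth_cookie": looks_like_auth,
            "findings": findings, "risk": risk}


# Constructed sample headers, as a bank site might send them.
SAMPLE_HEADERS = [
    # session cookie with every protective attribute set
    "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Strict",
    # persistent authentication cookie with no protections at all
    "auth=tok987; Expires=Wed, 21 Oct 2015 07:28:00 GMT; Path=/",
    # persistent preference cookie; not a credential, so lower severity
    "lang=en; Max-Age=31536000; Path=/",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        result = assess_cookie(header)
        print(f"{result['name']:<10} risk={result['risk']:<6} persistent={result['persistent']}")
        for finding in result["findings"]:
            print("   -", finding)
```

Run against a real response, the same function lets a reviewer see at a glance whether a bank's login cookie is a session cookie with Secure and HttpOnly set, which is the configuration the paragraph above argues for.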

JavaScript, also known as ECMAScript, is a scripting language used to make websites more interactive. VBScript is another scripting language, unique to Microsoft Windows Internet Explorer. VBScript is similar to JavaScript, but it is not as widely used in websites because of limited compatibility with other browsers. The ability to run a scripting language such as JavaScript or VBScript allows authors to add a significant amount of features and interactivity to a web page. The default configuration for most web browsers enables scripting support, which can introduce multiple vulnerabilities, such as the following:

• Cross-Site Scripting: Cross-Site Scripting, often referred to as XSS, is a vulnerability in a website that permits an attacker to leverage the trust relationship that you have with that site.
• Cross-Zone and Cross-Domain Vulnerabilities: Most web browsers employ security models to prevent a script in a website from accessing data in a different domain.
• Detection Evasion: Anti-virus, Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) generally work by looking for specific patterns in content.

Man in the Browser attacks

Online banking has been a target for cyber-criminals. Nowadays, almost all banks allow their customers to do online transactions. In the initial days, phishing was a very widely used method to obtain banking credentials from unaware banking customers. Other methods included incorporating key-loggers in malware to steal banking credentials. Though phishing and key-loggers are still widely in use, banks have become aware of these threats and introduced multi-factor authentication, including one-time passwords, to thwart such attacks. A relatively new attack which defeats such multi-factor authentication is the man-in-the-browser attack. The majority of financial service professionals consider Man in the Browser the greatest threat to . There is a proxy called that infects a browser by taking advantage of vulnerabilities in browser security to modify web pages, modify transaction content or insert additional transactions. Usually MITB appears in the of BHO ()/ActiveX controls//add-on/plugin/API hooking. The man-in-the-browser attack is based on the presence on the victim machine of proxy malware that infects the user’s browser by exploiting its vulnerabilities. The malware is able to modify transaction content or conduct operations for the victim in a completely covert fashion. It usually hides its transactions from the client by altering the content presented by the browser. The malware is able to bypass multi-factor authentication: once the bank website authenticates the user who has provided the correct credentials, the Trojan horse waits for the transaction and modifies its content. The malicious code is also able to provide evidence of the success of the user’s transaction by altering the content displayed by the browser once it has executed.

The Man in the Browser attack is very insidious because neither the bank nor the user can detect it, even if a multifactor authentication process, CAPTCHA or other forms of challenge-response authentication are implemented. Security experts find that most internet users (73%) cannot distinguish between real and fake pop-up warning messages, nor do they have any possibility of distinguishing malware-crafted content. Malware such as , Carberp, Sinowal and have inbuilt MITB capabilities. Recently a ’s security team identified a new instance of the Ramnit malware that uses HTML injection to target the digital distribution platform for online gaming . Use of strong passwords, enabling multi-factor authentication and ensuring SSL certificates are valid and trusted might not be effective in providing security against MITB, because MITB malware can simply wait until the user authenticates, or it can intercept the password from the browser directly.

Some protection ways are:

1. Transaction verification: The MitB Trojan can be overcome by verifying the transaction details, as received by the host (bank), to the user (customer) over a channel other than the browser, for example an automated telephone call, SMS or a dedicated with a graphical cryptogram. Note that a mobile Trojan, the man-in-the-mobile (MitMo), can defeat out-of-band (OOB) SMS transaction verification. OOB transaction verification is ideal for mass-market use and requires no additional hardware devices, yet enables three-factor authentication (utilising voice biometrics), transaction signing (to non-repudiation level) and transaction verification. The downside is that OOB transaction verification adds to the end user's frustration with more and slower steps.


2. Man-in-the-mobile

• ZitMo (Zeus-in-the-Mobile) is not a MitB Trojan itself but is suggested for installation on a mobile phone by a Zeus-infected computer. By intercepting all incoming SMSes, it defeats SMS-based banking OOB two-factor authentication on Windows Mobile, Android, Symbian and BlackBerry. ZitMo may be detected by antivirus running on the mobile device.
• SpitMo (SpyEye-in-the-Mobile, SPITMO) is similar to ZitMo.

3. Web fraud detection

Web Fraud Detection can be implemented at the bank to automatically check for anomalous behaviour patterns in transactions.

4. Antivirus

Known Trojans may be detected, blocked and removed by . In a 2009 study, the effectiveness of antivirus against Zeus was 23%.

5. Hardened software

• Secure web browser: In this case MitB attacks are avoided, as the user executes a hardened browser from their two-factor security device rather than executing the “infected” browser from their own machine.
• Browser security software: MitB attacks may be blocked by in-browser security software such as Trusteer Rapport for Microsoft Windows and Mac OS X.
• Alternative software: Reducing or eliminating the risk of malware infection by using portable applications or using alternatives to Microsoft Windows like Mac OS X, Linux, or mobile Android, iOS, Chrome OS, Windows Mobile, Symbian etc., and/or browsers like Chrome or Opera.
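The point of the transaction-verification item (1) above is that the confirmation code must be bound to the transaction as the bank received it, so that a man-in-the-browser alteration shows up in the out-of-band message and the customer can refuse. The following added Python example (not from the report or any bank's system) models that exchange with an HMAC over the canonical transaction details; the key, account and payee values are constructed placeholders.

```python
import hmac
import hashlib
import secrets

# Constructed placeholder: a real deployment keeps this in an HSM or key store.
BANK_KEY = b"placeholder-bank-side-secret-key"


def canonical(tx):
    """One unambiguous byte string for the transaction the bank would execute."""
    return f"{tx['account']}|{tx['payee']}|{tx['amount']:.2f}|{tx['nonce']}".encode()


def bank_issue_oob(tx, key=BANK_KEY):
    """Bank side: derive a short code bound to the transaction *as received*
    and compose the out-of-band (SMS/voice) message carrying the details the
    code commits to. Returns (message, code)."""
    code = hmac.new(key, canonical(tx), hashlib.sha256).hexdigest()[:8].upper()
    message = (f"Confirm payment of {tx['amount']:.2f} to {tx['payee']} "
               f"from account {tx['account']}. Code: {code}")
    return message, code


def customer_review(intended, oob_message):
    """Customer side: compare the details in the OOB message with the payment
    actually intended. Return the code only if they agree; that code is what
    the customer types back into the (possibly compromised) browser."""
    expected = (f"payment of {intended['amount']:.2f} to {intended['payee']} "
                f"from account {intended['account']}")
    if expected not in oob_message:
        return None  # payee or amount changed between intent and bank: refuse
    return oob_message.rsplit("Code: ", 1)[1]


def bank_verify(tx, entered_code, key=BANK_KEY):
    """Bank side: recompute the code over the stored transaction and compare
    in constant time. A missing or wrong code means the transfer is not run."""
    if not entered_code:
        return False
    expected = hmac.new(key, canonical(tx), hashlib.sha256).hexdigest()[:8].upper()
    return hmac.compare_digest(expected, entered_code)


def run_transaction(intended, received, key=BANK_KEY):
    """Whole exchange. `intended` is what the customer typed; `received` is
    what reached the bank (identical when the browser is honest, altered by
    a man-in-the-browser otherwise). Returns 'executed' or 'refused'."""
    message, _ = bank_issue_oob(received, key)
    code = customer_review(intended, message)
    return "executed" if bank_verify(received, code, key) else "refused"


def demo():
    """Constructed scenario: honest browser, then a MitB rewrite of payee and amount."""
    nonce = secrets.token_hex(8)
    intended = {"account": "XXXX1234", "payee": "Alice", "amount": 100.0, "nonce": nonce}
    altered = dict(intended, payee="Mallory", amount=9000.0)  # what the Trojan submits
    return run_transaction(intended, intended), run_transaction(intended, altered)


if __name__ == "__main__":
    print(demo())  # ('executed', 'refused')
```

The defence rests on the customer reading the details in the OOB message rather than just copying the code, which is why the ZitMo/SpitMo item that follows matters: a Trojan on the phone that intercepts the SMS removes the independent channel this check depends on.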

Related attacks on browser security

• Proxy Trojans: Keyloggers are the most primitive form of proxy Trojan, followed by browser-session recorders, which capture more data, and lastly MitBs, which are the most sophisticated type.
• Man-in-the-middle: SSL/PKI etc. may offer protection in a man-in-the-middle attack, but offer no protection in a man-in-the-browser attack.
• Boy-in-the-browser: Malware is used to change the client's routing to perform a classic man-in-the-middle attack.
• Clickjacking: Tricks a web browser user into clicking on something different from what the user perceives, by means of malicious code in the web page.

4.3 Design and Implementation

As you have seen, despite the various browsers available in the market, attacks on customers of online banking still increase. A browser with more features is more dangerous for online banking: features like cookies, add-ons, plugins, bookmarks, saved history, enabled JavaScript, etc. further add to the vulnerabilities. The browser you use for making transactions is usually also used for surfing the whole web, so there are large chances of malware attacks. So the banks are now developing their own mobile applications, which give security to customers.

Here, I want to show you a design of a simple mobile browser which is especially for bank sites, i.e. you cannot browse the whole net. The user-interface elements of the mobile browser are:

• A back button to move back to the previous page.
• A forward button to move to the next page.
• A refresh or reload button to reload the current page.
• A clear history button so that we can delete all history.
• The viewport, i.e. the visible area in which the page loads.

There are four buttons in total on this browser, namely forward, back, refresh and clear history. As you open this browser, you see its home screen, titled mobile banking, for 3 seconds. Then you see a webview with a default website and the four browser buttons, and above them four buttons for banks, namely SBI, ICICI, PNB and HSBC. When you want to enter a bank site, you press that button, and the mobile website of that bank is loaded in the webview while a toast (a short message) such as “Entering into __ bank” is displayed. This browser has JavaScript disabled, and it doesn’t contain any search engine or URL link, nor any cookies, plug-ins or add-ons.

Now you can surf your bank site normally, as you would using a browser like Chrome, Firefox, Safari, Opera, etc. You can refresh your page, go back, go forward and clear your history. Once you press the clear history button you cannot go back, as you have deleted all your history. There is no way that you can view your history.
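The restriction to the default website and the four bank sites is the core security property of this design, so here is an added Python example (not the report's own code, which is an Android app) of the navigation check such a browser would apply before loading any URL, including links followed inside a bank page. The hostnames in the allowlist are placeholders, not the banks' real addresses.

```python
from urllib.parse import urlsplit

# Constructed allowlist: placeholder hostnames standing in for the default
# site and the four banks' mobile sites. Adding a host is an explicit edit here.
DEFAULT_SITE = "default.mobilebank.example"
BANK_SITES = {
    "m.sbi.example": "SBI",
    "m.icici.example": "ICICI",
    "m.pnb.example": "PNB",
    "m.hsbc.example": "HSBC",
}


def allowed_destination(url):
    """Decide whether the restricted browser may load `url`.

    Returns (True, label) for the default site or an allowlisted bank site
    reached over HTTPS on the default port, and (False, reason) otherwise.
    Hosts are matched exactly, so look-alikes such as m.sbi.example.evil.example
    and URLs that merely mention a bank host in the path or query are rejected.
    """
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    if parts.scheme != "https":
        return False, f"scheme {parts.scheme!r} rejected: only HTTPS is allowed"
    if "@" in parts.netloc:
        # user:pass@host syntax is a classic way to make a URL look like another host
        return False, "userinfo in authority rejected"
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        return False, "missing hostname"
    try:
        port = parts.port
    except ValueError:
        return False, "invalid port"
    if port not in (None, 443):
        return False, f"non-default port {port} rejected"
    if host == DEFAULT_SITE:
        return True, "default website"
    if host in BANK_SITES:
        return True, BANK_SITES[host]
    return False, f"host {host!r} is not an allowlisted bank site"


# Constructed sample navigations a webview might be asked to perform.
SAMPLE_URLS = [
    "https://m.icici.example/login",
    "https://default.mobilebank.example/",
    "http://m.icici.example/login",
    "https://m.icici.example.evil.example/",
    "https://evil.example/?next=m.icici.example",
    "https://m.icici.example@evil.example/",
    "https://m.icici.example:8443/",
    "javascript:alert(1)",
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        ok, detail = allowed_destination(url)
        print(("LOAD " if ok else "BLOCK"), url, "->", detail)
```

In the Android design described above, this check would sit in the webview's navigation callback so that every load, not only the four bank buttons, is subject to the allowlist; the bank-button handler then only ever hands over URLs that pass it.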

Now we can make our browser more secure by including some type of authentication which helps us to identify a person’s identity in addition to ID and password authentication. You can include any biometric authentication, like voice authentication, finger scans, iris scans, fingerprints, face scans, voice recognition, etc., or any type of transaction authentication, like IP address, geolocation, computer hardware, time of day, previous user pattern of behaviour, etc.

Here, I have used geolocation authentication. This will display your geographical location whenever you open the browser. It is capable of identifying the customer’s position without activating GPS. The position, i.e. latitude and longitude, is displayed after converting the values to integers.

Figure (flow diagram): the user opens the browser, which shows the default website; choosing a bank and pressing its button loads that bank’s mobile site. On the loaded website, pressing back moves to the previous page, pressing forward moves to the next page, pressing reload reloads the current page, and pressing clear history deletes all history.

The proposed model is:

• You open the browser application, and a home screen appears.
• After 3 seconds, the browser appears, displaying the default website.
• Now, suppose you want to enter the ICICI bank site, so you click the bank button. As you press the button, a toast appears on the website.
• Finally the bank's mobile site is opened, and now you can surf this website normally. As you can see, the browser is displaying the integer longitude and latitude of Hyderabad.

While surfing the bank's mobile site on this browser you increase the security of your transactions, because there are no cookies in this browser. Cookies can prove very dangerous, as they store information about the sites you visited, and sometimes you have to delete them manually.


[Figure: proposed data flow. A registered user selects a mobile banking site from the default website; the browser sends the phone number, location and bank name to the data server, which maintains the record and matches the user. Yes: continue banking. No: exit.]

This browser has JavaScript disabled, which protects us from the high risks of cross-site scripting, cross-zone and cross-domain vulnerabilities and detection evasion. There is no need for Adobe Flash, and the browser requires no plug-ins. It has no add-ons either. Bank sites have taken care of Java applets, and the browser does not support ActiveX, which otherwise greatly increases the attack surface. In this browser you can bookmark your page, but you cannot see your history and you cannot view the HTML source code of websites. The browser restricts you from visiting other websites, as it can surf only the default website and the banks' mobile websites. Banks have already taken several measures against known malware and phishing attacks. Since all of this reduces vulnerabilities, the chance of a man-in-the-browser attack is lower, because such malware appears in the form of a browser helper object, browser extension, ActiveX control, plug-in or add-on. The extra feature of this browser, geolocation authentication, helps us to maintain a data server of customers with three identities, i.e. the customer's phone number, the site the customer is visiting and the customer's geographical position, so as to verify the person's authentication. Apart from the banks' multi-factor authentication, there is thus also a security authentication in the browser itself.
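The following is an added example, not code from the report or its application, showing how an Android WebView can be configured to match the restrictions described above (JavaScript off, no cookies or plug-ins, navigation limited to the default site and the four bank sites, and an "Entering into ..." toast). The host names are assumed placeholders, since the report does not give the banks' mobile-site URLs, and the manifest INTERNET permission is omitted.

```java
import android.app.Activity;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.CookieManager;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import android.widget.Toast;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public class BankBrowserActivity extends Activity {
    // Assumed host names: the report does not give the banks' real mobile-site URLs.
    private static final Set<String> ALLOWED_HOSTS = new HashSet<>(Arrays.asList(
            "default.example", "m.sbi.example", "m.icici.example",
            "m.pnb.example", "m.hsbc.example"));
    private WebView webView;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        webView = new WebView(this);
        setContentView(webView);
        WebSettings s = webView.getSettings();
        s.setJavaScriptEnabled(false);                      // no script, as in the report
        s.setPluginState(WebSettings.PluginState.OFF);      // no Flash or other plug-ins
        CookieManager.getInstance().setAcceptCookie(false); // no cookies, as in the report
        webView.setWebViewClient(new WebViewClient() {
            // Top-level navigations after the initial loadUrl(): HTTPS and allow-listed host only.
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                Uri u = Uri.parse(url);
                boolean allowed = "https".equals(u.getScheme())
                        && ALLOWED_HOSTS.contains(u.getHost());
                if (!allowed) {
                    Toast.makeText(BankBrowserActivity.this, "Blocked: not a bank site",
                            Toast.LENGTH_SHORT).show();
                }
                return !allowed; // true tells the WebView not to load the URL
            }
        });
        loadSite("https://default.example/");
    }
    // Bank button handler: show the "Entering into ..." toast, then load the site.
    void loadSite(String url) {
        Toast.makeText(this, "Entering into " + Uri.parse(url).getHost(), Toast.LENGTH_SHORT).show();
        webView.loadUrl(url);
    }
}
```

Note that shouldOverrideUrlLoading does not see sub-resource requests (images, frames, stylesheets); a WebViewClient.shouldInterceptRequest override is needed if those are to be held to the same allow-list.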

4.4 Conclusion

Today, mobile banking is highly insecure due to the emergence of new malware such as man-in-the-browser attacks. Banks are aware of phishing and previously existing malware and have designed applications to counter them. But this new attack is very dangerous for online transactions.


CHAPTER 5 : Conclusions and Future Work

Firstly, we discussed websites, protocols and web development tools. Then we made a comparative analysis of the various desktop and mobile browsers available in the market, their special features, their present usage share and their future trend. Lastly, we discussed mobile banking, its security measures and the common attacks on mobile banking through browsers.

Finally, a browser has been developed for banks so as to make secure payments. The browser has been implemented as an Android application taking into account four banks: SBI, ICICI, PNB and HSBC. The browser has a default website; whenever a person wants to enter a specific bank website it displays a toast on the default website, and it also shows the geolocation of the customer who is making the transaction.

The application here takes into account only four banks; it has to be extended to all the banks present in the market. The default website should be made to recognise the toast and the geolocation authentication displayed by the browser, and a data server should be kept for all registered customers, holding the mobile number, the bank site the customer is entering and the customer's geographical location, which is matched every time for secure transactions so as to reduce the risks of online banking.
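As an added example (not the report's own code), this is the record-keeping and matching step of the proposed data server for the geolocation check described in the previous section and in the future work above: one record per phone number and bank site, with the position stored as integers exactly as the browser displays it. The phone number, site names and coordinates are constructed sample values.

```java
import java.util.HashMap;
import java.util.Map;

public class GeoAuthServer {
    // One record per (phone number, bank site): the position the customer
    // registered from, stored as whole-degree integers as the browser displays them.
    static final class Record {
        final int lat, lon;
        Record(int lat, int lon) { this.lat = lat; this.lon = lon; }
    }

    private final Map<String, Record> records = new HashMap<>();

    private static String key(String phone, String bankSite) {
        return phone + "|" + bankSite;
    }

    // Enrolment: store the integer position sent when the customer registered.
    public void register(String phone, String bankSite, double lat, double lon) {
        records.put(key(phone, bankSite), new Record((int) lat, (int) lon));
    }

    // The "matches user" step: true means continue banking, false means exit.
    // Truncating to whole degrees gives cells of roughly 111 km in latitude, so a
    // customer near a degree boundary (17.99 versus 18.01) falls into a different
    // cell; a finer tolerance is left to the future work the report describes.
    public boolean matches(String phone, String bankSite, double lat, double lon) {
        Record r = records.get(key(phone, bankSite));
        if (r == null) {
            return false; // unknown phone number, or a site this phone never registered for
        }
        return r.lat == (int) lat && r.lon == (int) lon;
    }

    public static void main(String[] args) {
        GeoAuthServer server = new GeoAuthServer();
        // Constructed sample data; Hyderabad lies near 17.4 N, 78.5 E.
        server.register("+91-9999999999", "m.icici.example", 17.39, 78.49);
        // Same city, slightly different fix (same whole-degree cell).
        System.out.println(server.matches("+91-9999999999", "m.icici.example", 17.44, 78.47));
        // Same phone, but a position far away (New Delhi lies near 28.6 N, 77.2 E).
        System.out.println(server.matches("+91-9999999999", "m.icici.example", 28.6, 77.2));
        // Same phone and position, but a bank site this phone never registered for.
        System.out.println(server.matches("+91-9999999999", "m.sbi.example", 17.39, 78.49));
    }
}
```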

