Mobile Friendly or Attacker Friendly?: A Large-scale Security Evaluation of Mobile-first Websites

Tom Van Goethem, Victor Le Pochat, Wouter Joosen

Presented at 2019 ACM Asia Conference on Computer and Communications Security (AsiaCCS 2019)

In the last few years, traffic generated by mobile devices has surpassed desktop visits. In order to provide users with the best browsing experience, many website owners specifically tailor their site to mobile devices. While some websites make use of reactive designs, many others opt to create an entirely new "mobile-first" website, typically hosted on a subdomain of the desktop site. These mobile-first sites provide a unique viewpoint on how organizations handle security: the mobile version of a site is typically developed several years after the desktop site by the same organization. Through a large-scale security analysis on 10,222 domains with both a desktop and mobile-first version, we find several strong indicators that security is generally applied consistently across the different parts of an organization's web estate. Overall, we find relatively few differences between the desktop and mobile versions of a website, both on the adoption and the implementation of security features, indicating that these are applied reactively rather than proactively during the design phase.

Download paper

DOI: 10.1145/3321705.3329855

BibTeX:

@inproceedings{VanGoethem2019MobileFirst,
author = {Van Goethem, Tom and Le Pochat, Victor and Joosen, Wouter},
title = {Mobile Friendly or Attacker Friendly?: A Large-scale Security Evaluation of Mobile-first Websites},
booktitle = {Proceedings of the 2019 ACM Asia Conference on Computer and Communications Security},
series = {AsiaCCS '19},
year = {2019},
isbn = {978-1-4503-6752-3},
location = {Auckland, New Zealand},
pages = {206--213},
numpages = {8},
url = {http://doi.acm.org/10.1145/3321705.3329855},
doi = {10.1145/3321705.3329855},
acmid = {3329855},
publisher = {ACM},
address = {New York, NY, USA},
}