Nokia’s Xpress Browser is the default web browser on the Nokia’s Asha lineup and it’s also an optional download for the Lumia phones, running on Windows Phone. Nokia prides on the capabilities of the web browser to compress data and reduce traffic.
To accomplish this Nokia servers process and compress all data to and from the mobile device. But has it occurred to you that in the process Nokia’s servers are also decrypting the information sent over the allegedly secure HTTPS protocol, which you may have thought no one has access to. Nokia does not refuse that, but claims you shouldn’t worry, as nothing is recorded. But can we trust it?
The Xpress Browser is advanced enough to translate web pages, search for keywords you tap on and even re-format pages into a nice magazine-like reading layout sans distractions. But this amazing piece of software also communicates all your sensitive data to Nokia servers where it’s temporarily decrypted to plain text form, as security researcher Gaurang Pandya has discovered.
“From the tests that were preformed, it is evident that Nokia is performing Man In The Middle Attack for sensitive HTTPS traffic originated from their phone and hence they do have access to clear text information which could include user credentials to various sites such as social networking, banking, credit card information or anything that is sensitive in nature. In short, be it HTTP or HTTPS site when browsed through the phone in subject, Nokia has complete information unencrypted (in clear text format) available to them for them to use or abuse,” – Pandya points out.
Nokia’s statement on the matter is as follows:
“Importantly, the proxy servers do not store the content of web pages visited by our users or any information they enter into them. When temporary decryption of HTTPS connections is required on our proxy servers, to transform and deliver users’ content, it is done in a secure manner. [...] Claims that we would access complete unencrypted information are inaccurate.”
Other competing proxy browser services take a different approach with HTTPS packets. The all popular Opera Mini web browser, for instance, simply routes the packets to their destinations without decrypting them. Amazon’s Silk browser or the Skyfire mobile browser detect those packages and don’t even transfer them though their servers. In contrast, Nokia’s Xpress Browser actually impersonates you and the visited site in a Man In The Middle style.
An update from today (Jan 11) by Gaurang Pandya tells us that Nokia has released a browser update. “[...]They are no more doing Man-In-The-Middle attack on HTTPS traffic, which was originally the issue, and the bad news is the traffic is still flowing through their servers. This time they are tunneling HTTPS traffic over HTTP connection to their server” – he writes.
The fact that unknown servers read my usernames and passwords just so that they can compress them, is enough to send shivers down my spine. What about you? Worried?
Source | Via