Meddling Middlemen: Empirical Analysis of the Risks of Data-Saving Mobile Browsers
Abstract
Mobile browsers have become one of the main
mediators of our online activities. However, as web pages continue
to increase in size and streaming media on-the-go has become
commonplace, mobile data plan constraints remain a significant
concern for users. As a result, data-saving features can be a
differentiating factor when selecting a mobile browser. In this
paper, we present a comprehensive exploration of the security
and privacy threat that data-saving functionality presents to
users. We conduct the first analysis of Android’s data-saving
browser (DSB) ecosystem across multiple dimensions, including
the characteristics of the various browsers’ infrastructure, their
application and protocol-level behavior, and their effect on users’
browsing experience. Our research unequivocally demonstrates
that enabling data-saving functionality in major browsers results
in significant degradation of the user’s security posture by
introducing severe vulnerabilities that are not otherwise present
in the browser during normal operation. In summary, our
experiments show that enabling data savings exposes users to
(i) proxy servers running outdated software, (ii) man-in-the-middle
attacks due to problematic validation of TLS certificates, (iii)
weakened TLS cipher suite selection, (iv) lack of support for
security headers like HSTS, and (v) a higher likelihood of being
labelled as bots. While the discovered issues can be addressed,
we argue that data-saving functionality presents inherent risks
in an increasingly-encrypted Web, and users should be alerted
of the critical savings-vs-security trade-off that they implicitly
accept every time they enable such functionality.