News Articles

Tuesday, March 30, 2010

The mobile web and your personal information

James Rosewell writes:

The mobile techie community has known about mobile networks and indeed some handsets providing unique information about mobile devices and customers for a long time. Collin Mulliner, a graduate student at the Technische Universitat Berlin, has recently bought the issue to the attention of the public during a talk at the CanSecWest conference in Vancouver.

Information such as IMEI and Mobile Phone Number is passed to web servers accessed by a mobile device or Mobile Network Operator (MNO) proxy server in hidden fields called HTTP Headers. The amount of information, format and ultimately usability of the information varies between MNO and mobile device. Practically, the inconsistency of the information makes it of little practical use to web sites. The apparent random nature of the information provided indicates MNOs haven’t really thought through how they’re configuring their gateways and proxies.

The following table shows the HTTP Header (hidden fields) provided by a mobile request received at thefonecast.com yesterday. Notice the x-up-calling-line-id field that contains the mobile number of the requesting device. (We've removed the mobile number from this example). This particular request was provided via the ZXWAP Gateway from ZTE.

 

Header Field
Value
Connection
Keep-Alive
Via
ZXWAP GateWay,ZTE Technologies
Accept
text/html,text/css,multipart/mixed,application/java-archive, application/java, application/x-java-archive, text/vnd.sun.j2me.app-descriptor, application/vnd.oma.drm.message, application/vnd.oma.drm.content, application/vnd.oma.dd+xml, application/vnd.oma.drm.rights+xml, application/vnd.oma.drm.rights+wbxml, application/x-nokia-widget, */*
Accept-Charset
iso-8859-1, utf-8; q=0.7, *; q=0.7
 
Accept-Encoding
gzip, deflate, x-gzip, identity; q=0.9
 
Accept-Language
en;q=1.0,id;q=0.5,vi;q=0.5
Host
wap.socmobi.com
User-Agent
Mozilla/5.0 (SymbianOS/9.2; U; Series60/3.1 Samsung/SGH-i450/DBGL3 Profile/MIDP-2.0 Configuration/CLDC-1.1 ) AppleWebKit/413 (KHTML, like Gecko) Safari/413
x-up-calling-line-id
XXXXXXXXXX

The real point is that MNOs are seen to be taking liberties with customers personal information. There are many practical uses to providing this personal information “behind the scenes”. For example:

·    A web site that requests a telephone number can default the telephone number field to the mobile number provided by the mobile network reducing the amount of data the user needs to enter.

·    Multiple interactions can be related to one another without requiring explicit authentication.

On a darker note, once a malicious web site has a mobile number, the text message inbox would become the next target for spam.

Many people will be unhappy with this personal information being provided without consent. MNOs need to establish a clear and consistent policy around the dissemination of such information and ensure customers are in control of the personal information their mobile phone is giving out.

 

Print
Author: The Fonecast
0 Comments
Rate this article:
No rating

Categories: Networks and operators, OpinionNumber of views: 1531

Tags: security opinion internet

Leave a comment

Name:
Email:
Comment:
Add comment

Name:
Email:
Subject:
Message:
x

Follow thefonecast.com

Twitter @TheFonecast RSS podcast feed
Find us on Facebook Subscribe free via iTunes

Archive Calendar

«November 2017»
MonTueWedThuFriSatSun
303112345
6789101112
13141516171819
20212223242526
27282930123
45678910

Archive

Terms Of Use | Privacy Statement