News Articles

Tuesday, March 30, 2010

The mobile web and your personal information

James Rosewell writes:

The mobile techie community has known about mobile networks and indeed some handsets providing unique information about mobile devices and customers for a long time. Collin Mulliner, a graduate student at the Technische Universitat Berlin, has recently bought the issue to the attention of the public during a talk at the CanSecWest conference in Vancouver.

Information such as IMEI and Mobile Phone Number is passed to web servers accessed by a mobile device or Mobile Network Operator (MNO) proxy server in hidden fields called HTTP Headers. The amount of information, format and ultimately usability of the information varies between MNO and mobile device. Practically, the inconsistency of the information makes it of little practical use to web sites. The apparent random nature of the information provided indicates MNOs haven’t really thought through how they’re configuring their gateways and proxies.

The following table shows the HTTP Header (hidden fields) provided by a mobile request received at thefonecast.com yesterday. Notice the x-up-calling-line-id field that contains the mobile number of the requesting device. (We've removed the mobile number from this example). This particular request was provided via the ZXWAP Gateway from ZTE.

 

Header Field
Value
Connection
Keep-Alive
Via
ZXWAP GateWay,ZTE Technologies
Accept
text/html,text/css,multipart/mixed,application/java-archive, application/java, application/x-java-archive, text/vnd.sun.j2me.app-descriptor, application/vnd.oma.drm.message, application/vnd.oma.drm.content, application/vnd.oma.dd+xml, application/vnd.oma.drm.rights+xml, application/vnd.oma.drm.rights+wbxml, application/x-nokia-widget, */*
Accept-Charset
iso-8859-1, utf-8; q=0.7, *; q=0.7
 
Accept-Encoding
gzip, deflate, x-gzip, identity; q=0.9
 
Accept-Language
en;q=1.0,id;q=0.5,vi;q=0.5
Host
wap.socmobi.com
User-Agent
Mozilla/5.0 (SymbianOS/9.2; U; Series60/3.1 Samsung/SGH-i450/DBGL3 Profile/MIDP-2.0 Configuration/CLDC-1.1 ) AppleWebKit/413 (KHTML, like Gecko) Safari/413
x-up-calling-line-id
XXXXXXXXXX

The real point is that MNOs are seen to be taking liberties with customers personal information. There are many practical uses to providing this personal information “behind the scenes”. For example:

·    A web site that requests a telephone number can default the telephone number field to the mobile number provided by the mobile network reducing the amount of data the user needs to enter.

·    Multiple interactions can be related to one another without requiring explicit authentication.

On a darker note, once a malicious web site has a mobile number, the text message inbox would become the next target for spam.

Many people will be unhappy with this personal information being provided without consent. MNOs need to establish a clear and consistent policy around the dissemination of such information and ensure customers are in control of the personal information their mobile phone is giving out.

 

Print
Author: The Fonecast
0 Comments
Rate this article:
No rating

Categories: Networks and operators, OpinionNumber of views: 1312

Tags: securityopinioninternet

Leave a comment

Name:
Email:
Comment:
CAPTCHA image
Enter the code shown above in the box below.
Add comment

Name:
Email:
Subject:
Message:
x

Follow thefonecast.com

Twitter @TheFonecast RSS podcast feed
Find us on Facebook Subscribe free via iTunes

Archive Calendar

«June 2017»
MonTueWedThuFriSatSun
2930311234
567891011
12131415161718
19202122232425
262728293012
3456789

Archive

Terms Of Use | Privacy Statement