News Articles

Tuesday, March 30, 2010

The mobile web and your personal information

James Rosewell writes:

The mobile techie community has known about mobile networks and indeed some handsets providing unique information about mobile devices and customers for a long time. Collin Mulliner, a graduate student at the Technische Universitat Berlin, has recently bought the issue to the attention of the public during a talk at the CanSecWest conference in Vancouver.

Information such as IMEI and Mobile Phone Number is passed to web servers accessed by a mobile device or Mobile Network Operator (MNO) proxy server in hidden fields called HTTP Headers. The amount of information, format and ultimately usability of the information varies between MNO and mobile device. Practically, the inconsistency of the information makes it of little practical use to web sites. The apparent random nature of the information provided indicates MNOs haven’t really thought through how they’re configuring their gateways and proxies.

The following table shows the HTTP Header (hidden fields) provided by a mobile request received at thefonecast.com yesterday. Notice the x-up-calling-line-id field that contains the mobile number of the requesting device. (We've removed the mobile number from this example). This particular request was provided via the ZXWAP Gateway from ZTE.

 

Header Field
Value
Connection
Keep-Alive
Via
ZXWAP GateWay,ZTE Technologies
Accept
text/html,text/css,multipart/mixed,application/java-archive, application/java, application/x-java-archive, text/vnd.sun.j2me.app-descriptor, application/vnd.oma.drm.message, application/vnd.oma.drm.content, application/vnd.oma.dd+xml, application/vnd.oma.drm.rights+xml, application/vnd.oma.drm.rights+wbxml, application/x-nokia-widget, */*
Accept-Charset
iso-8859-1, utf-8; q=0.7, *; q=0.7
 
Accept-Encoding
gzip, deflate, x-gzip, identity; q=0.9
 
Accept-Language
en;q=1.0,id;q=0.5,vi;q=0.5
Host
wap.socmobi.com
User-Agent
Mozilla/5.0 (SymbianOS/9.2; U; Series60/3.1 Samsung/SGH-i450/DBGL3 Profile/MIDP-2.0 Configuration/CLDC-1.1 ) AppleWebKit/413 (KHTML, like Gecko) Safari/413
x-up-calling-line-id
XXXXXXXXXX

The real point is that MNOs are seen to be taking liberties with customers personal information. There are many practical uses to providing this personal information “behind the scenes”. For example:

·    A web site that requests a telephone number can default the telephone number field to the mobile number provided by the mobile network reducing the amount of data the user needs to enter.

·    Multiple interactions can be related to one another without requiring explicit authentication.

On a darker note, once a malicious web site has a mobile number, the text message inbox would become the next target for spam.

Many people will be unhappy with this personal information being provided without consent. MNOs need to establish a clear and consistent policy around the dissemination of such information and ensure customers are in control of the personal information their mobile phone is giving out.

 

Print
Author: The Fonecast
0 Comments
Rate this article:
No rating

Categories: Networks and operators, OpinionNumber of views: 12034

Tags: security opinion internet

Leave a comment

This form collects your name, email, IP address and content so that we can keep track of the comments placed on the website. For more info check our Privacy Policy and Terms Of Use where you will get more info on where, how and why we store your data.
Add comment

Follow thefonecast.com

Twitter @TheFonecast RSS podcast feed
Find us on Facebook Subscribe free via iTunes

Archive Calendar

«November 2024»
MonTueWedThuFriSatSun
28293031123
45678910
11121314151617
18192021222324
2526272829301
2345678

Archive

Terms Of Use | Privacy Statement