Authors
Arash Alavi, Alan Quach, Hang Zhang, Bryan Marsh, Farhan Ul Haq, Zhiyun Qian, Long Lu, Rajiv Gupta
Publication date
2017
Conference
Passive and Active Measurement: 18th International Conference, PAM 2017, Sydney, NSW, Australia, March 30-31, 2017, Proceedings 18
Pages
100-112
Publisher
Springer International Publishing
Description
As we move into the mobile era, many functionalities in standard web services are being re-implemented in mobile apps and services, including many security-related functionalities. However, it has been observed that security features that are standardized in the PC and web space are often not implemented correctly by app developers, resulting in serious security vulnerabilities. For instance, prior work has shown that the standard SSL/TLS certificate validation logic in browsers is not implemented securely in mobile apps. In this paper, we study a related question: given that many web services are offered both via browsers/webpages and mobile apps, are there any discrepancies between the security policies of the two?
To answer the above question, we perform a comprehensive study on 100 popular app-web pairs. Surprisingly, we find many discrepancies – we observe that often the app …