We wrote earlier about the security features in Apple’s latest update to the iPhone and iPod touch operating system.
Another addition in this update, which Apple hasn’t mentioned, is an anti-phishing feature for mobile Safari. Like the one in desktop Safari, it is meant to warn users that they may be visiting a known malicious web site and ask whether they wish to continue. However, we have tested this feature extensively, tossing dozens of phishing URLs at it, and it simply does not seem to work. URLs that Safari on Mac OS X blocks open on the iPhone without any warning and take users straight to the malicious pages. For example, one bogus PayPal page that was blocked in Safari on Mac OS X displayed just fine on the iPhone.
We find it interesting that Apple has added this feature, but it is not clear why it does not work. Is there something wrong with the way mobile Safari obtains its information about malicious web sites? (On Mac OS X, Safari gets this data from Google’s Safe Browsing service.) The feature is enabled by default (Settings > Safari > Security > Fraud Warning).
We’ll be investigating this, and if we find out more we’ll report it here.
Follow-up: we’ve had a number of people test this, and some get warnings for sites that others can load just fine. We’ve tried isolating by location, by iPhone/iPod touch model, and by whether the device is connecting over the cell network or via wifi, but all we’ve come up with is that sometimes it works and sometimes it doesn’t. This is more dangerous than no protection at all, because users who think they are protected are less careful about which links they click.
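To make the mechanism behind such a warning concrete, here is an added example (our own illustration, not Apple’s or Google’s code) of how a Safe Browsing-style client decides whether to block a URL: the device keeps a local list of short hash prefixes of blocklisted URL expressions, hashes the host-suffix/path-prefix combinations of each URL it loads, and only on a prefix hit asks the server for the full hash to confirm. The canonicalization is simplified to the rules needed here, the URLs and blocklist entries are constructed (reserved `.example` names), and the "fresh", "stale" and "lagging" clients are hypothetical. The example does not establish why the iPhone behaves as the post describes; it only shows that two clients whose local lists differ in freshness can give different answers for the same URL, and that a prefix hit alone does not block anything until the full hash is confirmed.

```python
import hashlib
from urllib.parse import urlsplit

# Added example, not Apple's or Google's code. A simplified model of a
# Safe Browsing-style lookup: local 4-byte hash prefixes on the device,
# full-hash confirmation from a (simulated) server only on a prefix hit.
PREFIX_LEN = 4


def canonicalize(url: str):
    """Return (host, path, query) in a normalized form (simplified rules)."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").strip(".").lower()
    while ".." in host:
        host = host.replace("..", ".")
    path = parts.path or "/"
    out = []  # collapse "//", drop "." and resolve ".." segments
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    norm = "/" + "/".join(out)
    if path.endswith("/") and norm != "/":
        norm += "/"
    return host, norm, parts.query


def lookup_expressions(url: str) -> set:
    """Host-suffix / path-prefix combinations the client hashes for one URL."""
    host, path, query = canonicalize(url)
    labels = host.split(".")
    hosts = [host]
    for i in range(1, len(labels) - 1):  # up to 4 parent domains, >= 2 labels
        if len(hosts) == 5:
            break
        hosts.append(".".join(labels[i:]))
    paths = []
    if query:
        paths.append(path + "?" + query)
    paths.append(path)
    prefix, prefixes = "/", ["/"]  # "/" plus successively longer directories
    for seg in path.split("/")[1:-1]:
        prefix += seg + "/"
        prefixes.append(prefix)
    for p in prefixes[:4]:
        if p not in paths:
            paths.append(p)
    return {h + p for h in hosts for p in paths}


def full_hash(expr: str) -> bytes:
    return hashlib.sha256(expr.encode()).digest()


class BlocklistServer:
    """Holds full hashes of listed expressions; clients sync prefixes from it."""

    def __init__(self, bad_expressions):
        self.full = {full_hash(e) for e in bad_expressions}

    def prefixes(self) -> set:
        return {h[:PREFIX_LEN] for h in self.full}

    def full_hashes_for(self, prefix: bytes) -> set:
        return {h for h in self.full if h.startswith(prefix)}


class Client:
    """Device-side check: local prefix list first, server only on a hit."""

    def __init__(self, local_prefixes, server):
        self.local = set(local_prefixes)
        self.server = server
        self.server_calls = 0

    def is_blocked(self, url: str) -> bool:
        for expr in lookup_expressions(url):
            h = full_hash(expr)
            if h[:PREFIX_LEN] in self.local:
                self.server_calls += 1
                if h in self.server.full_hashes_for(h[:PREFIX_LEN]):
                    return True
        return False


# Constructed sample data (reserved .example names, not real sites).
PHISH_URL = "http://paypa1-secure.example/cgi-bin/webscr?cmd=_login-run"
SAFE_URL = "https://www.example.com/cgi-bin/webscr"
server = BlocklistServer({"paypa1-secure.example/"})  # whole host is listed

fresh = Client(server.prefixes(), server)  # synced after the listing
stale = Client(set(), server)  # hypothetical: never updated since setup
# Hypothetical leftover prefix for an entry the server has since removed:
# the full-hash check clears it, so the stale prefix causes no false block.
lagging = Client(server.prefixes() | {full_hash("oldphish.example/")[:PREFIX_LEN]}, server)

if __name__ == "__main__":
    for name, c in (("fresh", fresh), ("stale", stale)):
        print(f"{name} client blocks phishing URL: {c.is_blocked(PHISH_URL)}")
```

The point of the full-hash round trip is that the prefix list alone is neither sufficient to block nor immune to collisions; the point of the stale client is that a device whose list has not been refreshed answers "safe" for the same URL a freshly synced device blocks, with no visible difference to the user.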