Security Header Fields in HTTP Clients
Pascal Gadient, Oscar Nierstrasz, Mohammad Ghafari

TL;DR
This study investigates the adoption of security-related HTTP headers in mobile applications, revealing minimal support in current HTTP clients and emphasizing the need for improved security practices to prevent data leaks and code execution risks.
Contribution
It provides the first large-scale analysis of security header support in mobile app HTTP communication, highlighting gaps and proposing enhancements for security.
Findings
Support for security headers is absent in major HTTP clients.
Server responses rarely include security headers.
Improved use of HTTP headers can enhance mobile app security.
Abstract
HTTP headers are commonly used to establish web communications, and some of them are relevant for security. However, we have little information about the usage and support of security-relevant headers in mobile applications. We explored the adoption of such headers in mobile app communication by querying 9,714 distinct URLs that were used in 3,376 apps and collected each server's response information. We discovered that support for secure HTTP header fields is absent in all major HTTP clients, and that such fields are rarely provided in server responses. Based on these results, we discuss opportunities for improvement, particularly to reduce the likelihood of data leaks and arbitrary code execution. We advocate more comprehensive use of existing HTTP headers and timely development of relevant web browser security features in HTTP client libraries.
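The study collected server responses and checked them for security-relevant header fields. The following is an added example, not tooling from the paper or its authors, of the kind of audit such a survey performs: it parses a raw HTTP/1.x response and reports, for each header field in a checklist, whether the field is missing, present with an acceptable value, or present with a weak value. The checklist, the acceptance rules and the two sample responses are constructed for illustration and are assumptions, not data from the paper.

```python
"""Audit the security-related header fields of an HTTP response.

Added example, not the paper's own code. The checklist below and the
two sample responses are constructed for illustration.
"""
from __future__ import annotations


def _max_age(value: str) -> int:
    """Extract the max-age directive of a Strict-Transport-Security value."""
    for directive in value.split(";"):
        name, _, num = directive.strip().partition("=")
        if name.strip().lower() == "max-age" and num.strip().isdigit():
            return int(num.strip())
    return 0


# Security-relevant response header fields and the condition a value must
# meet to count as "ok". (Constructed checklist; not taken from the paper.)
CHECKS = {
    "strict-transport-security": lambda v: _max_age(v) > 0,
    "content-security-policy": lambda v: bool(v.strip()),
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "x-frame-options": lambda v: v.strip().upper() in {"DENY", "SAMEORIGIN"},
    "referrer-policy": lambda v: bool(v.strip()),
}


def parse_response(raw: bytes) -> tuple[int, dict[str, str]]:
    """Split a raw HTTP/1.x response into (status code, header map).

    Header names are lower-cased so lookups are case-insensitive; repeated
    names are joined with ', ' as RFC 9110 allows for list-valued fields.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name = name.strip().lower()
        value = value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return status, headers


def audit_headers(headers: dict[str, str]) -> dict[str, str]:
    """Return a verdict per checked field: 'ok', 'weak' or 'missing'."""
    report: dict[str, str] = {}
    for name, is_acceptable in CHECKS.items():
        if name not in headers:
            report[name] = "missing"
        elif is_acceptable(headers[name]):
            report[name] = "ok"
        else:
            report[name] = "weak"
    return report


def audit_raw(raw: bytes) -> dict[str, str]:
    """Convenience wrapper: parse a raw response and audit its headers."""
    _status, headers = parse_response(raw)
    return audit_headers(headers)


# Constructed sample responses: a typical API reply that sets no security
# headers, and a reply from a server that sets them (one with a weak value).
BARE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/json\r\n"
    b"Content-Length: 2\r\n"
    b"\r\n{}"
)
HARDENED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/json\r\n"
    b"Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    b"Content-Security-Policy: default-src 'none'\r\n"
    b"X-Content-Type-Options: nosniff\r\n"
    b"X-Frame-Options: ALLOWALL\r\n"
    b"Referrer-Policy: no-referrer\r\n"
    b"\r\n{}"
)

if __name__ == "__main__":
    for label, raw in (("bare", BARE_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label)
        for name, verdict in audit_raw(raw).items():
            print(f"  {name:<28} {verdict}")
```

Run stand-alone, the script prints every checklist field as `missing` for the bare response and flags the `X-Frame-Options: ALLOWALL` value as `weak` for the hardened one; the same functions can be pointed at responses captured from a real client by passing the raw bytes to `audit_raw`. Note that the verdict only says what the server sent: as the paper observes, a header the client library never interprets offers no protection even when it is present.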
Taxonomy
Topics: Mobile and Web Applications · Green IT and Sustainability · Advanced Malware Detection Techniques
