Nov 30, 2010 17:50 GMT

A screen-space-saving feature of Safari on iOS can be exploited to spoof the address bar and launch very credible phishing attacks against iPhone users.

The default behavior of Safari in iOS is to hide the address bar after a Web page is loaded. This is done in order to provide more screen space for the actual content instead of user interface elements.

However, the browser address bar is a very important security element, which people should see at all times.

Security experts have long advised users to check the location displayed in their browser's address bar before attempting to log into a website in order to avoid falling victim to phishing attacks.

Security researcher Nitesh Dhanjani has demonstrated a proof-of-concept attack, which exploits the Safari address bar hiding feature to trick users into thinking that they are on the Bank of America mobile banking website, when in fact they are not.

In Dhanjani's example, the address bar that normally displays his own domain name is replaced with an image showing bankofamerica.com (with SSL indication).

"I did contact Apple about this issue and they let me know they are aware of the implications but do not know when and how they will address the issue," the researcher writes.

"Since the address bar in Safari occupies considerable real estate, perhaps Apple may consider displaying or scrolling the current domain name right below the universal status bar (i.e. below the carrier and time stamp)," he adds.

This would occupy much less space on the screen, but it would give users an indication of where they are at all times when surfing the Web.

A separate issue stems from iOS allowing applications to render Web content directly, without opening a separate Safari instance. This is done through a class called UIWebView, which does not display the origin of the content at all.

A user who taps a shortened URL inside, say, a Twitter app that uses UIWebView to render it has no way of knowing where the content is loaded from or whether it is legitimate.
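The UIWebView problem is one an app developer can mitigate on their side, since the web content only occupies the rectangle the app gives it. The following is an added example (not code from the article or from Dhanjani) of an app that embeds UIWebView and keeps a native strip above it showing the scheme and host of whatever is currently loaded. UIWebView, UIWebViewDelegate, NSURL and NSURLRequest are real iOS APIs as of the time of the article (UIWebView was later deprecated in favour of WKWebView, whose URL property serves the same purpose); the class, label and method names OriginAwareWebViewController, originLabel, loadURL: and showOriginOf: are hypothetical.

```objective-c
// Added example, not from the article: an embedded browser that shows the
// origin of the loaded page in native UI the web content cannot draw over.
#import <UIKit/UIKit.h>

@interface OriginAwareWebViewController : UIViewController <UIWebViewDelegate>
@property (nonatomic, strong) UIWebView *webView;
@property (nonatomic, strong) UILabel *originLabel;   // hypothetical: native strip showing scheme + host
@end

@implementation OriginAwareWebViewController

- (void)viewDidLoad {
    [super viewDidLoad];
    CGRect bounds = self.view.bounds;
    CGFloat stripHeight = 24.0;

    // The strip sits outside the UIWebView's frame, so a page that paints a fake
    // address bar inside its own content cannot cover or replace it.
    self.originLabel = [[UILabel alloc] initWithFrame:CGRectMake(0, 0, bounds.size.width, stripHeight)];
    self.originLabel.font = [UIFont systemFontOfSize:12.0];
    self.originLabel.textAlignment = NSTextAlignmentCenter;
    self.originLabel.text = @"(nothing loaded)";
    [self.view addSubview:self.originLabel];

    self.webView = [[UIWebView alloc] initWithFrame:CGRectMake(0, stripHeight,
                                                               bounds.size.width,
                                                               bounds.size.height - stripHeight)];
    self.webView.delegate = self;
    [self.view addSubview:self.webView];
}

// Entry point the host app calls, e.g. with a URL taken from a tweet.
- (void)loadURL:(NSURL *)url {
    [self.webView loadRequest:[NSURLRequest requestWithURL:url]];
}

// Called before every navigation, including redirects, so the strip already
// reflects the destination while a shortened URL is being expanded.
- (BOOL)webView:(UIWebView *)webView
        shouldStartLoadWithRequest:(NSURLRequest *)request
        navigationType:(UIWebViewNavigationType)navigationType {
    [self showOriginOf:request.URL];
    return YES;
}

// After the load completes, webView.request holds the final request, so the
// strip ends up showing the host that actually served the content.
- (void)webViewDidFinishLoad:(UIWebView *)webView {
    [self showOriginOf:webView.request.URL];
}

- (void)webView:(UIWebView *)webView didFailLoadWithError:(NSError *)error {
    self.originLabel.text = [NSString stringWithFormat:@"Load failed: %@", error.localizedDescription];
}

// Render "https host" or "http host (not encrypted)" in the native strip.
- (void)showOriginOf:(NSURL *)url {
    NSString *host = url.host.length > 0 ? url.host : @"(no host)";
    NSString *scheme = url.scheme.lowercaseString ?: @"";
    BOOL encrypted = [scheme isEqualToString:@"https"];
    self.originLabel.text = [NSString stringWithFormat:@"%@ %@%@",
                             scheme, host, encrypted ? @"" : @" (not encrypted)"];
    self.originLabel.textColor = encrypted ? [UIColor darkGrayColor] : [UIColor redColor];
}

@end
```

The strip is deliberately derived from the request object rather than from anything the page reports about itself (such as document.title or document.location read back through JavaScript), because the page is the untrusted party here; the host shown is whatever the URL loading system actually connected to.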

Images: Safari iOS address bar hiding feature can be abused; Spoofed Safari address bar on iPhone.