Among the features introduced in Wednesday’s iPhone 3.1 update was an under-the-radar addition to Safari in the form of anti-phishing protections. The new feature takes the form of a Fraud Warning switch under Settings -> Safari; the update enables it by default.
Apple made a brief mention of this feature when it announced iPhone 3.0 last March, but it didn’t materialize when that update surfaced in June. Unfortunately, the implementation in 3.1 may still not be ready for public consumption.
Security firm Intego reports that the anti-phishing feature—which is supposed to display a warning when you visit a site with less-than-honorable intentions towards your personal information— flat out doesn’t work. Security firm Zscaler agreed with that assessment, noting that it’s been unable to get the warning to trigger.
Here’s the thing, though: sometimes it does work. I tested it with a couple of known phishing links and, sure enough, the pictured warning popped up. But in more thorough testing with colleagues involving a number of iPhones and iPod touches in different locations with both cell and Wi-Fi connections, it was determined the feature was badly inconsistent: on some devices the warning popped up, and on others the same site loaded with no obstructions. Sometimes it loaded or didn’t load on the same device. It seems pretty clear that there’s a big scaly bug in the system.
Inconsistent protection is in many ways worse than no protection at all, as it lulls users into thinking that they’re perfectly safe behind a brick wall. Unfortunately, that wall may be a lot more like a bead curtain. (That’s not to say that desktop anti-phishing protections like those built into Safari are perfect, but they do help.)
This isn’t the first weak foray Apple’s made into the security software realm in recent weeks. The company rolled out an anti-malware system in its recently released Mac OS X Snow Leopard, but the system only catches an extremely limited number of known Mac malware.
I won’t solely point the finger at Apple on a lack of mobile anti-phishing protection, though it clearly needs to fix this system. Google has dropped the ball as well—the Mobile version of its site, which loads by default in Safari on the iPhone, doesn’t feature the same protections as its standard desktop version. A link that Google flagged as potentially dangerous on my MacBook received no such treatment on my iPhone and it loaded unimpeded. However, if I scrolled to the bottom of Google’s page and switched to the “Classic” (read: desktop) view, then it was indeed flagged.
The combination of these two features, or lack thereof, means that iPhone users are largely unprotected from phishers. At the moment, the best recourse for iPhone users who are concerned is to vet links by tapping and holding on them to bring up a sheet that displays the true URL. As always, it’s important to practice safe browsing by not visiting suspicious links, especially e-mails that invite you to update your account details.
Apple revealed at its music event this week that there are more than 50 million devices running the iPhone OS—that’s a lot of people browsing the Web on these devices. Both Apple and Google have their work cut out for them if mobile browsing is to be anywhere near as safe as desktop browsing.
Had your own experiences with iPhone 3.1’s new anti-phishing protections? Let us know in the comments below.