In light of the revelation that Nokia decrypts HTTPS data using SSL decryption on its Lumia and Asha devices, I was wondering if other mobile device manufacturers do the same thing, and how great a security threat does it pose? Should organizations reconsider supporting Nokia devices, including its latest Windows Phone 8 line, as part of bring-your-own-device policies?
Ask the expert
Have a question about network security for expert Brad Casey? Send them via email today! (All questions are anonymous.)
To briefly recap, according to an independent researcher, Nokia essentially conducts a "man-in-the-middle" attack on Nokia Browser Web traffic, decrypting it in a way that allows Nokia to access users' unencrypted data. In a nutshell, the Nokia browser diverts all SSL traffic to Nokia-owned proxy servers, where each packet is decrypted, then supposedly re-encrypted and forwarded to its intended destination. Nokia, however, has downplayed the findings, claiming its HTTPS decryption practices are minimally invasive and done only to speed up the loading of Web pages.
As of right now, no other mobile device is known to completely decrypt SSL traffic the way Nokia does. However, if your mobile device uses Opera Mini, a pseudo form of SSL decryption is performed. But this has more to do with the fact that Opera Mini understands Opera Binary Markup Language (OBML) as opposed to HTML, therefore some stripping down of encrypted packets is necessary in order to implement its markup language.
So, what type of security threat does this sort of device-maker-sanctioned man-in-the-middle attack pose? I don't think there's a cut-and-dried answer. From what I understand, Nokia did not fully disclose how it handles SSL traffic in its privacy statement; if this is true, it certainly deserves the criticism and should clarify its privacy statement. Beyond that, the security threat is relative.
I can see why some would take a cynical view of Nokia's response, and I completely understand the tendency to distrust. However, I would argue that anyone who engages in any type of e-commerce has to trust that the people on the server side who are processing credit card information will not act dishonestly. This same type of trust must be extended toward Nokia if your organization decides to allow Nokia devices in the enterprise. The most skeptical among us could perhaps theorize a way in which Nokia's servers would be compromised and hence an attacker could obtain unencrypted enterprise data via Nokia -- but frankly, targeted attackers have easier ways to go after what they want. In short, I wouldn't worry about this one.
This was first published in October 2013