CenturionStudio.it - Fotolia

Manage Learn to apply best practices and optimize your operations.

Are mobile persistent cookies a threat to enterprise data security?

While cookies can be helpful, mobile persistent cookies can pose a serious threat to users and enterprises. Expert Michael Cobb explains how to mitigate the risk and eliminate the threat.

I'm concerned about persistent cookies and how they may impact enterprise data privacy or be exploited by hackers. Is there a way, either on the network or on client devices, to get rid of them?

The protocol used to request and receive pages from a website is HTTP or HTTPS. These are stateless protocols, so each request and response is independent and unrelated to any previous request. This means without some method of tracking a user's actions on the site, the server has no record of what previous actions the user has taken, such as logging in or adding an item to a shopping cart. To remember stateful information (such as the items in a shopping cart), the server sends a small piece of data called a cookie when the user first visits the site. The user's browser then sends the cookie back with each request so the Web server can check the user's previous activity. Without this stateful information, most sites would not function correctly and could potentially expose sensitive information, by, for example, sending a page containing personal information before a user has authenticated themselves by logging into their account.

session cookies exist only while a user actively navigates a website, and they are deleted when the user exits the site. Persistent cookies are more contentious as they persist even when a user leaves a site. They can be useful; a site can recognize a returning user and sign them into their account automatically or show them personalized information. However, persistent third-party cookies can be used to track and compile long-term records of an individual's browsing activities, which raises privacy concerns. This is why the major browsers provide the option to block third-party cookies and a method of deleting all or selected cookies. A risk assessment will dictate an enterprise's security policy with regard to configuring how browsers handle different types of cookies.

The advertising industry is a big user of persistent cookies as they help profile and target relevant ads to people as they browse the Internet, so circumventing the ability to block their cookies is very tempting. In 2012, mobile carrier O2 was caught adding uniquely identifiable HTTP headers to their customers' outgoing Web traffic. It turns out Verizon Wireless has been doing the same thing by inserting a Unique Identifier Header (UIDH) into the HTTP headers of its cell phone customers' outgoing Web traffic. This allows Verizon's Relevant Mobile Advertising Program and Precision ID marketing service to monitor actions, including which websites are visited and how long a user spends on a site. The big difference with this form of "cookie" is that it can't be deleted, even by a browser add-on or app, as it's added while traffic passes through Verizon's network after it has left the users' phones. Security researcher Kenneth White created a website to help users check whether their devices are sending out these UIDH codes.

At first, Verizon users were able to opt out of its Relevant Mobile Advertising program, but that only prohibited Verizon from selling their data as the UIDH was still added to any Web data sent over the Verizon Wireless LTE, 3G or 4G networks. Although Verizon said it changed user UIDHs frequently, it's unclear how frequently. Plus, it is sent to every website visited. This meant any site, benign or malicious, could potentially track and build a profile using Verizon's UIDH without a user's consent. In April, Verizon updated its policies; if a user opts out of Verizon's marketing program, the UIDH would also be deleted off of their device.

Enterprises whose employees use Verizon Wireless as a provider and feel this potential profiling may be a security risk should consider switching provider. Alternative ways of stopping UIDHs from being inserted in the first place, while using the service of a provider that inserts them, are to only connect to the Internet via a VPN or Wi-Fi network, or to only visit HTTPS websites as SSL encrypts all the header data. None of these solutions are particularly practical, and what's more disturbing about undeletable cookies is that it doesn't look like they're going to disappear anytime soon. AT&T is working on its own Relevant Advertising code insertion program, although it has said it will not insert the UIDH into headers for its users if they opt out of the program. Also, new apps and app updates distributed through Google Play must use Google's AdID (Anonymous identifier for advertising) which aims to give advertisers a richer and more complete user profile. Other vendors and companies will likely follow suit if the programs are successful.

Any form of Web tracking technology needs to be fully understood by organizations and users. Security policies covering surfing, browser settings and work personas will need to be updated, and security awareness sessions should be introduced that cover this new technology to make users aware of the potential privacy issues.

Ask the Expert:
Perplexed about application security? Send Michael Cobb your questions today. (All questions are anonymous.)

Next Steps

Join the conversation: Is Verizon's UIDH a security risk?

Learn the good, the bad and the ugly about cookies.

This was last published in April 2015

Dig Deeper on Web application and API security best practices