Nokia Browser Relies on Man-in-the-Middle Tactics to Cut Down on Data Bill
At a time when most service providers embrace HTTPS by default, Finnish mobile phone manufacturer Nokia is doing the exact opposite. According to security researcher Gaurang Pandya, user data sent encrypted through the Nokia Xpress browser is decrypted on the Nokia / OVI servers to be compressed for speed and bandwidth saving purposes.
This means that all HTTPS requests sent by the user to various services (including banking sessions) are decrypted on Nokia servers, processed and optimized, then re-assembled and re-sent to the intended recipient.
“From the tests that were preformed, it is evident that Nokia is performing Man In The Middle Attack for sensitive HTTPS traffic originated from their phone and hence they do have access to clear text information which could include user credentials to various sites such as social networking, banking, credit card information or anything that is sensitive in nature,” Pandya wrote in the announcement.
However, as the mobile phone vendor states, the temporarily-decrypted snippets of data are processed in a secure manner, and are kept out of reach of human operators, including Nokia staffers.
“When temporary decryption of HTTPS connections is required on our proxy servers, to transform and deliver users’ content, it is done in a secure manner,” Nokia said in a statement for The Next Web. “Nokia has implemented appropriate organizational and technical measures to prevent access to private information. Claims that we would access complete unencrypted information are inaccurate.”