HTTP headers are commonly used to establish web communications, and some of them are relevant for security. However, little is known about the usage and support of security-relevant headers in mobile applications. We explored the adoption of such headers in mobile app communication by querying 9,714 distinct URLs used in 3,376 apps and collecting each server's response. We found that support for security-relevant HTTP header fields is absent in all major HTTP client libraries and is barely provided by server responses. Based on these results, we discuss opportunities for improvement, particularly to reduce the likelihood of data leaks and arbitrary code execution. We advocate more comprehensive use of existing HTTP headers and timely implementation of the relevant web browser security features in HTTP client libraries.
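The survey methodology described above amounts to collecting server responses and checking which security-relevant header fields are present and sensibly configured. The following is an added example written for this page, not the paper's own tooling: it parses a raw HTTP/1.1 response and audits a handful of widely used security headers. The header list, the one-year HSTS max-age threshold, and the sample response are assumptions constructed here, not the paper's exact criteria or data.

```python
"""Added example: check which security-relevant headers a server response carries.

Illustrative code written for this page, not the paper's own tooling. The raw
response below is constructed, not captured from any real server, and the
header list and thresholds are assumptions rather than the paper's criteria.
"""
import re

# Assumption: one year is the commonly recommended minimum HSTS max-age.
HSTS_MIN_MAX_AGE = 31536000


def parse_response(raw: str):
    """Split a raw HTTP response into (status_code, headers).

    headers maps lowercase field names to a list of values, because fields
    such as Set-Cookie may legitimately appear more than once.
    """
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    m = re.match(r"HTTP/\d(?:\.\d)?\s+(\d{3})", lines[0])
    if not m:
        raise ValueError("not an HTTP response: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return int(m.group(1)), headers


def _directives(value: str):
    """Parse 'a=1; b; c=2' style header values into a lowercase dict."""
    out = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, val = part.partition("=")
        out[key.strip().lower()] = val.strip().strip('"')
    return out


def audit_security_headers(headers):
    """Return {check_name: (passed, reason)} for the headers of interest."""
    results = {}

    hsts = headers.get("strict-transport-security")
    if not hsts:
        results["hsts"] = (False, "Strict-Transport-Security absent")
    else:
        d = _directives(hsts[0])
        try:
            max_age = int(d.get("max-age", ""))
        except ValueError:
            max_age = -1
        if max_age >= HSTS_MIN_MAX_AGE:
            results["hsts"] = (True, "max-age=%d" % max_age)
        else:
            results["hsts"] = (False, "max-age too small or missing: %r" % d.get("max-age"))

    csp = headers.get("content-security-policy")
    if not csp:
        results["csp"] = (False, "Content-Security-Policy absent")
    elif "'unsafe-inline'" in csp[0] or "'unsafe-eval'" in csp[0]:
        results["csp"] = (False, "policy allows unsafe-inline/unsafe-eval")
    else:
        results["csp"] = (True, "policy present")

    xcto = headers.get("x-content-type-options", [""])[0].lower()
    results["nosniff"] = (xcto == "nosniff", "X-Content-Type-Options=%r" % xcto)

    xfo = headers.get("x-frame-options", [""])[0].upper()
    results["frame_options"] = (xfo in ("DENY", "SAMEORIGIN"), "X-Frame-Options=%r" % xfo)

    cookies = headers.get("set-cookie", [])
    if cookies:
        # A cookie passes only if both Secure and HttpOnly attributes are set.
        bad = [c.split("=", 1)[0] for c in cookies
               if not {"secure", "httponly"} <= set(_directives(c).keys())]
        results["cookies"] = (not bad, "cookies missing Secure/HttpOnly: %s" % bad)

    return results


def missing_checks(results):
    """Names of checks that failed, sorted for stable reporting."""
    return sorted(name for name, (ok, _) in results.items() if not ok)


# Constructed sample response (not from a real server): HSTS with a short
# max-age, no CSP, nosniff set, no X-Frame-Options, one cookie without HttpOnly.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: example\r\n"
    "Strict-Transport-Security: max-age=600\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Set-Cookie: session=abc123; Path=/; Secure\r\n"
    "Set-Cookie: pref=dark; Path=/; Secure; HttpOnly\r\n"
    "Content-Type: application/json\r\n"
    "\r\n"
    '{"ok":true}'
)

if __name__ == "__main__":
    status, hdrs = parse_response(SAMPLE_RESPONSE)
    for name, (ok, why) in sorted(audit_security_headers(hdrs).items()):
        print("%-14s %s  %s" % (name, "OK  " if ok else "FAIL", why))
```

Run against the constructed sample, the audit reports `cookies`, `csp`, `frame_options` and `hsts` as failing and only `nosniff` as passing. To reproduce the survey's approach, the same two functions would be applied to responses fetched from each URL in the app corpus, with the failing-check lists aggregated per server. Note that a header being sent by the server says nothing about whether the app's HTTP client library enforces it, which is the second half of the paper's finding.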