Google Safe Browsing can differ between desktop and mobile. Why?
Google continues to address security issues, but their blacklist service, Google Safe Browsing, doesn’t provide equal protection for desktop and mobile.
We have been watching Google’s latest moves around improving security for users and have seen a lot of positives steps, including progress around reining in Chrome extensions by reducing their power and pushing for users to adopt hardware security keys.
One especially useful tool that has emerged is Google Safe Browsing. It’s a service that protects billions of consumer and enterprise devices against malicious and phishing websites. Google marks sites deemed as unsafe or suspicious with warnings, preventing users from accessing the dangerous sites accidentally through Chrome and other services that use the Safe Browsing API. (Though you can still purposefully gain access if you wish.)
However, we recently learned that the experience for desktop and mobile versions Google Safe Browsing isn’t the same.
What’s the issue with Google Safe Browsing?
Wandera recently published a blog post about how the experience for desktop and mobile users isn’t the same, with mobile users potentially more vulnerable. This discovery interested me, so I reached out to VP of Product Strategy Michael Covington to learn more.
He explained that Wandera learned about the discrepancy while testing suspicious URLs. They would feed URLs into Google Safe Browsing to see if others had found them yet. Michael likened Safe Browsing to a black box: There’s intelligence within, but no one outside of Google knows what’s there, so all you can do is push it a URL and see what pre-existing info Safe Browsing does or doesn’t have.
Wandera wanted to see if their services identified potentially harmful sites first, but noticed that the mobile Chrome browser didn’t always warn users while the desktop version did. Michael said that they tested the two Safe Browsing experiences for about eight months. They used a mixture of zero-day suspicious sites that lacked content or that was hidden, as well as known attack sites on Google Safe Browsing. Michael said there wasn’t any trend in what actually got flagged or didn’t on mobile vs desktop.
A positive aspect that Wandera did see was that sites not previously flagged in Safe Browsing would be after a matter of days. It shows that Google constantly updates Safe Browsing, moving fairly quickly. Unfortunately, this really only affected those on desktops, with the mobile version lagging behind and sometimes never adding some suspicious sites—it was never the other way around.
What does Google say?
Wandera reached out to Google to ask about the difference in user experience. Google provided a somewhat weak response, claiming the differences were due to mobile device limitations:
“(1) Some Safe Browsing implementations have access to a different list of threats compared to the public API. Thus, you may see different results between Chrome and other clients.
(2) The mobile implementation of the browser receives a curated set of threats in the interest of using device bandwidth and memory responsibly.”
Google has to play conservatively
Google has to walk a fine line here with Safe Browsing, making sure they make conservative decisions—what if they mistakenly label a perfectly safe site, effectively drying up site traffic before a correction is made? This also allows mobile threat defense vendors to step in to protect users more—without hurting the sites like Google could.
And, yes, Google’s answer isn’t the most satisfying, but at the same time they are limited by what mobile OSes allow of apps when it comes to consuming memory and other system resources. While I hope Google finds a way to better protect mobile users (it can be more difficult on a mobile device to notice you’re on a potentially harmful URL), it remains to be seen whether users are actually suffering any ill effects.
Safe Browsing transparency
Google released their transparency report in July for Safe Browsing, which provided datasets around the number of phishing and malware sites identified from back in 2016 to March 2019. You can play around with the datasets yourself, but here are some highlights: The transparency report shows that the detection of new malware sites peaked at nearly 77,000 for the week of June 14, 2009 and dropped to a little over 3,000 sites in February 2019. New phishing sites are on the rise, with it being nearly non-existent in 2007, to peaking around 54,000 in February 2016 to staying consistent at around 28,000 every week in 2018,
In addition to being able to review the number of potentially harmful sites, Safe Browsing transparency report also shows how many users received warnings about sites and how long it took webmasters to address issues on their compromised sites. The transparency report also provides a site status page where you can input any URL and it’ll tell you right there if it’s currently safe or not.
