Nokia Browser Relies on Man-in-the-Middle Tactics to Cut Down on Data Bill

At a time when most service providers embrace HTTPS by default, Finnish mobile phone manufacturer Nokia is doing the exact opposite. According to security researcher Gaurang Pandya, user data sent encrypted through the Nokia Xpress browser is decrypted on the Nokia / OVI servers so that it can be compressed to improve speed and save bandwidth.

This means that all HTTPS requests sent by the user to various services (including banking sessions) are decrypted on Nokia servers, processed and optimized, then re-assembled and re-sent to the intended recipient.

“From the tests that were performed, it is evident that Nokia is performing Man In The Middle Attack for sensitive HTTPS traffic originated from their phone and hence they do have access to clear text information which could include user credentials to various sites such as social networking, banking, credit card information or anything that is sensitive in nature,” Pandya wrote in the announcement.

However, according to the mobile phone vendor, the temporarily decrypted snippets of data are processed in a secure manner and are kept out of reach of human operators, including Nokia staffers.

“When temporary decryption of HTTPS connections is required on our proxy servers, to transform and deliver users’ content, it is done in a secure manner,” Nokia said in a statement for The Next Web. “Nokia has implemented appropriate organizational and technical measures to prevent access to private information. Claims that we would access complete unencrypted information are inaccurate.”

About the author


Bogdan Botezatu is living his second childhood at Bitdefender as senior e-threat analyst. When he is not documenting sophisticated strains of malware or writing removal tools, he teaches extreme sports such as surfing the web without protection or rodeo with wild Trojan horses. He believes that most things in life can be beat with strong heuristics and that antimalware research is like working for a secret agency: you need to stay focused at all times, but you get all the glory when you catch the bad guys.