Security Header Fields in HTTP Clients
This highlights a security vulnerability in mobile app communications that could lead to data leaks or code execution, though it is incremental as it focuses on documenting an existing issue rather than proposing a new solution.
The study investigated the adoption of security-relevant HTTP headers in mobile applications by analyzing 9,714 URLs from 3,376 apps, finding that support for these headers is largely absent in major HTTP clients and rarely provided by servers.
HTTP headers are commonly used to establish web communications, and some of them are relevant for security. However, we have only little information about the usage and support of security-relevant headers in mobile applications. We explored the adoption of such headers in mobile app communication by querying 9,714 distinct URLs that were used in 3,376 apps and collected each server's response information. We discovered that support for secure HTTP header fields is absent in all major HTTP clients, and it is barely provided with any server response. Based on these results, we discuss opportunities for improvement particularly to reduce the likelihood of data leaks and arbitrary code execution. We advocate more comprehensive use of existing HTTP headers and timely development of relevant web browser security features in HTTP client libraries.