Nokia Xpress browser found to decrypt HTTPS traffic and get all your sensitive information, Nokia says don't worry

Nokia Xpress browser found to decrypt HTTPS traffic and get all your sensitive information, Nokia says don't worry
Nokia takes pride in its Xpress Brower in more affordable feature phones like its Asha devices and it is also used even on Lumia Windows Phones, mostly because it aims to offer faster browsing, but the company has kept a secret the fact that in order to do that the browser actually decrypts HTTPS website requests in what could be a dangerous privacy breach.

Basically, Nokia admitted the Xpress Browser would decrypt all data going through HTTPS connections, after Indian security researcher Gaurang Pandya signaled the alarm that traffic from his Asha Series 40 phone was being routed through Nokia’s servers.

This is done to condense traffic and is similar to what other browsers like Opera Mini do. The benefit is for those with low data allowances who still want to make the most of their megabytes.

What’s troubling however is the particular fact that Nokia gets to see decrypted HTTPS requests and get access to sensitive information.

“From the tests that were preformed, it is evident that Nokia is performing Man In The Middle Attack for sensitive HTTPS traffic originated from their phone and hence they do have access to clear text information which could include user credentials to various sites such as social networking, banking, credit card information or anything that is sensitive in nature.”

Nokia has now replied to the allegations with the following:

“Importantly, the proxy servers do not store the content of web pages visited by our users or any information they enter into them,” the company said. “When temporary decryption of HTTPS connections is required on our proxy servers, to transform and deliver users’ content, it is done in a secure manner.

Nokia has implemented appropriate organizational and technical measures to prevent access to private information. Claims that we would access complete unencrypted information are inaccurate.”

Bottomline is you’d just have to trust Nokia. What is troubling however is the fact that unlike other similar browsers like Opera Mini, the company was up until now secretive about all of this activity happening under the hood.

source: GigaOM

FEATURED VIDEO

18 Comments

1. PhoneArenaUser

Posts: 5498; Member since: Aug 05, 2011

Hackers also says "Don't worry...". :)

2. Awsan

Posts: 7; Member since: Jan 04, 2013

You trust google and facebook everyday with everything but you cant trust nokia for once??

4. PhoneArenaUser

Posts: 5498; Member since: Aug 05, 2011

I don't trust no one of them, nor Nokia, nor Facebook, nor Google.

6. Nathan_ingx

Posts: 4769; Member since: Mar 07, 2012

Yup, i trust none either... Anything can be broken into...

9. wendygarett unregistered

But I trust you Nathan :)

11. Nathan_ingx

Posts: 4769; Member since: Mar 07, 2012

...and you should, i'm not something that is available on the internet :D Thank though...appreciate that.

16. Credo

Posts: 749; Member since: Apr 19, 2012

Hey Wendy did you know that the 6th generation of Pokemon is being announced ?

17. wendygarett unregistered

I do :) isn't it awesome?

3. Nathan_ingx

Posts: 4769; Member since: Mar 07, 2012

I saw the headline and i thought a Lumia Xpressmusic phone was in the rumor mills. Lol, bad eye...

8. eisenbricher

Posts: 973; Member since: Aug 09, 2012

Nokia needs one XpressMusic Lumia phone. Camera and pureview are all good, but Sound output is not that good as used to be on older phones such as N91 and 5800. You are correct about this.

12. Nathan_ingx

Posts: 4769; Member since: Mar 07, 2012

I never gave it a thought until i misread the headline. But i think a Lumia Xpressmusic phone with Pureview goodness should widen the customer base and put Nokia in a good spot.

5. skuld

Posts: 44; Member since: Jan 10, 2013

why not worry?

7. thunderbolt

Posts: 76; Member since: Jan 10, 2013

yea not to worry till card gets compromised ... and then headaches follow.

10. muhsen

Posts: 281; Member since: Jun 07, 2012

its funny, that this was only made big deal in the case of nokia xpress browser , while all this is actually the same with opera mini and uc browser. all compressing browsers whatever they r use decryption of all data going through HTTPS connections and no one seems to complain about opera mini or uc browser. btw ,about "What is troubling however is the fact that unlike other similar browsers like Opera Mini, the company was up until now secretive about all of this activity happening under the hood. " , nokia didn't say about it because they don't need to since nokia xpress browser is a compressing browser so it will use the same techniques as any compressing browser like opera mini and uc browser so it will use decryption HTTPS. and frankly, neither opera nor uc spoke about that in opera mini and uc browser so no point of the big deal. besides if nokia(or samsung or apple) wants to steal ur data, i think they have all the means to steal it as they manufacture phones. no point of this article!!! next please!

13. dexter_jdr

Posts: 1163; Member since: Jun 28, 2012

CLAP-CLAP.

14. PhoneArenaUser

Posts: 5498; Member since: Aug 05, 2011

True data. +1

15. roscuthiii

Posts: 2383; Member since: Jul 18, 2010

...but I always worry when somebody says, "Don't worry." It's like when I walk in a bank and say, "Nobody move." They always move. :-\

18. sonofzeus

Posts: 95; Member since: Jul 05, 2012

The issue is not about trusting nokia, now the hackers know where to hack to get all the personal info at one stop

Latest Stories

This copy is for your personal, non-commercial use only. You can order presentation-ready copies for distribution to your colleagues, clients or customers at https://www.parsintl.com/phonearena or use the Reprints & Permissions tool that appears at the bottom of each web page. Visit https://www.parsintl.com/ for samples and additional information.