June 26, 2013

Safe Browsing and Android

Google says that 1 billion people use the Safe Browsing service in Chrome, Firefox and Safari to protect against phishing and malware. "Approximately one billion people use Google Safe Browsing. We help tens of millions of people every week protect themselves from harm by showing warnings to users of Google Chrome, Mozilla Firefox and Apple Safari when they attempt to navigate to websites that would steal their personal information or install software designed to take over their computers."

Unfortunately, almost no Android user is protected by this service. Safe Browsing is not available in the stock Android browser, in Chrome for Android and in the browsers preloaded by the hardware manufacturers. The only place I found Safe Browsing is the data compression feature that's now available in Chrome Beta. "The proxy also implements Safe Browsing for Chrome for Android, by informing the browser when you attempt to visit a known malware or phishing site. This causes a warning interstitial page to be displayed, which you can click through if you wish to visit the site. This allows the list of harmful sites to be continuously updated on the proxy, without incurring the overhead of updating it over the air." Technically speaking, this isn't a browser feature: it's a feature of the data compression proxy and the proxy is disabled by default.


There's a simple way to test if Safe Browsing works: just visit this URL - http://malware.testing.google.test/testing/malware/. If you see a malware warning, then it works. Another example: gumblar.cn (found here).

Apple's Mobile Safari browser for iOS used Google's Safe Browsing service for many years (from iOS 3.1 to iOS 5), but now it seems to have switched to a different provider. I've tested various URLs in iOS 6 and iOS 7 Beta and Safari doesn't show a warning, while the desktop Chrome does.


Update: Firefox for Android added support for Safe Browsing in January. I tested various malware URLs and I didn't see any warning. There's also no setting for enabling/disabling this feature.

{ Thanks, Arpit. }