The fast-loading default browser used on most Nokia mobile handsets, including its ‘Asha’ range, appears to be a double-edged sword.
While the ‘Xpress’ browser is quick and used on resource-constrained devices that cannot run a full-fledged web browser, it appears that it decrypts data that flows through its ‘HTTPS’ connections – giving the company the ability to peep at connections set up for banking session, encrypted email and the like.
“From the tests that were performed, it is evident that Nokia is performing a ‘man in the middle attack’ for sensitive HTTPS traffic originating from their phone – and, hence, they have access to information which could include user credentials to various sites such as banking and social networking,” said Gaurav Pandya, a security analyst at Unisys Global Services India.
Nokia, in a statement, however has rejected claims that it might be spying on its user’s encrypted Internet traffic but admitted that it temporarily decrypts secure HTTPS connections for the benefit of customers.
“The compression that occurs within the browser means that users can get faster web browsing. When temporary decryption of HTTPS connections is required by our proxy servers, it is done in a secure manner. Claims that we would access complete unencrypted information are inaccurate,” a company spokesperson said.
