Mobile Web Identity Leakage in HTTP Headers

This year has seen some interesting research (Mulliner and xuf) into the way mobile carriers modify users’ HTTP traffic when surfing the web. Unlike most ISPs, which provide you with a direct pipe to the internet (with little or no filtering), mobile phone carriers behave in a much more gateway-like fashion. As such, mobile carrier proxies tend to add information into the headers of HTTP traffic, some of it just for session-tracking, others containing interesting data.

Of all the information added into HTTP headers, by far the most interesting is the inclusion of the user’s handset IMEI (a unique identifier) or mobile telephone number. These are inserted into headers, such as X-Network-info, and is then available to anyone with access to the network traffic. If a website is so inclined, they can log the headers associated with HTTP requests and then use this information to further track and/or advertise to you. If I were so inclined, I could wait for a mobile browser to leak the visitor’s telephone number and give them a call!

Your browsing activities are already very trackable thanks to a number of things including browser fingerprinting, but this issue now makes you potentially personally identifiable – and trackable. Mulliner’s set up a simple Privacy Checker, where you can see what headers your mobile browsing creates.