Global AppSec Amsterdam

In the last few years, traffic generated by mobile devices has surpassed desktop visits. In order to provide users with the best browsing experience, many website owners specifically tailor their site to mobile devices. While some websites make use of reactive designs, many others opt to create an entirely new "mobile-first" website, typically hosted on a different subdomain than the desktop site. These mobile-first sites provide a unique viewpoint on how organizations handle security: the mobile version of a site is typically developed several years after the desktop site by the same organization. Through a large-scale security analysis on 10,222 domains with both a desktop and mobile-first version, we find several strong indicators that security is generally applied consistently across the different parts of an organization's web estate. Overall, we find relatively few differences between the desktop and mobile versions of a website, both on the adoption and the implementation of security features, indicating that these are applied reactively rather than proactively during the design phase. Nevertheless, we discover that desktop users are unnecessarily facing threats from the mobile website, whereas mobile users are less exposed to vulnerabilities in the desktop site.