Nokia: Yes, we decrypt HTTPS - but we don't spy
Nokia has admitted that the Nokia Xpress browser redirects even encrypted HTTPS traffic through Nokia servers – and that the data is temporarily decrypted in the process. Indian security researcher Gaurang Pandya noticed the network traffic on his Nokia Asha phone – which is equipped with the Series 40 user interface – and proceeded to examine the Xpress browser, Opera's "Mini" browser and the browser traffic on an older Nokia device. In a response to Pandya's research, Nokia pointed out that the server decryption is secure.
The Nokia Xpress and Opera Mini browsers are designed to compress data in order to reduce data volumes and save users money. The browsers are particularly effective in areas with low connectivity or little bandwidth. Opera's FAQs explain how Opera Mini encrypts the data and note that the data traffic is redirected to servers for rendering as compressed images, which are then sent to the phone. The company freely admits that Opera Mini always uses the proxy. To achieve uninterrupted end-to-end encryption, Opera recommends using the full Opera Mobile web browser.
Nokia's description of the Xpress browser, on the other hand, doesn't mention any encryption at all. Therefore, security researcher Pandya was all the more surprised to discover data traffic continuously going through the Nokia server. After examining the network traffic, the researcher wondered whether Nokia's approach is in conflict with the company's privacy statements.
Nokia responded to Pandya's post by saying that its servers do not store the content of web pages visited by users or any information they enter into them. "When temporary decryption of HTTPS connections is required on our proxy servers, to transform and deliver users’ content, it is done in a secure manner", explained the company, adding that without decryption it would not be possible to accelerate browsing on HTTPS-encrypted web pages, and that the servers are well protected. Therefore, Nokia said that it considers the problem an information policy issue more than a technical issue, and that the Xpress product information will be "checked" and, if necessary, "improved" in view of Pandya's disclosure.
However, Pandya writes that the phenomenon is not restricted to the pre-installed Nokia browser, and that it also affects apps such as the built-in Twitter and email applications which also use the browser. According to the researcher, the Asha smartphone also redirects these types of data traffic through the Nokia server. However, no redirection to Nokia proxies was found on an older Nokia phone (C5-03), said Pandya, neither in connection with the browser nor with any apps.
In an update to his later blog post, Pandya said he had applied a browser update from Nokia and that the browser now appeared to be tunnelling HTTPS over HTTP to the Nokia servers, but it is unclear whether this change has had a positive or negative effect on the security of HTTPS connections.
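The observation Pandya made can be reproduced from a device's own network records: if connections for many different hosts all land on one server that is not the address those hosts resolved to, the browser is proxying them, and HTTPS tunnelled inside plain HTTP to port 80 is visible the same way. The following script is an added example, not code from Pandya or Nokia; the flow records and the proxy address 203.0.113.10 are constructed placeholders.

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple


class Flow(NamedTuple):
    """One connection seen leaving the phone (constructed record format)."""
    host: str         # hostname the app asked for (DNS query / SNI / Host header)
    resolved_ip: str  # address DNS returned for that host on the device
    peer_ip: str      # address the TCP connection actually went to
    peer_port: int    # destination port
    tls_in_http: bool # True if a TLS handshake was wrapped in a plain-HTTP request


def find_proxy_endpoints(flows: List[Flow], min_hosts: int = 2) -> Dict[str, List[str]]:
    """Return peers that terminate connections for several distinct hosts which
    resolved to other addresses: the signature of a transcoding proxy."""
    hosts_by_peer = defaultdict(set)
    for f in flows:
        if f.peer_ip != f.resolved_ip:
            hosts_by_peer[f.peer_ip].add(f.host)
    return {peer: sorted(hosts) for peer, hosts in hosts_by_peer.items()
            if len(hosts) >= min_hosts}


def find_tunnelled_https(flows: List[Flow]) -> List[str]:
    """Hosts whose TLS traffic was carried inside an HTTP request on port 80,
    i.e. 'HTTPS over HTTP' to a relay rather than a direct TLS session."""
    return sorted({f.host for f in flows if f.tls_in_http and f.peer_port == 80})


# Constructed sample: two HTTPS sites and the Twitter app all go to one relay,
# while a single direct connection reaches the origin it resolved to.
SAMPLE_FLOWS = [
    Flow("bank.example", "198.51.100.5", "203.0.113.10", 443, False),
    Flow("mail.example", "198.51.100.9", "203.0.113.10", 443, False),
    Flow("api.twitter.example", "198.51.100.20", "203.0.113.10", 80, True),
    Flow("direct.example", "198.51.100.30", "198.51.100.30", 443, False),
]

if __name__ == "__main__":
    print("proxy endpoints:", find_proxy_endpoints(SAMPLE_FLOWS))
    print("HTTPS tunnelled over HTTP:", find_tunnelled_https(SAMPLE_FLOWS))
```

A peer listed by `find_proxy_endpoints` sees the plaintext of every HTTPS session it terminates, whatever the server operator's retention policy says.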
Correction: An earlier version of this article referred incorrectly to Symbian.