Mobile MiTM Attacks Explained
Learn How to Prevent Man-in-the-Middle Attacks. No code required. Protect mobile app data-in-transit and ensure safe connections. This KB Article explains how to implement MiTM attack prevention in any mobile app using Appdome.
MiTM Attacks Explained
What is a Man-in-the-Middle (MiTM) attack? MiTM attacks occur when an attacker secretly intercepts a communications session between two parties and takes control over the session. For example, when you log in to a mobile banking app and type in your username and password to get authenticated by the bank’s server, the attacker can insert themselves “in the middle” between your app and the bank’s server, where they can intercept and potentially read or alter any information sent between you and the bank. In a MiTM attack, both parties may think they are directly communicating with each other in a private session. But in reality, they are actually communicating with the attacker, who has control over the session.
Why Do Hackers Execute MiTM Attacks?
There are two main goals for MiTM attacks.
- Data Harvesting: MiTM attacks are an easy way for hackers to steal or harvest data ‘in transit’ from the app to the server. Using MiTM attacks (and other forms of network or session hijacking techniques) a malicious attacker can gain access to valuable data, such as usernames, passwords, secrets, API keys and other valuable information. They either monetize this information or use it later in other attacks, such as to infiltrate the ‘backend’ systems or server.
- Malware delivery: Sometimes attackers trick unsuspecting users into downloading malware. For instance, the attacker may pretend to be your bank or your IT department (or some other trusted entity) and ask you to download or update a mobile application – which looks like the real app, but it’s really a fake copy of the real app with malware embedded inside. Once you download the app, the malware activates (usually at some later time so that you don’t suspect it).
MiTM attacks are extremely popular because it can be incredibly hard to tell the difference between an imposter and ‘the real thing’ – even if you are a tech pro. Anyone can fall victim.
How Do Hackers Execute MiTM Attacks?
Attackers use many different methods to initiate MiTM attacks, such as session hijacking. Sometimes attackers intercept traffic from unsecured networks or fake Wifi access points. Other times, they modify DNS entries to redirect traffic, or trick users into clicking on malicious URLs sent via email, SMS or chat sessions in what’s known as a mobile phishing attack.
Hackers often try to hijack sessions at the very beginning of the TLS/SSL handshake, because that gives them the greatest opportunity to control the session. Sometimes the attacker replaces the server’s real certificate with a cryptographically signed fake copy which they present to the app instead. Even security experts can find it tough to tell the difference.
The remainder of this KB article will explain how to use Appdome to prevent Man-in-the-middle attacks. The article will describe each specific feature of Appdome’s Active MiTM attack prevention solution, along with step by step instructions on how to implement each feature in any iOS or Android app – instantly without coding.
How to prevent MiTM Attacks Using Appdome
Appdome is a no-code mobile security and development platform that allows users to add security features, like RASP, code obfuscation, data encryption and more, as well as mobile threat, mobile fraud, anti-bot and other SDKs and APIs to Android and iOS apps. This KB describes how to use Appdome’s simple ‘click to build’ user interface to quickly and easily build MiTM attack Protection into any mobile app – instantly, no code or coding required.
Using Appdome, there are no development or coding prerequisites. For example, there is no Appdome SDK, libraries, or plug-ins required to implement MiTM attack Prevention in order to prevent connecting to malicious entities.
Overview of Appdome’s MiTM Prevention Resources
You can implement Appdome Active MiTM Prevention to prevent MiTM attacks in any iOS or Android app in minutes. Appdome also protects all apps from malicious proxies, modified or untrusted Certificates, and the reuse of stale sessions. Appdome MiTM attack prevention can be found in the Appdome Mobile Security Suite and under the category – Secure Communication.
Appdome’s technology prevents attackers from gaining control over the session before the TLS handshake completes. When an application initiates a handshake with the server, Appdome’s technology inspects the traffic to validate the integrity and authenticity of certificates, CAs, as well as session state information, and more. This inspection occurs before a would-be attacker can take control over the session or insert an altered certificate as part of the initial handshake. If Appdome detects that any element of the encryption model or session has been modified, the session is automatically dropped and an App Compromise Notification is presented to the user, thus preventing the MiTM attack.
You can also build mobile apps using Appdome’s FIPS-140-2 feature set, in which case all of the cryptographic components, algorithms, communications sessions, etc. will use FIPS-140-2 certified components/libraries.
Appdome Active MiTM Attack Prevention Features
Protecting against MiTM attacks and malicious proxies is a critical cyber-defense strategy. Mobile MiTM attacks target the connection between a mobile app and the server it connects to. Hackers use different attack methods to execute MiTM attacks, including attaching proxies to insecure network or wifi connections, exploiting stale session IDs, modifying or redirecting DNS requests, and more.
If the attacker has control over the user’s network, they could try to impersonate the server-side and replace the server certificate with their own fake or malicious certificate.
Appdome will identify and block the malicious certificate during the SSL Handshake. Appdome prevents the attack by validating the authenticity of the SSL certificate used by the destination server and preventing the application from connecting to untrusted, unknown, or malicious destinations, servers, or websites.
In MiTM attacks, it’s common for attackers to proxy traffic through a malicious machine/server/network that they control. For certain protocols (HTTP especially), it may be possible for the attacker to read/modify/steal the content being transmitted, or to conduct ransomware attacks, deposit malware, and much more.
Appdome detects and prevents mobile apps from connecting to malicious proxies. If the mobile device is configured with a proxy server that sends a malicious connection or certificate to the device, Appdome’s technology detects the untrusted certificate and terminates the connection.
Stale sessions can be reclaimed by hackers and re-used in their attacks, and such reuse of sessions may go unnoticed for months or longer. Appdome detects and prohibits session reuse and reclaimed SessionIDs so that hackers cannot use stale sessions in attacks.
Mobile devices come pre-loaded with an OEM list of trusted CA(s) built-in. However, CA(s) can be installed on the device in malicious ways, or modified by attackers, which makes mobile users vulnerable to MiTM and Phishing attacks.
To combat these threats, Appdome continuously maintains an up-to-date list of publicly trusted CAs (such as Verisign, Go-Daddy and others). When the application creates a trusted session with an SSL server, Appdome checks the connection against an updated and secure list that comes with Appdome. This means that if a certificate was installed on the device but not uploaded via Appdome to the trust store, the CA(s) will not be trusted and the connection will be dropped.
If your application connects to a local enterprise server that uses your company-specific CA certificate (the one which usually needs to be installed on the device in order to authorize the TLS connection), you can pin these certificates to the app/device, and thus eliminate risk of the app connecting to a compromised peer server.
With Appdome Secure Certificate Pinning, certificate validation is performed automatically. Appdome verifies the authenticity of the SSL/TLS certificates received from the server against a predefined set of Certificate Authority (CA) certificates. This first occurs during the initial secure communication exchange (SSL/TLS handshake). The certificate validation process typically proceeds in three steps and takes three inputs: the first is the certificate to be validated, the second is any intermediate certificates acquired by the application, and the third is a store containing the root and intermediate certificates trusted by the application.
You can upload certificates as a file or zip file in any of the following formats: .cer, .crt, .pem, .der, .zip.
This will add your certificate to the list of known and trusted certificates. When Appdome inspects the connection, it validates that the legitimate trusted certificate is being used. If not, the session is dropped.
Appdome also offers “Session Control” options. You can enable these optional settings to increase the security level of various components of the encryption model (for example to increase key strength, specify acceptable cipher suites, enforce TLS versions, and more). Each feature is part of Appdome’s comprehensive MiTM attack prevention. Below is a list of Session Control options available on Appdome:
- Enforce Cipher Suites: Connections established using a non-approved cipher specification are regarded as compromised and dropped.
- Enforce TLS Version: Network connections must conform to TLS 1.2 or higher.
- Enforce Certificate Roles: Network connections must verify the ‘basicConstraints’ extension in the certificate chain.
- Enforce Strong RSA Signature: Server certificate signatures must use a Rivest-Shamir-Adleman (RSA) key with a length of at least 2048 bits.
- Enforce Strong ECC Signature: Server certificate signatures must use an Elliptic-Curve Cryptography (ECC) key with a size of at least 256 bits.
- Enforce SHA256 Digest: Server certificate signatures must use at least a SHA256 certificate hashing algorithm.
- Permit DNS over TCP: As covered in RFC 7766, some customers may prefer TCP over UDP for DNS traffic because of the protection it provides against address spoofing and against the exploitation of DNS in reflection/amplification attacks. Enabling this setting allows the mobile app’s DNS requests over TCP to pass undisrupted.
- Static CA Pinning: Pin a static client certificate to the built app to authenticate client connections on a MicroVPN gateway.
- IP Address Visibility: When an application establishes a connection, some components might alter the IPs that the application sees. This option ensures that Appdome reports the actual IP addresses, which is important when you are auditing the IP addresses your apps use.
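The following is an added example and not Appdome’s code (the page does not describe Appdome’s implementation): it models the Session Control options above (TLS version, cipher suites, certificate roles, key sizes, digest) together with the trust-store check from the certificate pinning section, using Python’s standard ssl module for the transport settings and a policy function over certificate-chain metadata. The function names, the accepted-cipher and accepted-digest lists, and the sample chains and roots are all assumptions constructed for the example.

```python
# Added example, not Appdome's code: a client-side model of the Session Control and
# trust-store checks described above. Chains and roots below are constructed sample data.
import ssl

APPROVED_CIPHERS = ("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
                    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256")
MIN_RSA_BITS, MIN_ECC_BITS = 2048, 256            # Enforce Strong RSA / ECC Signature
ACCEPTED_HASHES = {"sha256", "sha384", "sha512"}  # Enforce SHA256 Digest

def hardened_client_context() -> ssl.SSLContext:
    """Enforce TLS Version and Enforce Cipher Suites using only the standard library."""
    ctx = ssl.create_default_context()    # CERT_REQUIRED, hostname check, platform trust store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(APPROVED_CIPHERS)     # a non-approved suite can never be negotiated
    return ctx

def check_chain(chain, trusted_roots):
    """chain: leaf-first list of dicts (subject, ca, key_type, key_bits, sig_hash).
    Returns the list of policy violations; an empty list means the session may proceed."""
    problems = []
    for i, cert in enumerate(chain):
        is_leaf = i == 0
        # Enforce Certificate Roles: issuers must assert basicConstraints CA=TRUE and the
        # leaf must not, otherwise an end-entity key could sign further certificates.
        if bool(cert["ca"]) == is_leaf:
            problems.append(f"{cert['subject']}: basicConstraints CA={cert['ca']}")
        limit = {"RSA": MIN_RSA_BITS, "EC": MIN_ECC_BITS}.get(cert["key_type"])
        if limit is None:
            problems.append(f"{cert['subject']}: unsupported key type {cert['key_type']}")
        elif cert["key_bits"] < limit:
            problems.append(f"{cert['subject']}: {cert['key_type']} key of only {cert['key_bits']} bits")
        if cert["sig_hash"].lower() not in ACCEPTED_HASHES:
            problems.append(f"{cert['subject']}: weak signature digest {cert['sig_hash']}")
    # The chain must end at a CA the app was built to trust, not merely one installed on the device.
    if not chain or chain[-1]["subject"] not in trusted_roots:
        problems.append("chain does not terminate at a trusted root")
    return problems

# Constructed sample data: a legitimate chain, and an interposed-proxy chain whose
# device-installed root signs a 1024-bit, SHA-1 leaf that also claims to be a CA.
TRUSTED_ROOTS = {"CN=Example Public Root CA", "CN=Corp Private Root CA"}
GOOD_CHAIN = [
    {"subject": "CN=api.example.com", "ca": False, "key_type": "EC", "key_bits": 256, "sig_hash": "sha256"},
    {"subject": "CN=Example Issuing CA", "ca": True, "key_type": "RSA", "key_bits": 4096, "sig_hash": "sha384"},
    {"subject": "CN=Example Public Root CA", "ca": True, "key_type": "RSA", "key_bits": 4096, "sig_hash": "sha256"},
]
PROXY_CHAIN = [
    {"subject": "CN=api.example.com", "ca": True, "key_type": "RSA", "key_bits": 1024, "sig_hash": "sha1"},
    {"subject": "CN=Intercepting Proxy CA", "ca": True, "key_type": "RSA", "key_bits": 2048, "sig_hash": "sha256"},
]
```

Running `check_chain(PROXY_CHAIN, TRUSTED_ROOTS)` reports four violations (leaf marked as a CA, 1024-bit key, SHA-1 digest, untrusted root), each of which on its own would cause the session to be dropped.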
Other Features in Appdome’s Secure Communication Category
URL Whitelist: This allows the built app to access a specified list of trusted hosts and destinations.
This specifies a secret that will be included in every URL connection request completed by the app. The defined secret can also be verified by the backend to identify valid apps.
- Secret Text – This is the unique text you’ve defined for your app to use as a secret text.
- Signature Header – Optionally an app builder can specify a name for the signature header.
Read Configuring Appdome Security Alerts for configuration details and more info.
An App Compromise Notification is a configurable message displayed to the user whenever Appdome detects the application may be compromised. You can customize these messages to display any text you wish the user to see before the application exits.
Prerequisites for using Active MiTM Prevention
- Appdome account – IDEAL or higher.
- Appdome-DEV access
- Mobile application (.ipa for iOS, or .apk or .aab for Android)
- Signing credentials (e.g., signing certificates and provisioning profile)
- Private CAs
How to Add Active MiTM Prevention to Any Mobile App using Appdome
Follow these step-by-step instructions to protect mobile applications from Man-in-the-Middle and session hijacking attacks:
Upload a Mobile Application to Your Account
From the “Build” tab, go to the Security menu
- Click Secure Communications to expand the bundle.
- Click on the toggle to enable MiTM Prevention.
- (optional) Fill out the custom message that is displayed in case of a security event.
- MiTM Prevention will be automatically enabled on your app
- Malicious Proxy Detection will be automatically enabled on your app
- Prohibit Stale Sessions option will be automatically enabled on your app
- Trust World Wide Public CAs option will be automatically enabled on your app
- Enable Threat Events to configure this security alert on your app.
- (optional) Enable SecureAPI™ to implement Secure Certificate Pinning, which will verify your private server certificates
- Enable Threat Events to configure this security alert on your app.
- Expand the sub-bundle Session Control.
- (optional) Click on the toggle to Enforce Cipher Suites to limit the encryption ciphers that should be allowed for communication.
- (optional) Click on the toggle to Enforce TLS Version to limit allowed connections to newer more secure communication methods.
- (optional) Click on the toggle to Enforce Certificate Roles to verify ‘basicConstraints’ extension in the certificate chain of connections.
- (optional) Click on the toggle to Enforce Strong RSA Signature to require leaf and intermediate certificates received from the server to be signed with a Rivest-Shamir-Adleman (RSA) key with a length of at least 2048 bits.
- (optional) Click on the toggle to Enforce Strong ECC Signature to require leaf and intermediate certificates received from the server to be signed with an Elliptic-Curve Cryptography (ECC) key with a size of at least 256 bits.
- (optional) Click on the toggle to Enforce SHA256 Digest to enforce server certificate signatures to use at least a SHA256 certificate hashing algorithm.
- (optional) Use IP Address Visibility to ensure that all IP addresses that the application uses to make connections are the real IP addresses of the destination (as explained above).
- (optional) Use Permit DNS over TCP to allow DNS connections requests over TCP (rather than UDP) to pass undisrupted.
- (optional) Click on the toggle to enable Static CA Pinning.
- Enable Threat Events to configure each of the security alerts above on your app.
- (optional) Click on the toggle to add URL whitelist to your app
- (optional) Click on the toggle to enable Threat Events on your app
- Click Build My App
The technology behind Build My App has two major elements – (1) a microservices architecture filled with 1000s of code sets needed for mobile integrations, and (2) an adaptive code generation engine that can recognize the development environment, frameworks and methods in each app and match the application to the relevant code-sets needed to add the requested service to the mobile application in seconds.
Congratulations! When your integration is complete, you will see the notice below. You now have a mobile app fully integrated with Trusted Session for MiTM attack prevention.
What to do After I Build My App?
After you’re finished building your app, there are a few additional steps needed to complete your project.
How Do I Learn More?
If you have any questions, please send them our way at email@example.com or via the chat window on the Appdome platform.
- How to Prevent SSL Cookie Hijacking & Mobile MiTM Attacks
- How to use Secure Certificate Pinning in Android & iOS Apps
Other helpful third-party articles:
- Certificate Pinning and Public Key Pinning Control – OWASP
- MiTM Attacks – OWASP.
- Certificate Validation