Security tips for mobile application developers
Like screenplay writers at Starbucks, SSL is everywhere. You would hope that SSL certificate validation and pinning would be everywhere too. Unfortunately, that’s not yet the case, and a lack of SSL certificate validation and pinning weakens the usefulness of a certificate in establishing trust. Pharming, unfortunately, is also very common, and attackers who use it count on exactly these weaknesses.
What is mobile pharming?
Pharming works by redirecting a user’s web traffic to a fake, malicious website. It does not require tricking the user; it only requires getting a user on a traditional or mobile device to the fake site. For example, instead of my bank resolving to x.x.x.1, my bank now resolves to x.x.x.2, which is really the attacker’s fake bank site made up to look like my bank’s site.
There are some pretty creative ways for pharming to work, such as DNS spoofing (also called DNS cache poisoning). Jeremy Kirk wrote a piece for Computerworld on a pharming attack that leveraged a router flaw: Hackers exploit router flaws in unusual pharming attack. Regardless of the pharming method, once the user connects to the malicious site, the attacker attempts to harvest sensitive information.
What is SSL certificate validation and pinning?
SSL certificate validation checks that the certificate a server presents, which binds details about an organization to a cryptographic key, is authentic. It helps ensure your app is talking to a server holding a genuine certificate. Pinning goes a step further and links a host to a specific certificate in your app, so that a mismatch, such as in the case of a pharming attack, generates an alert or triggers another action, depending on how you implement the feature on Appdome.
SSL certificate validation and pinning can be used together to combat mobile pharming by determining “yes,” the certificate is authentic, and “yes,” the expected host is the host the app is connected to. If either check fails, the app should alert the user. For a deeper dive on certificates and certificate pinning, check out this video by Marty Burolla on #AskADev.
How to Implement No-code Certificate Validation and Certificate Pinning on Appdome
Appdome’s no-code mobile development and security platform enables developers and security folks to implement their choice of mobile security features (including SSL Certificate Validation and Certificate Pinning and many other features) in any iOS or Android app in minutes, without coding.
When you choose to add certificate validation to your app using Appdome, your app’s SSL certificates are validated to ensure they are authentic every time a user fires up your app. If the certificate validation fails, e.g. because of a fraudulent certificate, the user will be alerted on the mobile device.
In addition, you can add certificate pinning to any app for additional protection. This is the process of linking a host to a specific certificate or a CA (Certificate Authority). Even if a specific host is whitelisted (which I’ve blogged about previously), pinning ensures that the destination matches the pinned certificate your app expects.
In the case of pharming achieved via DNS spoofing, your Appdome-built app will detect the inconsistency, because the pharming site is fake and is not the legitimate site pinned to the certificate. The app will then alert the user. This is also useful against attacks where sessions terminate on a malicious proxy or are subject to a Man-in-the-Middle attack.
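The validate-then-pin sequence described above, as an added Python example that is not part of the original post and not Appdome’s code: the host bank.example and the pin digests are placeholders, and the pin is the SHA-256 of the leaf certificate’s DER bytes. Validation failures and pin mismatches are surfaced separately so the app can alert the user in either case.

```python
import hashlib
import socket
import ssl

# Constructed pin table (hypothetical host, placeholder digests, not real values):
# host -> acceptable SHA-256 fingerprints of the DER-encoded leaf certificate.
# Keep a current and a backup pin so certificate rotation cannot lock users out.
PINNED_HOSTS = {
    "bank.example": {"<sha256-hex-of-current-cert>", "<sha256-hex-of-backup-cert>"},
}

class PinMismatch(Exception):
    """Chain validated, but the leaf certificate is not one the app pinned."""

def sha256_pin(cert_der: bytes) -> str:
    """The pin: SHA-256 over the DER bytes of a certificate, as lowercase hex."""
    return hashlib.sha256(cert_der).hexdigest()

def check_pin(host: str, cert_der: bytes, pins: dict) -> bool:
    """True if the presented certificate matches a pin for host.
    A host with no entry falls back to validation only (no pin enforced)."""
    expected = pins.get(host)
    if expected is None:
        return True
    return sha256_pin(cert_der) in expected

def connect_pinned(host: str, port: int = 443, pins: dict = PINNED_HOSTS) -> str:
    """Validate first, then pin. Returns the fingerprint of the accepted cert.
    Raises ssl.SSLCertVerificationError when validation fails (e.g. a fraudulent
    certificate) and PinMismatch when the certificate is valid but not the pinned
    one (e.g. a pharming site fronted by a legitimately issued certificate)."""
    ctx = ssl.create_default_context()          # step 1: chain + hostname validation
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert_der = tls.getpeercert(binary_form=True)
            if not check_pin(host, cert_der, pins):  # step 2: pin check
                raise PinMismatch(f"{host}: {sha256_pin(cert_der)} is not a pinned value")
            return sha256_pin(cert_der)

if __name__ == "__main__":
    try:
        print("accepted:", connect_pinned("bank.example"))
    except PinMismatch as err:                  # the app-level alert the post describes
        print("ALERT (pin mismatch):", err)
    except OSError as err:                      # includes ssl.SSLCertVerificationError
        print("ALERT (validation or connection failed):", err)
```

To pin a real host, replace the placeholder digests with the SHA-256 of that host’s current and backup leaf certificates in DER form.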
You can implement certificate pinning and validation on their own or in conjunction with other Appdome security features, such as anti-tampering, encryption, and obfuscation. In summary, with Appdome you can increase the security of your app and build a layered defense in minutes, all within your existing development or security workflows.
Check out our free Developers Guide to Mobile App Security to understand why mobile app security is so important, and see how Appdome makes it easy for mobile app developers to secure their apps from the get-go!
Thanks for reading! This blog is part of Appdome’s Mobile Security Basics category, which is appropriate for readers of any level to increase their Mobile security knowledge.