by Brian Contos, AppDome VP of Customer Engagement and IDG Contributor
Mobile devices are vulnerable to MiTM attacks too. In particular, mobile apps are vulnerable to MiTM attacks.
Man in the middle attacks (MiTM) are a popular method for hackers to get between a sender and a receiver. MiTM attacks, which are a form of session hijacking are not new. However, what might not be known is that mobile devices are vulnerable to MiTM attacks too. In particular, mobile apps are vulnerable to MiTM attacks.
As part of a series on mobile security I’ve written about other mobile-based attacks here:
Man in the middle attacks
OWASP has one of the simplest and best definitions of a MiTM attack. “The man-in-the middle attack intercepts a communication between two systems.” You might also hear this referenced as a malicious proxy. Edward J. Zaborowski gave a presentation on this topic at DEF CON titled: Malicious Proxies.
A proxy by design simply intercepts a request from a sender to a receiver.
- On behalf of the sender the proxy makes a request to the receiver.
- The proxy receives a response from the receiver.
- Finally, the proxy delivers that information to the sender.
A malicious proxy works the same way. It can intercept, send, receive and modify data without the sender or receiver knowing it’s happening. MiTM, malicious proxies operate similarly with mobile attacks.
MiTM and mobile apps
The exact same vulnerabilities that lead to MiTM attacks on traditional devices apply to mobile devices. The cause is generally associated with incorrect certificate validation and leveraging protocols that are not secure such as various flavors of SSL and early versions of TLS.
For mobile apps to thwart these types of attacks it’s important to look at how the mobile app preforms authentication. Leveraging certificate pinning within the mobile app for example helps ensure that the mobile app is communicating with the device it is expecting to communicate with.
On the mobile device, within the mobile app, certificate pinning links the certificate to the destination’s hostname to create trust. This is generally done when the app is developed at a time when the pinning relationship is known to be valid. There is little reason to do this later when a malicious proxy is already in place.
It’s important to have pinning between the certificate and the server’s hostname and validation that the certificate is from a valid root authority. All of these controls can and should be built directly into the mobile app. Even with other controls in place like whitelisting, certificate pinning is needed to thwart MiTM attacks. For additional information on certificate and public key pinning check out OWASP.