The Department of Homeland Security’s April 12 alert on VPN app security caught our attention.
In it, the Cybersecurity and Infrastructure Security Agency (CISA) pointed to a Vulnerability Note from Carnegie Mellon’s CERT Coordination Center that stated: “multiple VPN applications store the authentication and/or session cookies insecurely in memory and/or log files.” And that “if an attacker has persistent access to a VPN user’s endpoint or exfiltrates the cookie using other methods, they can replay the session and bypass other authentication methods. An attacker would then have access to the same applications that the user does through their VPN session.”
The alert affected solutions from Cisco, F5 Networks, Palo Alto Networks, and Pulse Secure.
As SDX Central states, the vulnerable VPN products store the authentication and/or session cookies insecurely in memory and/or log files. This means that through generating cookies — that are stored in plain text — the VPNs give attackers access to applications without having to log in.
A determined hacker trying to access privileged information only needs one compromised device. From there, they access the session cookies and use the VPN connection to gain full network access. Resulting in free access to do whatever damage they intend to do. This includes stealing confidential information, destroying data, installing malicious software, holding an entire network hostage or launching attacks on other entities.
Eliminating the Risks for Mobile Apps
With Appdome’s Mobile Security Suite, customers can eliminate this vulnerability in 30 seconds without coding a thing. Using Appdome’s TOTALData Encryption developers and enterprise app providers can encrypt VPN and other cookies inside the app, sealing this vulnerability once and for all. TOTALData Encryption can protect all mobile app data, including VPN and authentication cookies, no matter where the data is stored inside the Android or iOS app. For example, TOTALData Encryption can encrypt the entire mobile application sandbox. In addition, TOTALData Encryption encrypts any authentication cookies and other user preferences stored in-app preferences and in-app secrets, as well as the strings and resources inside the app, providing protection for all forms of data wherever it is stored.
In addition, every organization that offers VPN access to its employees can use Appdome’s MicroVPN service, to embed VPN capabilities inside the app itself. This eliminates the need for users to install a separate VPN client (thereby also eliminating all the operational complexity and user friction associated with separate mobile VPNs). Appdome customers also gain more flexibility because they can use any VPN vendor of choice – including the affected VPN solutions from Cisco, F5 Networks, Palo Alto Networks, and Pulse Secure. The net result is a seamless, continuous end-to-end security solution for remote access which protects corporate and user data, while simultaneously improving the overall user experience.
Security conscious organizations can also benefit from preventing mobile apps from running on a Jailbroken or Rooted devices, as well as protecting the Android and iOS apps against MiTM attacks. (both of which are common attack vectors hackers leverage to exploit VPN vulnerabilities). In addition, Appdome ONEShield™ provides app-shielding and app-hardening, protecting all mobile apps from debugging, reverse engineering and tampering efforts. TOTALCode Obfuscation protects the logic of the app and the intellectual property of the developer.
Recommendations to Protect Mobile Apps using VPNs
Appdome recommends evaluating mobile VPN architectures, with specific emphasis on how authentication and VPN cookies are stored inside mobile apps. Keep in mind that where and how a mobile app saves and protects VPN and authentication cookies can vary app by app, developer by developer, vendor by vendor, and method by method.
Security conscious organizations looking to maintain, expand or enhance mobile VPN use, should implement a common security framework to protect all authentication and VPN cookies – regardless of the app, developer, or VPN in use. While EMM and other mobile VPN offerings were not named in the advisory, the job of securing VPN and authentication cookies is on the developer. Organizations looking to protect corporate data and users should avoid vendor-specific risks and protect authentication and VPN data inside apps immediately.
To stop hackers from using this VPN vulnerability to harm corporate networks and users, organizations can use Appdome’s TOTALData Encryption and MicroVPN across all Android and iOS apps today – no code or coding required.
To eliminate the mobile VPN vulnerability today, open your Appdome account now.