The Department of Homeland Security’s April 12 alert on VPN app security caught our attention.
In it, the Cybersecurity and Infrastructure Security Agency (CISA) pointed to a Vulnerability Note from Carnegie Mellon’s CERT Coordination Center that stated: “multiple VPN applications store the authentication and/or session cookies insecurely in memory and/or log files.” And that “if an attacker has persistent access to a VPN user’s endpoint or exfiltrates the cookie using other methods, they can replay the session and bypass other authentication methods. An attacker would then have access to the same applications that the user does through their VPN session.”
The alert covered solutions from Cisco, F5 Networks, Palo Alto Networks, and Pulse Secure.
As SDX Central states, the vulnerable VPN products store authentication and/or session cookies insecurely in memory and/or log files. Because the cookies these VPNs generate are stored in plain text, anyone who obtains them gains access to applications without having to log in.
A determined hacker trying to access privileged information only needs one compromised device. From there, they read the session cookies and use the VPN connection to gain full network access, leaving them free to do whatever damage they intend: stealing confidential information, destroying data, holding an entire network hostage, or launching a further malicious attack.
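As an added illustration of the problem the advisory describes (example code written for this post, not Appdome's or any affected vendor's), the script below audits a VPN client's text artefacts, such as debug logs or plaintext preference files, for session and authentication cookies written in the clear, and shows the redacting filter that should sit in front of any logging call. The log lines and cookie names are constructed for the example.

```python
"""Audit text artefacts of a VPN client for cookies stored in the clear, and
demonstrate the log filter that keeps cookie values out of logs. Added example."""
import re

# Constructed sample of what a VPN client might write to a debug log.
# Cookie names and values are made up for the example.
SAMPLE_LOG = """\
2019-04-12 10:01:03 INFO  connecting to vpn.example.test
2019-04-12 10:01:04 DEBUG < Set-Cookie: vpnsession=9f2c6a0e41b7; Secure; HttpOnly
2019-04-12 10:01:04 DEBUG > Cookie: vpnsession=9f2c6a0e41b7; authtoken=e1d4c3b2a1
2019-04-12 10:01:05 INFO  tunnel established
"""

# Header line carrying cookies, and the name=value pairs inside it. Attributes
# such as Secure or HttpOnly carry no '=' and are therefore not matched by PAIR.
COOKIE_HEADER = re.compile(r"(?i)\b(set-cookie|cookie):\s*(.+)")
PAIR = re.compile(r"([^\s;=]+)=([^;]+)")


def find_plaintext_cookies(text):
    """Return (line_number, cookie_name, value) for every cookie value that
    appears verbatim in the text. Each hit is a replayable credential at rest."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = COOKIE_HEADER.search(line)
        if not m:
            continue
        for name, value in PAIR.findall(m.group(2)):
            findings.append((lineno, name, value.strip()))
    return findings


def redact_cookie_values(line):
    """Logging filter: keep the cookie name (still useful for debugging) but
    never the value. Apply before any header is written to a log or crash report."""
    m = COOKIE_HEADER.search(line)
    if not m:
        return line
    redacted = PAIR.sub(lambda p: f"{p.group(1)}=<redacted>", m.group(2))
    return line[: m.start(2)] + redacted


if __name__ == "__main__":
    for lineno, name, _ in find_plaintext_cookies(SAMPLE_LOG):
        print(f"line {lineno}: cookie '{name}' stored in the clear")
    for line in SAMPLE_LOG.splitlines():
        print(redact_cookie_values(line))
```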
Eliminating the Risks for Mobile Apps
With Appdome’s Mobile Security Suite, this vulnerability is eliminated in 30 seconds without coding a thing. Using Appdome’s TOTALData Encryption, developers and enterprise app providers can encrypt VPN and other cookies inside the app, sealing this vulnerability once and for all. TOTALData Encryption can protect all mobile app data, including VPN and authentication cookies, no matter where the data is stored inside the Android or iOS app. For example, TOTALData Encryption can encrypt the entire mobile application sandbox. In addition, TOTALData Encryption can encrypt any VPN or authentication cookies stored in in-app preferences and in-app secrets, as well as the strings and resources inside the app. Any place VPN or authentication data is stored in the mobile app, that data is protected.
In addition, every organization that offers VPN access to its employees can use Appdome’s MicroVPN service, which embeds the VPN capability inside the app itself. This eliminates the external vulnerability in separate VPN clients and protects the session and authentication data end-to-end. An added benefit is that users need not run a separate VPN client on their mobile device and can avoid VPN back-end concentrators from affected vendors. The net result is a more secure mobile VPN implementation and better user experience, using any VPN vendor of choice – including the affected VPN solutions from Cisco, F5 Networks, Palo Alto Networks and Pulse Secure.
Security conscious organizations can also benefit from preventing mobile apps from running on jailbroken or rooted devices, as well as protecting the Android and iOS apps against MiTM attacks, two ways (other than stealing the device) hackers use to take advantage of the VPN vulnerability. In addition, Appdome ONEShield™ can fully harden the mobile app against debugging, reversing and tampering efforts. TOTALCode Obfuscation protects the logic of the app and the intellectual property of the developer.
Recommendations to Protect Mobile Apps using VPNs
Appdome recommends evaluating mobile VPN architectures, with specific emphasis on how authentication and VPN cookies are stored inside mobile apps. Keep in mind that where and how a mobile app saves and protects VPN and authentication cookies can vary app by app, developer by developer, vendor by vendor, and method by method.
Security conscious organizations looking to maintain, expand or enhance mobile VPN use should implement a common security framework to protect all authentication and VPN cookies – regardless of the app, developer, or VPN in use. While EMM and other mobile VPN offerings were not named in the advisory, the job of securing VPN and authentication cookies falls on the developer. Organizations looking to protect corporate data and users should avoid vendor-specific risks and protect authentication and VPN data inside apps immediately.
To stop hackers from using this VPN vulnerability to harm corporate networks and users, organizations can use Appdome’s TOTALData Encryption and MicroVPN across all Android and iOS apps today – no code or coding required.
To eliminate the mobile VPN vulnerability today, open your Appdome account now.