Security tips for mobile application developers to Prevent Mobile Phishing
SSL/TLS is everywhere. You would hope that SSL certificate validation and pinning would be everywhere too. Unfortunately, that’s not yet the case, and a lack of SSL certificate validation and pinning weakens the usefulness of a certificate in establishing trust. Phishing and pharming are unfortunately also very common, and attackers using phishing count on these weaknesses.
What is Mobile Phishing?
Mobile Phishing is a cybercrime in which an attacker impersonates a legitimate/trusted institution and uses social engineering techniques to trick users into doing what the hacker wants. The goal of phishing is usually either to trick mobile users into providing sensitive information (e.g. PII, username/password, Social Security number, banking details, credit card info, etc.) or to download/install malware (for example using a fake app, or clone, or malware embedded inside a legitimate app). There are many different forms and variants of phishing, such as spearphishing (high-value targets, usually execs), vishing (voicemail based), smishing (SMS based), and much more. Phishing is one of the most versatile and reliable attack methods hackers have in their toolbox, and it’s often used as a key ingredient in ‘blended attacks’ (such as MitM attacks, ransomware, malware/trojan propagation, session hijacking, etc.). You can think of phishing as a ‘swiss-army-knife’ of cybercrime, except that phishing actually works! Regardless of the method, once the user connects to the malicious site, the attacker attempts to harvest sensitive information or trick the user into other activities, such as downloading a trojan or other form of mobile malware.
Pharming is a variant of phishing in which the mobile user’s session is redirected to a fake, malicious website. For example, instead of my bank resolving to x.x.x.1, my bank now resolves to x.x.x.2 which is really the attacker’s fake bank site made up to look like my bank’s site.
There are some pretty creative ways for pharming and phishing to work, such as DNS spoofing (also called DNS cache poisoning). CSO Online published a nice article on the Top 14 Real-World Phishing Attacks, so you can get a feel for just how practical, versatile, reliable, and lucrative phishing can be to a hacker.
How SSL Certificate Validation & Pinning Can Be Used to Prevent Phishing
SSL certificate validation helps to ensure that the SSL certificate presented by a server, which links details about an organization with a cryptographic key, is valid. In other words, it helps ensure your app is talking to a server with an authentic certificate. It can further go on to pin (link) a host to a specific certificate in your app, so that a mismatch, such as in the case of a pharming attack, will generate an alert or trigger another action based on how you implement the feature on Appdome.
SSL Certificate validation and pinning can be used together to combat mobile pharming by determining “yes” the certificate is authentic and “yes” the expected host is the host that the app is connected to. If it doesn’t match, the app will either terminate itself or drop/deny the session (after alerting the mobile user).
How to Add Certificate Validation & Certificate Pinning to Any iOS & Android App without Coding
Appdome’s no-code mobile development and security platform enables developers and security folks to implement their choice of mobile security features (including SSL Certificate Validation and Certificate Pinning and many other features) in any iOS or Android app in minutes, without coding. This prevents mobile Phishing and Pharming by always ensuring that the SSL/TLS certificate of the server is valid and has not been tampered with by attackers.
When you build a mobile app with SSL certificate validation, your app’s SSL certificates are validated to ensure they are authentic every time a user fires up your app. If the certificate validation fails, e.g. because of a fraudulent certificate, the session will be blocked or dropped, and a notification will be displayed to the mobile app user.
In addition, you can also add certificate pinning to any app for additional protection. This is the process of linking a host to a specific certificate or a CA (Certificate Authority). Even if a specific host is whitelisted (which I’ve blogged about previously), pinning helps to ensure that the destination matches the originally pinned certificate your app expects.
In the case of pharming that’s achieved via DNS spoofing, your Appdome-built app will detect the inconsistencies. This is because the pharming site is fake and is not the legitimate website pinned to the certificate. The app will then alert the user. This is also useful for attacks where sessions terminate on a malicious proxy as part of a Mobile MitM attack (aka: Man-in-the-Middle attack).
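As an added illustration of the two checks described above (ordinary certificate validation first, then pinning), here is a small Python model written for this post; it is not Appdome’s implementation, and the certificate fields, SPKI bytes, trust store and pins are constructed stand-ins rather than real X.509 parsing. It shows why a fraudulent certificate for the right hostname can pass validation yet still be caught by the pin.

```python
import base64
import hashlib
from datetime import datetime, timezone

TRUSTED_ISSUERS = {"Example Root CA"}  # assumed trust store for this example

def spki_pin(spki_der: bytes) -> str:
    # Same pin format as Android Network Security Config / OkHttp: base64(SHA-256(SPKI))
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def hostname_matches(host: str, sans: list) -> bool:
    host = host.lower()
    for san in (s.lower() for s in sans):
        if san.startswith("*."):          # a wildcard covers exactly one label
            if "." in host and host.split(".", 1)[1] == san[2:]:
                return True
        elif san == host:
            return True
    return False

def validate_certificate(cert: dict, host: str, now: datetime):
    """Ordinary validation: trusted issuer, inside validity window, name matches."""
    if cert["issuer"] not in TRUSTED_ISSUERS:
        return "untrusted issuer"
    if not cert["not_before"] <= now <= cert["not_after"]:
        return "expired or not yet valid"
    if not hostname_matches(host, cert["san"]):
        return "hostname mismatch"
    return None

def check_connection(cert: dict, host: str, pins: dict, now: datetime):
    """Return (allow, reason). On False the app should drop the session and tell the user."""
    problem = validate_certificate(cert, host, now)
    if problem:
        return False, "certificate validation failed: " + problem
    expected = pins.get(host)
    if expected and spki_pin(cert["spki"]) not in expected:
        return False, "pin mismatch: server key is not the one the app expects"
    return True, "ok"

# Constructed sample data: the SPKI byte strings stand in for real DER-encoded public keys.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
GENUINE_SPKI, ROGUE_SPKI = b"genuine-bank-spki", b"attacker-spki"
PINS = {"mobile.bank.example": {spki_pin(GENUINE_SPKI)}}
GENUINE_CERT = {"issuer": "Example Root CA", "san": ["*.bank.example"], "spki": GENUINE_SPKI,
                "not_before": datetime(2024, 1, 1, tzinfo=timezone.utc),
                "not_after": datetime(2025, 1, 1, tzinfo=timezone.utc)}
# Pharming case: a fraudulent cert for the same name from a trusted CA passes validation but fails the pin.
FRAUD_CERT = dict(GENUINE_CERT, spki=ROGUE_SPKI)
SELF_SIGNED = dict(GENUINE_CERT, issuer="Attacker CA", spki=ROGUE_SPKI)
```

Calling check_connection with each of the three sample certificates against "mobile.bank.example" allows only GENUINE_CERT; the other two are refused with a reason the app can show to the user.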
Developers or security folks can implement certificate pinning and validation either standalone, or in combination with other Appdome security features, such as anti-tampering, data-at-rest encryption, or code obfuscation – all without any coding or development effort. This enables developers to increase the security of their app and build a layered defense in minutes, all within the existing app lifecycle – delivering continuous security without changing any app development or delivery workflows or processes!
Check out our free Developers Guide to Mobile App Security to understand why mobile app security is so important, and see how no-code mobile app security makes it easy for mobile app developers to secure their apps from the get-go!
Thanks for reading! This blog is part of Appdome’s Mobile Security Basics category, which is appropriate for readers of any level to increase their Mobile Security knowledge.
Drop me a line with any comments!
Stay Safe and Build Secure!