
October 10, 2016

Man in the Middle & mobile apps

The growth in the number of public Wi-Fi hotspots across the world exposes more mobile phone owners to Man in the Middle (MiTM) attacks and shows the need for mobile app security testing of Transport Layer Security. Public Wi-Fi hotspots have grown 568% since 2013; there are now 177,418,979 of them, any of which might be used to launch a MiTM attack.

MiTM attacks are a problem across devices and have now made their way to mobile. The attack, also known as a malicious proxy, intercepts communications between a sender and a receiver, and it is now a serious issue that mobile apps are vulnerable to.

A malicious proxy gives a third party a way to intercept, send, change, and receive data without the sender's or receiver's knowledge. The problem stems from people using public Wi-Fi combined with the high number of iOS and Android apps that fail to validate server certificates. This security issue is quite simple to check for in mobile app security testing.

To stop these attacks we need to understand how the app authenticates the server. The most common method is to enable certificate pinning, which ensures that the device is communicating with its intended counterpart. Certificate pinning ties the expected certificate to the receiver's host name, so the app only talks to the server it was built to talk to.

Certificate pinning needs to be implemented during development and checked during mobile app security testing.

Most important of all, pin the certificate to the server's hostname and validate that the certificate chains to a legitimate root authority. All of these controls should be built into the mobile app and checked with rigorous mobile app security testing.
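A minimal pin check of the kind described above, as an added example that is not Codified Security's code: the platform still performs chain and hostname validation, and on top of that the app compares the SHA-256 of the server's SubjectPublicKeyInfo against a pin set that includes a backup pin. The host, port, pins and the sample certificate skeleton are constructed placeholders, not real values.

```python
import base64, hashlib, hmac, socket, ssl

def der_children(blob):
    """Yield (tag, whole_tlv, body) for each element in a DER sequence body."""
    i = 0
    while i < len(blob):
        tag, n, hdr = blob[i], blob[i + 1], 2
        if n & 0x80:                      # long-form length
            k = n & 0x7F
            n = int.from_bytes(blob[i + 2:i + 2 + k], "big")
            hdr += k
        yield tag, blob[i:i + hdr + n], blob[i + hdr:i + hdr + n]
        i += hdr + n

def spki_from_der(cert_der):
    """Certificate -> tbsCertificate -> subjectPublicKeyInfo (the bytes to pin)."""
    _, _, cert_body = next(der_children(cert_der))
    _, _, tbs_body = next(der_children(cert_body))
    fields = list(der_children(tbs_body))
    if fields[0][0] == 0xA0:              # skip optional [0] EXPLICIT version
        fields = fields[1:]
    return fields[5][1]                   # serial, sigAlg, issuer, validity, subject, SPKI

def spki_pin(cert_der):
    return base64.b64encode(hashlib.sha256(spki_from_der(cert_der)).digest()).decode()

def pin_matches(cert_der, pins):
    """Constant-time compare; either the primary or the backup pin may match."""
    pin = spki_pin(cert_der)
    return any(hmac.compare_digest(pin, p) for p in pins)

def connect_pinned(host, port, pins):
    """Platform chain + hostname validation first, SPKI pin on top; fail closed."""
    ctx = ssl.create_default_context()     # CERT_REQUIRED, check_hostname=True
    sock = ctx.wrap_socket(socket.create_connection((host, port)), server_hostname=host)
    if not pin_matches(sock.getpeercert(binary_form=True), pins):
        sock.close()
        raise ssl.SSLError(f"SPKI pin mismatch for {host}")
    return sock

def tlv(tag, body):                        # short-form DER encoder for sample data only
    return bytes([tag, len(body)]) + body

def sample_cert(key_bits):
    """Constructed certificate skeleton with the real DER field order (not a valid cert)."""
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010101")) + tlv(0x05, b""))
    spki = tlv(0x30, alg + tlv(0x03, b"\x00" + key_bits))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg
              + tlv(0x30, b"") * 3 + spki)
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00" * 9))
```

A pinned connection would be opened with `connect_pinned("api.example.com", 443, {spki_pin(current_cert_der), backup_pin})`, where the backup pin belongs to a key held offline for rotation.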

Codified Security is here to help make your mobile app secure whether it’s for iOS, Android, or to make sure you’re clearing the OWASP Mobile Top 10. For mobile app security testing try out Codified Security.