Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

4/15/2020
02:00 PM
Tom Tovar
Tom Tovar
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

Man-in-the-Middle Attacks: A Growing but Preventable Mobile Threat

Hackers are upping their game, especially as they target mobile devices.

Man-in-the-middle (MitM) attacks have been in the headlines for years, but hackers are getting more sophisticated, particularly as they increasingly target mobile devices.

The nuts and bolts of a MitM attack are pretty simple. A cybercriminal intercepts the communications between a mobile user and the server the user is trying to reach. Attackers can act in two modes: active or passive. They can passively spy on communications, stealing passwords and other sensitive data. They can also actively alter information, even injecting malware into what the user thinks is a safe session.

One of the most common ways MitM attacks are launched is through "evil twin" Wi-Fi hotspots that mimic legitimate ones, enabling the attacker to view and control all traffic that passes through them.

But there are many other, more insidious means, such as SSL stripping. In this scenario, when a user makes an HTTP request to start a secure HTTPS session, the attackers intercept this request and, instead, set up a secure connection with themselves and an insecure connection with the victim. Now the attackers act as a bridge between them and is able to see all information from the victim in plaintext.

There are ways to defend against MitM. For example, mobile app developers and enterprises can implement security features to make MitM attacks essentially impossible. Unfortunately, too often these security features aren't built into an app because of a lack of security skills or pressure to meet delivery deadlines. As the Verizon Mobile Security Index 2020 report points out, 43% of organizations knowingly cut corners on mobile security to "get the job done."

As mobile continues to take hold in the ever-changing world, it's critical that mobile app developers apply new levels of protections for MitM attacks. First, developers need to be aware that there are different levels of MitM detection and protection. At the most basic level of detection, there are tools that will validate whether a certificate was issued by a legitimate certificate authority or if it is a fake certificate. Once the tool detects that it a fake certificate, it will drop the connection.

However, more sophisticated MitM attacks need more sophisticated detection and protections. For mobile apps, here are a couple of the most vital protections to include when building apps:

Enforce TLS (Transport Layer Security) cipher suites and versions: Cipher suites are a set of algorithms used to secure a TLS connection. There are hundreds of cipher suites one could use, with a wide variation in the level of security they provide. Some are quite simply insecure. It's important to establish the ciphers an app will accept to ensure that only approved, secure cipher suites will be allowed.

Likewise, older TLS versions are vulnerable to known networking attacks. It's important to limit the SSL/TLS versions of the network connections only to the approved, secure versions.

Enforce certificate roles: Unless certificates contain roles that are enforced, certificates from malicious actors can fool a mobile device into thinking a connection is trusted. Here's how: Certificates operate on a chain of trust, with "higher" certificates validating the authenticity of "lower" certificates. Ultimately, the chain of trust is founded on a certificate issued by a provider that's trusted by the platform on which an application is running.

The certificate a server presents to an end-user is called a "leaf" certificate; however, there is no functional difference between certificates, regardless of their roles. So, while leaf certificates are not meant to be used as certificate-authorities, each certificate can be used to sign another certificate. As a result, a malicious actor could obtain their own certificate, which would allow them to mount a MitM attack.

For example, a normal chain might look like this:

*.your-company-domain.com signed by "Go Daddy Secure Certificate Authority – G2" -->

"Go DaddySecure Certificate Authority – G2" signed by "Go Daddy Root Certificate Authority – G2" -->

"Go Daddy Root Certificate Authority – G2" trusted by your browser/Android/iPhone.

If malicious actors get their own certificate, however, they could intercept communications through this chain:

*.your-company-domain.com signed by *.malicious-domain.com -->

*.malicious-domain.com signed by "Go Daddy Secure Certificate Authority – G2" -->

"Go DaddySecure Certificate Authority – G2" signed by "Go Daddy Root Certificate Authority – G2" -->

"Go Daddy Root Certificate Authority – G2" trusted by your browser/Android/iPhone.

To thwart this kind of attack, each certificate must include information about its role in a common extension called "Basic-Constraints." But if a certificate does not have this extension, a TLS implementation won't enforce it.

It's critical to enforce the presence of the Basic-Constraints extension and the roles of the certificates in the chain. By enforcing roles for each certificate and network connection, the chain of trust can be maintained to prevent MitM attacks.

These basic measures lay the foundation to prevent MitM attacks, which will protect not only mobile end users but also the app maker's reputation. It may be easy to neglect mobile security in order to accelerate delivery, but once a breach occurs, regaining reputation and recouping losses is very difficult.

With advanced MitM and other security features, it's far better to ensure apps are secure in the first place.

Related Content:

A listing of free products and services compiled for Dark Reading by Omdia analysts to help meet the challenges of COVID-19. 

Tom Tovar is CEO and co-creator of Appdome, the mobile industry's first no-code mobile solutions platform. Prior to Appdome, Tom served as executive chairman of Badgeville, an enterprise engagement platform acquired by CallidusCloud; CEO of Nominum, a DNS security and ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
9 Tips to Prepare for the Future of Cloud & Network Security
Kelly Sheridan, Staff Editor, Dark Reading,  9/28/2020
Malware Attacks Declined But Became More Evasive in Q2
Jai Vijayan, Contributing Writer,  9/24/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15216
PUBLISHED: 2020-09-29
In goxmldsig (XML Digital Signatures implemented in pure Go) before version 1.1.0, with a carefully crafted XML file, an attacker can completely bypass signature validation and pass off an altered file as a signed one. A patch is available, all users of goxmldsig should upgrade to at least revisio...
CVE-2020-4607
PUBLISHED: 2020-09-29
IBM Security Secret Server (IBM Security Verify Privilege Vault Remote 1.2 ) could allow a local user to bypass security restrictions due to improper input validation. IBM X-Force ID: 184884.
CVE-2020-24565
PUBLISHED: 2020-09-29
An out-of-bounds read information disclosure vulnerabilities in Trend Micro Apex One may allow a local attacker to disclose sensitive information to an unprivileged account on vulnerable installations of the product. An attacker must first obtain the ability to execute low-privileged code on the ...
CVE-2020-25770
PUBLISHED: 2020-09-29
An out-of-bounds read information disclosure vulnerabilities in Trend Micro Apex One may allow a local attacker to disclose sensitive information to an unprivileged account on vulnerable installations of the product. An attacker must first obtain the ability to execute low-privileged code on the ...
CVE-2020-25771
PUBLISHED: 2020-09-29
An out-of-bounds read information disclosure vulnerabilities in Trend Micro Apex One may allow a local attacker to disclose sensitive information to an unprivileged account on vulnerable installations of the product. An attacker must first obtain the ability to execute low-privileged code on the ...