Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

4/15/2020
02:00 PM
Tom Tovar
Tom Tovar
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

Man-in-the-Middle Attacks: A Growing but Preventable Mobile Threat

Hackers are upping their game, especially as they target mobile devices.

Man-in-the-middle (MitM) attacks have been in the headlines for years, but hackers are getting more sophisticated, particularly as they increasingly target mobile devices.

The nuts and bolts of a MitM attack are pretty simple. A cybercriminal intercepts the communications between a mobile user and the server the user is trying to reach. Attackers can act in two modes: active or passive. They can passively spy on communications, stealing passwords and other sensitive data. They can also actively alter information, even injecting malware into what the user thinks is a safe session.

One of the most common ways MitM attacks are launched is through "evil twin" Wi-Fi hotspots that mimic legitimate ones, enabling the attacker to view and control all traffic that passes through them.

But there are many other, more insidious means, such as SSL stripping. In this scenario, when a user makes an HTTP request to start a secure HTTPS session, the attackers intercept this request and, instead, set up a secure connection with themselves and an insecure connection with the victim. Now the attackers act as a bridge between them and is able to see all information from the victim in plaintext.

There are ways to defend against MitM. For example, mobile app developers and enterprises can implement security features to make MitM attacks essentially impossible. Unfortunately, too often these security features aren't built into an app because of a lack of security skills or pressure to meet delivery deadlines. As the Verizon Mobile Security Index 2020 report points out, 43% of organizations knowingly cut corners on mobile security to "get the job done."

As mobile continues to take hold in the ever-changing world, it's critical that mobile app developers apply new levels of protections for MitM attacks. First, developers need to be aware that there are different levels of MitM detection and protection. At the most basic level of detection, there are tools that will validate whether a certificate was issued by a legitimate certificate authority or if it is a fake certificate. Once the tool detects that it a fake certificate, it will drop the connection.

However, more sophisticated MitM attacks need more sophisticated detection and protections. For mobile apps, here are a couple of the most vital protections to include when building apps:

Enforce TLS (Transport Layer Security) cipher suites and versions: Cipher suites are a set of algorithms used to secure a TLS connection. There are hundreds of cipher suites one could use, with a wide variation in the level of security they provide. Some are quite simply insecure. It's important to establish the ciphers an app will accept to ensure that only approved, secure cipher suites will be allowed.

Likewise, older TLS versions are vulnerable to known networking attacks. It's important to limit the SSL/TLS versions of the network connections only to the approved, secure versions.

Enforce certificate roles: Unless certificates contain roles that are enforced, certificates from malicious actors can fool a mobile device into thinking a connection is trusted. Here's how: Certificates operate on a chain of trust, with "higher" certificates validating the authenticity of "lower" certificates. Ultimately, the chain of trust is founded on a certificate issued by a provider that's trusted by the platform on which an application is running.

The certificate a server presents to an end-user is called a "leaf" certificate; however, there is no functional difference between certificates, regardless of their roles. So, while leaf certificates are not meant to be used as certificate-authorities, each certificate can be used to sign another certificate. As a result, a malicious actor could obtain their own certificate, which would allow them to mount a MitM attack.

For example, a normal chain might look like this:

*.your-company-domain.com signed by "Go Daddy Secure Certificate Authority – G2" -->

"Go DaddySecure Certificate Authority – G2" signed by "Go Daddy Root Certificate Authority – G2" -->

"Go Daddy Root Certificate Authority – G2" trusted by your browser/Android/iPhone.

If malicious actors get their own certificate, however, they could intercept communications through this chain:

*.your-company-domain.com signed by *.malicious-domain.com -->

*.malicious-domain.com signed by "Go Daddy Secure Certificate Authority – G2" -->

"Go DaddySecure Certificate Authority – G2" signed by "Go Daddy Root Certificate Authority – G2" -->

"Go Daddy Root Certificate Authority – G2" trusted by your browser/Android/iPhone.

To thwart this kind of attack, each certificate must include information about its role in a common extension called "Basic-Constraints." But if a certificate does not have this extension, a TLS implementation won't enforce it.

It's critical to enforce the presence of the Basic-Constraints extension and the roles of the certificates in the chain. By enforcing roles for each certificate and network connection, the chain of trust can be maintained to prevent MitM attacks.

These basic measures lay the foundation to prevent MitM attacks, which will protect not only mobile end users but also the app maker's reputation. It may be easy to neglect mobile security in order to accelerate delivery, but once a breach occurs, regaining reputation and recouping losses is very difficult.

With advanced MitM and other security features, it's far better to ensure apps are secure in the first place.

Related Content:

A listing of free products and services compiled for Dark Reading by Omdia analysts to help meet the challenges of COVID-19. 

Tom Tovar is CEO and co-creator of Appdome, the mobile industry's first no-code mobile solutions platform. Prior to Appdome, Tom served as executive chairman of Badgeville, an enterprise engagement platform acquired by CallidusCloud; CEO of Nominum, a DNS security and ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 6/3/2020
Stay-at-Home Orders Coincide With Massive DNS Surge
Robert Lemos, Contributing Writer,  5/27/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-20811
PUBLISHED: 2020-06-03
An issue was discovered in the Linux kernel before 5.0.6. In rx_queue_add_kobject() and netdev_queue_add_kobject() in net/core/net-sysfs.c, a reference count is mishandled, aka CID-a3e23f719f5c.
CVE-2019-20812
PUBLISHED: 2020-06-03
An issue was discovered in the Linux kernel before 5.4.7. The prb_calc_retire_blk_tmo() function in net/packet/af_packet.c can result in a denial of service (CPU consumption and soft lockup) in a certain failure case involving TPACKET_V3, aka CID-b43d1f9f7067.
CVE-2020-13776
PUBLISHED: 2020-06-03
systemd through v245 mishandles numerical usernames such as ones composed of decimal digits or 0x followed by hex digits, as demonstrated by use of root privileges when privileges of the 0x0 user account were intended. NOTE: this issue exists because of an incomplete fix for CVE-2017-1000082.
CVE-2019-20810
PUBLISHED: 2020-06-03
go7007_snd_init in drivers/media/usb/go7007/snd-go7007.c in the Linux kernel before 5.6 does not call snd_card_free for a failure path, which causes a memory leak, aka CID-9453264ef586.
CVE-2020-4026
PUBLISHED: 2020-06-03
The CustomAppsRestResource list resource in Atlassian Navigator Links before version 3.3.23, from version 4.0.0 before version 4.3.7, from version 5.0.0 before 5.0.1, and from version 5.1.0 before 5.1.1 allows remote attackers to enumerate all linked applications, including those that are restricted...