
Endpoint | Commentary
4/15/2020 02:00 PM
Tom Tovar

Man-in-the-Middle Attacks: A Growing but Preventable Mobile Threat

Hackers are upping their game, especially as they target mobile devices.

Man-in-the-middle (MitM) attacks have been in the headlines for years, but hackers are getting more sophisticated, particularly as they increasingly target mobile devices.

The nuts and bolts of a MitM attack are pretty simple. A cybercriminal intercepts the communications between a mobile user and the server the user is trying to reach. Attackers can act in two modes: active or passive. They can passively spy on communications, stealing passwords and other sensitive data. They can also actively alter information, even injecting malware into what the user thinks is a safe session.

One of the most common ways MitM attacks are launched is through "evil twin" Wi-Fi hotspots that mimic legitimate ones, enabling the attacker to view and control all traffic that passes through them.

But there are many other, more insidious means, such as SSL stripping. In this scenario, when a user makes an HTTP request to start a secure HTTPS session, the attackers intercept this request and, instead, set up a secure connection with the server for themselves and an insecure connection with the victim. The attackers now act as a bridge between the two and are able to see all information from the victim in plaintext.

There are ways to defend against MitM. For example, mobile app developers and enterprises can implement security features to make MitM attacks essentially impossible. Unfortunately, too often these security features aren't built into an app because of a lack of security skills or pressure to meet delivery deadlines. As the Verizon Mobile Security Index 2020 report points out, 43% of organizations knowingly cut corners on mobile security to "get the job done."

As mobile continues to take hold in the ever-changing world, it's critical that mobile app developers apply new levels of protection against MitM attacks. First, developers need to be aware that there are different levels of MitM detection and protection. At the most basic level of detection, there are tools that will validate whether a certificate was issued by a legitimate certificate authority or whether it is a fake certificate. Once the tool detects that it is a fake certificate, it will drop the connection.

However, more sophisticated MitM attacks need more sophisticated detection and protections. For mobile apps, here are a couple of the most vital protections to include when building apps:

Enforce TLS (Transport Layer Security) cipher suites and versions: Cipher suites are a set of algorithms used to secure a TLS connection. There are hundreds of cipher suites one could use, with a wide variation in the level of security they provide. Some are quite simply insecure. It's important to establish the ciphers an app will accept to ensure that only approved, secure cipher suites will be allowed.

Likewise, older TLS versions are vulnerable to known networking attacks. It's important to limit the SSL/TLS versions of the network connections only to the approved, secure versions.
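As an added example (not part of the original article), here is how the two controls above look in Python's standard `ssl` module: a client context pinned to TLS 1.2 or later and to an approved cipher list, beside the "no validation" context a rushed app often ships, and an audit function that reports the MitM-relevant weaknesses of any context. The cipher string and the weak-suite markers are assumptions chosen for this example.

```python
import ssl
from typing import List

# Approved suites for TLS 1.2: forward-secret ECDHE key exchange with AEAD bulk
# ciphers only. TLS 1.3 suites are all AEAD and are not governed by set_ciphers().
APPROVED_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5"
# Substrings that mark a suite as unacceptable (assumed list for this example).
WEAK_MARKERS = ("RC4", "DES", "NULL", "MD5", "EXPORT", "ADH", "AECDH", "PSK")


def hardened_client_context() -> ssl.SSLContext:
    """Client context that only negotiates approved TLS versions and suites."""
    ctx = ssl.create_default_context()            # verifies chain + hostname by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSL, TLS 1.0 and TLS 1.1
    ctx.set_ciphers(APPROVED_CIPHERS)             # restrict TLS 1.2 suites
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """The kind of context that accepts an evil-twin or SSL-stripping proxy:
    certificate validation switched off to 'make it work'."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the MitM-relevant weaknesses of a context (empty list = passes)."""
    issues: List[str] = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        issues.append("verify_mode is not CERT_REQUIRED: any certificate is accepted")
    if not ctx.check_hostname:
        issues.append("check_hostname is off: a certificate for another name is accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        issues.append(f"minimum_version {ctx.minimum_version.name} allows legacy TLS")
    for suite in ctx.get_ciphers():  # suites the context would actually offer
        if any(marker in suite["name"] for marker in WEAK_MARKERS):
            issues.append(f"weak cipher suite enabled: {suite['name']}")
    return issues


if __name__ == "__main__":
    print("hardened:", audit_context(hardened_client_context()) or "no issues")
    print("weak:", audit_context(weak_client_context()))
```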

Enforce certificate roles: Unless certificates contain roles that are enforced, certificates from malicious actors can fool a mobile device into thinking a connection is trusted. Here's how: Certificates operate on a chain of trust, with "higher" certificates validating the authenticity of "lower" certificates. Ultimately, the chain of trust is founded on a certificate issued by a provider that's trusted by the platform on which an application is running.

The certificate a server presents to an end user is called a "leaf" certificate; however, there is no functional difference between certificates, regardless of their roles. So, while leaf certificates are not meant to be used as certificate authorities, each certificate can be used to sign another certificate. As a result, a malicious actor could obtain an ordinary certificate of their own and use it to sign one for your domain, which would allow them to mount a MitM attack.

For example, a normal chain might look like this:

*.your-company-domain.com signed by "Go Daddy Secure Certificate Authority – G2" -->

"Go Daddy Secure Certificate Authority – G2" signed by "Go Daddy Root Certificate Authority – G2" -->

"Go Daddy Root Certificate Authority – G2" trusted by your browser/Android/iPhone.

If malicious actors get their own certificate, however, they could intercept communications through this chain:

*.your-company-domain.com signed by *.malicious-domain.com -->

*.malicious-domain.com signed by "Go Daddy Secure Certificate Authority – G2" -->

"Go Daddy Secure Certificate Authority – G2" signed by "Go Daddy Root Certificate Authority – G2" -->

"Go Daddy Root Certificate Authority – G2" trusted by your browser/Android/iPhone.

To thwart this kind of attack, each certificate must include information about its role in a common extension called "Basic-Constraints." But if a certificate does not have this extension, a TLS implementation that merely checks signatures won't enforce any role at all.

It's critical to enforce the presence of the Basic-Constraints extension and the roles of the certificates in the chain. By enforcing roles for each certificate and network connection, the chain of trust can be maintained to prevent MitM attacks.
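As an added example (not the article's or any vendor's code), here is the role check in Python, run over the two chains shown above. It operates on fields an X.509 parser would already have extracted (subject, issuer, and the Basic-Constraints CA flag and pathLenConstraint); the chain entries, the trust store and the pathLenConstraint value on the issuing CA are constructed for this example.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class CertInfo:
    """Parsed fields of one certificate (constructed for this example)."""
    subject: str
    issuer: str
    ca: Optional[bool]             # None = Basic-Constraints extension absent
    pathlen: Optional[int] = None  # pathLenConstraint, if the extension carries one


# Hypothetical platform trust store: only the root the article names is trusted.
TRUST_STORE = {"Go Daddy Root Certificate Authority - G2"}


def check_chain_roles(chain: List[CertInfo], trust_store=TRUST_STORE) -> List[str]:
    """Walk a chain ordered leaf -> root and return every role violation found.
    An empty list means every signer is a real CA and the chain ends at a trusted root."""
    problems: List[str] = []
    if not chain:
        return ["empty chain"]
    for i, cert in enumerate(chain):
        if i + 1 < len(chain) and chain[i + 1].subject != cert.issuer:
            problems.append(f"{cert.subject}: issuer {cert.issuer!r} is not the next cert")
        if i == 0:
            continue  # the leaf signs nothing, so its role is not checked here
        signed = chain[i - 1].subject
        if cert.ca is None:
            problems.append(f"{cert.subject}: no Basic-Constraints extension, yet it signed {signed}")
        elif not cert.ca:
            problems.append(f"{cert.subject}: Basic-Constraints CA=FALSE, yet it signed {signed}")
        elif cert.pathlen is not None and (i - 1) > cert.pathlen:
            # pathlen bounds the number of intermediates below this CA; i - 1 sit below it here
            problems.append(f"{cert.subject}: pathLenConstraint {cert.pathlen} exceeded")
    if chain[-1].subject not in trust_store:
        problems.append(f"{chain[-1].subject}: not a trusted root")
    return problems


ROOT = CertInfo("Go Daddy Root Certificate Authority - G2", "Go Daddy Root Certificate Authority - G2", ca=True)
ISSUING_CA = CertInfo("Go Daddy Secure Certificate Authority - G2", ROOT.subject, ca=True, pathlen=0)
LEGIT_CHAIN = [CertInfo("*.your-company-domain.com", ISSUING_CA.subject, ca=False), ISSUING_CA, ROOT]
# The attacker's own leaf certificate, issued normally but lacking Basic-Constraints.
ROGUE_LEAF = CertInfo("*.malicious-domain.com", ISSUING_CA.subject, ca=None)
ROGUE_CHAIN = [CertInfo("*.your-company-domain.com", ROGUE_LEAF.subject, ca=False), ROGUE_LEAF, ISSUING_CA, ROOT]

if __name__ == "__main__":
    print("legit:", check_chain_roles(LEGIT_CHAIN) or "accepted")
    print("rogue:", check_chain_roles(ROGUE_CHAIN) or "accepted")
```

The rogue chain is rejected twice over: the malicious leaf carries no Basic-Constraints extension, and the issuing CA's pathLenConstraint of 0 forbids any intermediate beneath it.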

These basic measures lay the foundation to prevent MitM attacks, which will protect not only mobile end users but also the app maker's reputation. It may be easy to neglect mobile security in order to accelerate delivery, but once a breach occurs, regaining reputation and recouping losses is very difficult.

With advanced MitM protections and other security features readily available, it's far better to ensure apps are secure in the first place.

Tom Tovar is CEO and co-creator of Appdome, the mobile industry's first no-code mobile solutions platform. Prior to Appdome, Tom served as executive chairman of Badgeville, an enterprise engagement platform acquired by CallidusCloud; CEO of Nominum, a DNS security and ...