Man-in-the-Middle Attacks: A Growing but Preventable Mobile Threat

Hackers are upping their game, especially as they target mobile devices.

Tom Tovar, CEO & Co-Creator, Appdome

April 15, 2020

5 Min Read
Dark Reading logo in a gray background | Dark Reading

Man-in-the-middle (MitM) attacks have been in the headlines for years, but hackers are getting more sophisticated, particularly as they increasingly target mobile devices.

The nuts and bolts of a MitM attack are pretty simple. A cybercriminal intercepts the communications between a mobile user and the server the user is trying to reach. Attackers can act in two modes: active or passive. They can passively spy on communications, stealing passwords and other sensitive data. They can also actively alter information, even injecting malware into what the user thinks is a safe session.

One of the most common ways MitM attacks are launched is through "evil twin" Wi-Fi hotspots that mimic legitimate ones, enabling the attacker to view and control all traffic that passes through them.

But there are many other, more insidious means, such as SSL stripping. In this scenario, when a user makes an HTTP request to start a secure HTTPS session, the attackers intercept this request and, instead, set up a secure connection with themselves and an insecure connection with the victim. Now the attackers act as a bridge between them and is able to see all information from the victim in plaintext.

There are ways to defend against MitM. For example, mobile app developers and enterprises can implement security features to make MitM attacks essentially impossible. Unfortunately, too often these security features aren't built into an app because of a lack of security skills or pressure to meet delivery deadlines. As the Verizon Mobile Security Index 2020 report points out, 43% of organizations knowingly cut corners on mobile security to "get the job done."

As mobile continues to take hold in the ever-changing world, it's critical that mobile app developers apply new levels of protections for MitM attacks. First, developers need to be aware that there are different levels of MitM detection and protection. At the most basic level of detection, there are tools that will validate whether a certificate was issued by a legitimate certificate authority or if it is a fake certificate. Once the tool detects that it a fake certificate, it will drop the connection.

However, more sophisticated MitM attacks need more sophisticated detection and protections. For mobile apps, here are a couple of the most vital protections to include when building apps:

Enforce TLS (Transport Layer Security) cipher suites and versions: Cipher suites are a set of algorithms used to secure a TLS connection. There are hundreds of cipher suites one could use, with a wide variation in the level of security they provide. Some are quite simply insecure. It's important to establish the ciphers an app will accept to ensure that only approved, secure cipher suites will be allowed.

Likewise, older TLS versions are vulnerable to known networking attacks. It's important to limit the SSL/TLS versions of the network connections only to the approved, secure versions.

Enforce certificate roles: Unless certificates contain roles that are enforced, certificates from malicious actors can fool a mobile device into thinking a connection is trusted. Here's how: Certificates operate on a chain of trust, with "higher" certificates validating the authenticity of "lower" certificates. Ultimately, the chain of trust is founded on a certificate issued by a provider that's trusted by the platform on which an application is running.

The certificate a server presents to an end-user is called a "leaf" certificate; however, there is no functional difference between certificates, regardless of their roles. So, while leaf certificates are not meant to be used as certificate-authorities, each certificate can be used to sign another certificate. As a result, a malicious actor could obtain their own certificate, which would allow them to mount a MitM attack.

For example, a normal chain might look like this:

*.your-company-domain.com signed by "Go Daddy Secure Certificate Authority – G2" -->

"Go DaddySecure Certificate Authority – G2" signed by "Go Daddy Root Certificate Authority – G2" -->

"Go Daddy Root Certificate Authority – G2" trusted by your browser/Android/iPhone.

If malicious actors get their own certificate, however, they could intercept communications through this chain:

*.your-company-domain.com signed by *.malicious-domain.com -->

*.malicious-domain.com signed by "Go Daddy Secure Certificate Authority – G2" -->

"Go DaddySecure Certificate Authority – G2" signed by "Go Daddy Root Certificate Authority – G2" -->

"Go Daddy Root Certificate Authority – G2" trusted by your browser/Android/iPhone.

To thwart this kind of attack, each certificate must include information about its role in a common extension called "Basic-Constraints." But if a certificate does not have this extension, a TLS implementation won't enforce it.

It's critical to enforce the presence of the Basic-Constraints extension and the roles of the certificates in the chain. By enforcing roles for each certificate and network connection, the chain of trust can be maintained to prevent MitM attacks.

These basic measures lay the foundation to prevent MitM attacks, which will protect not only mobile end users but also the app maker's reputation. It may be easy to neglect mobile security in order to accelerate delivery, but once a breach occurs, regaining reputation and recouping losses is very difficult.

With advanced MitM and other security features, it's far better to ensure apps are secure in the first place.

Related Content:

A listing of free products and services compiled for Dark Reading by Omdia analysts to help meet the challenges of COVID-19. 

About the Author

Tom Tovar

CEO & Co-Creator, Appdome

Tom Tovar is the co-creator and CEO of Appdome, a one-stop shop for mobile app defense. He's a self-taught product creator, mobile app coder, hacker. He's serves as product advisor on several venture funded cyber companies, and previously as executive chairman of Badgeville, an enterprise digital motivation platform acquired by CallidusCloud, in several executive positions, including CEO, of Nominum, an intelligent-DNS security and services provider that was acquired by Akamai, and chief compliance officer, and operational executive in charge of business and corporate development, legal and channel at Netscreen Technologies acquired by Juniper Networks for $5B. He began his career as a corporate and securities attorney with Cooley Godward LLP. Tovar holds a JD from Stanford Law School and a BBA in finance and accounting from the University of Houston.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights