Mobile App Security - Want to Be a “Man in the Middle” of a Mobile Communication? It’s Easier Than You Think
Mobiles are everywhere nowadays and a central part of almost everyone’s lives. In fact, we are using them for everything - both for personal and business purposes. From streaming media entertains us on our way to work, to chatting with friends and family, to sending emails at work - mobiles are now effectively computers on the go. According to Cisco "The Zettabyte Era—Trends and Analysis"  study, we are using mobile access more and more. And this trend will continue well into the future.
Our productivity, accessibility, and attainability rely on mobile apps. The connecting process to a mobile network is transparent and invisible. The same applies to all other services that we consume. Everything is fast, invisible and already set. We are consumers of this myriad of mobile services without ever thinking about what could happen if someone were to intercept that connection.
So how come we hear about data leaks like the thefts celebrities' private photos theft, stolen identities, unauthorized bank transfers, and millions of customer records being stolen from large companies?
Data security - What happens to your data?
The data-in-motion - that is, data that flows from your mobile app to the server and back - travels across the world. It is transferred over your local WiFi network or via your mobile connection to the operator’s router or base transceiver station (known as BTS). Then, the data is redirected from one one router to another. On the way, the data is inspected by automatic processes (such as antispam & antivirus appliances). Every data hop is under someone’s administration - who can eavesdrop any data.
Thank God (or cryptologist), data encryption exists to protect our data-in-motion.
Hopefully, you have heard about HTTPS, a protocol that uses TLS/SSL for data encryption. But setting the encryption in the proper way is difficult. Encryption could be configured in many different ways. Even if we take fine tuning out of the equation, there are still at least 1400 combinations of factors (in a case of HTTPS settings). That’s just before you take additional requirements, like backward compatibility, into account. Because of different requirements, there is no straightforward way to configure it. And trust me, it is very easy to make a mistake. Moreover, every day we find new threats and new attack vectors. It is a tough challenge to keep all provided services at all servers up to date and correctly configured.
What is a Man in the Middle Attack?
The situation outlined above is ideal for hackers and attackers. Attackers can easily direct their victims’ data to their device and eavesdrop on the communication, performing a Man-in-The-Middle (MiTM) attack.
Attackers can easily access your connection in a public place such as shopping center, airport or cafe by creating an open WiFi access point without a password. (This is also called an evil twin  or rogue Access Point .) Then they wait for new clients to come and try to synchronize the victim’s digital activities. They can even speed up the process by disassociating clients from the original legitimate Access Point.
This method allows hackers to ignore things like strong user passwords, highly protected sites and services. All that is needed to cause later disaster is one misconfiguration during the development or operation of the mobile application But a MiTM attack is still possible even when everything is "correctly" implemented--you should understand "correctly" is “securely.”
Even if everything is done correctly and securely by the developers and operators, you can still be liable to Man in the Middle attacks. The culprit? Users. They visit an unsecure website and see a warning advising from not going further, but they click on the “Proceed anyway” button. You can guess how many users will click on that button. In this always-on, I-want-it-now digital age, no warning can stop users from getting what they want. A study shows that people ignore security alerts up to 87% of the time. 
That’s all attackers need, folks, to steal your identity, access codes, and data.
Does this warning message look familiar to you?
Example of a browser SSL warning
Is Man in the Middle really that easy?
The anatomy of a MiTM attack against SSL  is to replace (SSL hijack) or remove (SSL Strip/Downgrade) the certificate which protects the exchange of the password used for future traffic encryption. There are automated tools and tutorials to do that, and they are publically available on the Internet and on Youtube.  Almost everyone can do it.
There are, of course, other MiTM techniques that manipulate with domain name resolution service (DNS), ARP , DHCP, STP or ICMP protocols. But this goes beyond the scope of this article.
What enables SSL-related Man in the Middle attack?
- Incorrect certificate validation: bypassing the functionality or using own cryptographic library, etc..
- Use old and obsolete protocols to establish a secure communication e.g. all SSL versions or early versions of TLS
- Lack of experience with technologies
You are right to say that it's not possible to demand everybody to understand IT security. That's why mobile app security is the responsibility of the mobile application/backend server developers and server operators.
Why do we still use old protocols? Why don’t we implement a proper certificate validation?
Statistic of usage of SSL settings on server side 
We all want to get things done quickly. Software developers, pressured by deadlines and the need to cut costs, often wind up leaving gaps in their security that hackers can take advantage of. Even if time and money are not a problem, many developers lack the necessary experience with mobile app security, security settings and configurations. We talked about thousands and thousands of possible settings. Missing or unavailable operating system update could also be a problem. They might forget a development/production switch that completely bypasses certificate validation. It is as simple as that.
On the user side, much of the blame lies with people using old phones with limited support for cryptographic protocols, misconfiguration of secure access, or acceptance of all certificates for connection - again, certificate validation bypass.
Our research shows that 75% of tested application has activated some certificate validation bypass. Now we can ask again: “How it is possible that we experience so many data breaches?”
Now, you know the answer.
How can we help?
We can fix it. Our mobile application security technology, SeaCat, has by-the-book certificate validation, no way to bypass it. On top of that, every mobile application installed on a mobile device has a unique and automatically-managed identity to allow bi-directional authentication or mutual authentication. We immediately know if any person wants to be in the Middle and quickly disconnect this person. We support the latest cryptographic protocols on even old mobile phones and devices.
We make no sacrifice in security.
Send us an email at email@example.com to share your opinion or ask us any question.
Data encryption tool for GDPRMore information
You Might Be Interested in Reading These Articles
With the year on year rise in ecommerce, there is a corresponding rise in online fraud - in fact, according to Financial Fraud Action UK, this type of activity had increased by a quarter to £399.5 million in the first half of 2016. The most recent manifestation of this is the concept of “testing” - this is where the criminals try small purchases to check the validity of card details, before moving in for the kill.
Published on July 04, 2017
I experienced a precious moment, discovering the cause which contributed to today's dire state of mobile application security. App developers think that if their apps do not deal with money, they should not have to care about app security. Is it true?
Published on February 24, 2015
In June 2017, two information security firms researching the 2016 hack of the electricity grid in Ukraine announced that they had identified the malicious code used to shut down power stations and leave thousands of households and businesses in darkness for several hours. The malware used to target the Kiev power grid has been named Industroyer, and it serves as a sobering reminder about the dangers faced by the Industrial Internet of Things (IIoT).
Published on September 05, 2017