Mobile App Security - Want to Be a “Man in the Middle” of a Mobile Communication? It’s Easier Than You Think
Mobiles are everywhere nowadays and a central part of almost everyone’s lives. In fact, we are using them for everything - both for personal and business purposes. From streaming media entertains us on our way to work, to chatting with friends and family, to sending emails at work - mobiles are now effectively computers on the go. According to Cisco "The Zettabyte Era—Trends and Analysis"  study, we are using mobile access more and more. And this trend will continue well into the future.
Our productivity, accessibility, and attainability rely on mobile apps. The connecting process to a mobile network is transparent and invisible. The same applies to all other services that we consume. Everything is fast, invisible and already set. We are consumers of this myriad of mobile services without ever thinking about what could happen if someone were to intercept that connection.
So how come we hear about data leaks like the thefts celebrities' private photos theft, stolen identities, unauthorized bank transfers, and millions of customer records being stolen from large companies?
Data security - What happens to your data?
The data-in-motion - that is, data that flows from your mobile app to the server and back - travels across the world. It is transferred over your local WiFi network or via your mobile connection to the operator’s router or base transceiver station (known as BTS). Then, the data is redirected from one one router to another. On the way, the data is inspected by automatic processes (such as antispam & antivirus appliances). Every data hop is under someone’s administration - who can eavesdrop any data.
Thank God (or cryptologist), data encryption exists to protect our data-in-motion.
Hopefully, you have heard about HTTPS, a protocol that uses TLS/SSL for data encryption. But setting the encryption in the proper way is difficult. Encryption could be configured in many different ways. Even if we take fine tuning out of the equation, there are still at least 1400 combinations of factors (in a case of HTTPS settings). That’s just before you take additional requirements, like backward compatibility, into account. Because of different requirements, there is no straightforward way to configure it. And trust me, it is very easy to make a mistake. Moreover, every day we find new threats and new attack vectors. It is a tough challenge to keep all provided services at all servers up to date and correctly configured.
What is a Man in the Middle Attack?
The situation outlined above is ideal for hackers and attackers. Attackers can easily direct their victims’ data to their device and eavesdrop on the communication, performing a Man-in-The-Middle (MiTM) attack.
Attackers can easily access your connection in a public place such as shopping center, airport or cafe by creating an open WiFi access point without a password. (This is also called an evil twin  or rogue Access Point .) Then they wait for new clients to come and try to synchronize the victim’s digital activities. They can even speed up the process by disassociating clients from the original legitimate Access Point.
This method allows hackers to ignore things like strong user passwords, highly protected sites and services. All that is needed to cause later disaster is one misconfiguration during the development or operation of the mobile application But a MiTM attack is still possible even when everything is "correctly" implemented--you should understand "correctly" is “securely.”
Even if everything is done correctly and securely by the developers and operators, you can still be liable to Man in the Middle attacks. The culprit? Users. They visit an unsecure website and see a warning advising from not going further, but they click on the “Proceed anyway” button. You can guess how many users will click on that button. In this always-on, I-want-it-now digital age, no warning can stop users from getting what they want. A study shows that people ignore security alerts up to 87% of the time. 
That’s all attackers need, folks, to steal your identity, access codes, and data.
Does this warning message look familiar to you?
Example of a browser SSL warning
Is Man in the Middle really that easy?
The anatomy of a MiTM attack against SSL  is to replace (SSL hijack) or remove (SSL Strip/Downgrade) the certificate which protects the exchange of the password used for future traffic encryption. There are automated tools and tutorials to do that, and they are publically available on the Internet and on Youtube.  Almost everyone can do it.
There are, of course, other MiTM techniques that manipulate with domain name resolution service (DNS), ARP , DHCP, STP or ICMP protocols. But this goes beyond the scope of this article.
What enables SSL-related Man in the Middle attack?
- Incorrect certificate validation: bypassing the functionality or using own cryptographic library, etc..
- Use old and obsolete protocols to establish a secure communication e.g. all SSL versions or early versions of TLS
- Lack of experience with technologies
You are right to say that it's not possible to demand everybody to understand IT security. That's why mobile app security is the responsibility of the mobile application/backend server developers and server operators.
Why do we still use old protocols? Why don’t we implement a proper certificate validation?
Statistic of usage of SSL settings on server side 
We all want to get things done quickly. Software developers, pressured by deadlines and the need to cut costs, often wind up leaving gaps in their security that hackers can take advantage of. Even if time and money are not a problem, many developers lack the necessary experience with mobile app security, security settings and configurations. We talked about thousands and thousands of possible settings. Missing or unavailable operating system update could also be a problem. They might forget a development/production switch that completely bypasses certificate validation. It is as simple as that.
On the user side, much of the blame lies with people using old phones with limited support for cryptographic protocols, misconfiguration of secure access, or acceptance of all certificates for connection - again, certificate validation bypass.
Our research shows that 75% of tested application has activated some certificate validation bypass. Now we can ask again: “How it is possible that we experience so many data breaches?”
Now, you know the answer.
How can we help?
We can fix it. Our mobile application security technology, SeaCat, has by-the-book certificate validation, no way to bypass it. On top of that, every mobile application installed on a mobile device has a unique and automatically-managed identity to allow bi-directional authentication or mutual authentication. We immediately know if any person wants to be in the Middle and quickly disconnect this person. We support the latest cryptographic protocols on even old mobile phones and devices.
We make no sacrifice in security.
Send us an email at firstname.lastname@example.org to share your opinion or ask us any question.
Most Recent Articles
- Cyber-health with a password and an antivirus program is not enough
- TeskaLabs at the ETSI 1st C-V2X Plugtest
- TeskaLabs has become a leader of Mobile Healthcare applications in the Health (in) Future Platform
- TeskaLabs at the ETSI 7th CMS Plugtest validating C-ITS security
- Why Hackers Target Small Business Websites 5 Tips to Stop them
You Might Be Interested in Reading These Articles
MazelTov and the Russian Underground Have It Going for Your Android Devices. But Not for Good Reasons
The Internet has been a good place for individuals and businesses. However, it's fast-becoming a leading medium for criminals in this cyber war against people like you and I. One example is the Russian underground that sell anything to do with cyber crime. On their websites, you can find any type of Trojans, exploits, rootkits and fake documents.
Published on May 19, 2015
OpenSSL DROWN Vulnerability Affects Millions of HTTPS Websites and Software Supporting SSLv2 (CVE-2016-0800)
DROWN is caused by legacy OpenSSL SSLv2 protocol, known to have many deficiencies. Security experts have recommended to turn it off, but apparently many servers still support it because disabling SSLv2 requires non-default reconfiguration of the SSL cryptographic settings which is not easy for common IT people who have limited security knowledge and don’t know the location to disable this protocol and the way to disable it.
Published on April 12, 2016
When it comes to dealing with the modern business, cyber security is more than an afterthought. Poor security standards will cost you more than just business, too; it could cost your reputation, or even your ability to trade.
Published on March 10, 2019