Man in the middle attacks (MiTM) are a popular method for hackers to get between a sender and a receiver. MiTM attacks, which are a form of session hijacking, are not new. However, what might not be known is that mobile devices are vulnerable to MiTM attacks too. In particular, mobile apps are vulnerable to MiTM attacks.

As part of a series on mobile security I've written about other mobile-based attacks here:

Mobile phishing
Mobile pharming
Mobile malware
Mobile encryption
Mobile reversing and tampering

Man in the middle attacks

OWASP has one of the simplest and best definitions of a MiTM attack: "The man-in-the middle attack intercepts a communication between two systems." You might also hear this referred to as a malicious proxy. Edward J. Zaborowski gave a presentation on this topic at DEF CON titled Malicious Proxies.

Proxies

A proxy by design simply intercepts a request from a sender to a receiver:

On behalf of the sender, the proxy makes a request to the receiver.
The proxy receives a response from the receiver.
Finally, the proxy delivers that information to the sender.

A malicious proxy works the same way. It can intercept, send, receive and modify data without the sender or receiver knowing it's happening. MiTM attacks using malicious proxies operate similarly against mobile devices.

MiTM and mobile apps

The exact same vulnerabilities that lead to MiTM attacks on traditional devices apply to mobile devices. The cause is generally associated with incorrect certificate validation and leveraging protocols that are not secure, such as various flavors of SSL and early versions of TLS. For mobile apps to thwart these types of attacks it's important to look at how the mobile app performs authentication. Leveraging certificate pinning within the mobile app, for example, helps ensure that the mobile app is communicating with the device it is expecting to communicate with.

On the mobile device, within the mobile app, certificate pinning links the certificate to the destination's hostname to create trust. This is generally done when the app is developed, at a time when the pinning relationship is known to be valid. There is little reason to do this later, when a malicious proxy is already in place.

It's important to have pinning between the certificate and the server's hostname, and validation that the certificate is from a valid root authority. All of these controls can and should be built directly into the mobile app. Even with other controls in place, like whitelisting, certificate pinning is needed to thwart MiTM attacks. For additional information on certificate and public key pinning check out OWASP.