



Man in the middle attacks on mobile apps

Oct 03, 2016
Mobile Security, Network Security, Security

Mobile devices are vulnerable to MiTM attacks too. In particular, mobile apps are vulnerable to MiTM attacks.

Man in the middle attacks (MiTM) are a popular method for attackers to get between a sender and a receiver. MiTM attacks, which are a form of session hijacking, are not new. What might be less well known is that mobile devices are vulnerable to MiTM attacks too, and in particular that mobile apps are.

As part of a series on mobile security I’ve written about other mobile-based attacks here:

Man in the middle attacks

OWASP has one of the simplest and best definitions of a MiTM attack. “The man-in-the middle attack intercepts a communication between two systems.” You might also hear this referenced as a malicious proxy. Edward J. Zaborowski gave a presentation on this topic at DEF CON titled: Malicious Proxies.


A proxy by design simply intercepts a request from a sender to a receiver.

  • On behalf of the sender the proxy makes a request to the receiver.
  • The proxy receives a response from the receiver.
  • Finally, the proxy delivers that information to the sender.   

A malicious proxy works the same way, with one difference: it can intercept, forward, receive and modify data without either the sender or the receiver knowing it is happening. MiTM attacks built on malicious proxies work the same way against mobile apps as against any other client.
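The three proxy steps above, with the tampering step a malicious proxy adds, as an added example that is not part of the original post. Everything runs on the loopback interface: a one-shot echo service stands in for the backend, the relay sits between the app and that backend, and the traffic is plaintext, which is what an app that does not validate the server certificate is effectively sending as far as the attacker is concerned. The message `balance=100` and the `echo:` reply format are constructed for the demo.

```python
import socket
import threading


def listen_local() -> socket.socket:
    """Bind a listening socket on an OS-chosen loopback port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    return s


def echo_server(listener: socket.socket) -> None:
    """The genuine receiver: answers one request with b'echo:' + request."""
    conn, _ = listener.accept()
    with conn:
        request = conn.recv(4096)
        conn.sendall(b"echo:" + request)


def malicious_proxy(listener: socket.socket, upstream, tamper) -> None:
    """The man in the middle. Same shape as a benign proxy, plus tamper()."""
    client, _ = listener.accept()
    with client, socket.create_connection(upstream) as server:
        request = client.recv(4096)       # 1. intercept the sender's request
        server.sendall(request)           # 2. make the request on the sender's behalf
        response = server.recv(4096)      # 3. receive the receiver's response
        client.sendall(tamper(response))  # 4. deliver a modified copy to the sender


def run_demo(message: bytes = b"balance=100") -> dict:
    """Route one client exchange through the proxy; return what each side saw."""
    server_l, proxy_l = listen_local(), listen_local()
    tamper = lambda resp: resp.replace(b"100", b"999")  # constructed tampering rule
    threads = [
        threading.Thread(target=echo_server, args=(server_l,)),
        threading.Thread(target=malicious_proxy,
                         args=(proxy_l, server_l.getsockname(), tamper)),
    ]
    for t in threads:
        t.start()
    # The victim app: the only difference from a direct connection is the
    # address it was steered to (rogue Wi-Fi, spoofed DNS, a proxy setting).
    with socket.create_connection(proxy_l.getsockname(), timeout=5) as app:
        app.sendall(message)
        seen_by_app = app.recv(4096)
    for t in threads:
        t.join()
    server_l.close()
    proxy_l.close()
    return {"sent": message, "genuine": b"echo:" + message, "seen_by_app": seen_by_app}


if __name__ == "__main__":
    print(run_demo())
```

Neither endpoint can tell the relay is there: the server saw a normal request, and the app got a well-formed reply. Only an authenticated channel between the two, which is what the rest of the post is about, lets the app detect that the reply did not come from the server it intended to reach.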

MiTM and mobile apps

The same weaknesses that enable MiTM attacks against traditional clients apply to mobile devices. The root cause is usually incorrect certificate validation in the app, for example accepting any certificate chain or skipping the hostname check, combined with support for protocols that are no longer secure: every version of SSL and the early versions of TLS.

To thwart these attacks, look at how the mobile app authenticates the server it talks to. Certificate pinning within the app, for example, helps ensure that the app is communicating with the server it expects rather than with whatever presents a certificate that happens to chain to a trusted root.


On the mobile device, inside the app, certificate pinning ties the expected certificate (or its public key) to the destination’s hostname to create trust. The pin is fixed when the app is built, when the developer knows which certificate is genuine. Learning the pin later, from the first connection the device happens to make, is of little use, because a malicious proxy may already be in place by then.

Pinning the certificate to the server’s hostname complements standard validation rather than replacing it: the chain must still lead to a trusted root authority and the certificate must still match the hostname. All of these controls can and should be built directly into the mobile app. Even with other controls in place, such as whitelisting the hosts the app may contact, certificate pinning is needed to thwart MiTM attacks. For additional information on certificate and public key pinning, see OWASP’s guidance.
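The following is an added example, not code from the original post, covering both points above: the validation settings whose absence causes the attack, and a pin check layered on top of them. It uses Python’s `ssl` module because it exposes the same knobs an app’s HTTP stack exposes under other names (an accept-all TrustManager or hostname verifier on Android is the `insecure_context()` below). Pins are the SHA-256 of the leaf certificate’s DER encoding in the `sha256/<base64>` form OkHttp and HPKP use; `PINS`, its hostname and its placeholder value are assumptions, and the pin would be computed at build time from the genuine certificate.

```python
import base64
import hashlib
import socket
import ssl

# Hypothetical pin table: hostname -> set of acceptable pins. The value below is
# a placeholder; a real entry is computed from the genuine certificate at build
# time, with a backup pin so a certificate rotation does not brick the app.
PINS = {
    "api.example.com": {"sha256/REPLACE-WITH-PIN-COMPUTED-AT-BUILD-TIME"},
}


def cert_pin(der_cert: bytes) -> str:
    """Pin for a certificate given its DER bytes (what getpeercert(True) returns)."""
    digest = hashlib.sha256(der_cert).digest()
    return "sha256/" + base64.b64encode(digest).decode("ascii")


def insecure_context() -> ssl.SSLContext:
    """What an 'accept all certificates' trust manager amounts to: no chain
    validation and no hostname check, so a proxy's self-signed cert is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Chain validated against the platform root store, hostname checked, and
    nothing below TLS 1.2 negotiated (no SSL, no TLS 1.0/1.1)."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def describe(ctx: ssl.SSLContext) -> dict:
    """Plain-value summary of the settings that matter for MiTM resistance."""
    return {
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "minimum_version": ctx.minimum_version.name,
    }


def check_pin(hostname: str, der_cert: bytes, pins=PINS) -> bool:
    """Pin check layered on top of normal validation. Fails closed: a host with
    no recorded pins is refused rather than silently trusted."""
    expected = pins.get(hostname)
    if not expected:
        return False
    return cert_pin(der_cert) in expected


def pinned_connect(hostname: str, port: int = 443, pins=PINS) -> ssl.SSLSocket:
    """Open a TLS connection that passes both standard validation and the pin."""
    raw = socket.create_connection((hostname, port), timeout=10)
    # wrap_socket performs chain and hostname validation; the pin is checked after.
    tls = hardened_context().wrap_socket(raw, server_hostname=hostname)
    leaf = tls.getpeercert(binary_form=True)      # DER of the leaf certificate only
    if not check_pin(hostname, leaf, pins):
        tls.close()
        raise ssl.SSLCertVerificationError(f"certificate pin mismatch for {hostname}")
    return tls
```

Two practical notes. Whole-certificate pins change on every renewal, so many apps pin the SubjectPublicKeyInfo instead, which survives a renewal that keeps the same key; Android’s Network Security Config `<pin-set>` and OkHttp’s `CertificatePinner` both take SPKI pins in this same `sha256/` form. And because `check_pin` fails closed, every host the app talks to needs an entry, which is exactly the discipline the post argues for: decide at build time which servers the app trusts.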


Over the last two decades Brian Contos helped build some of the most successful and disruptive cybersecurity companies in the world. He is a published author and proven business leader.

After getting his start in security with the Defense Information Systems Agency (DISA) and later Bell Labs, Brian began the process of building security startups and taking multiple companies through successful IPOs and acquisitions including: Riptech, ArcSight, Imperva, McAfee and Solera Networks. Brian has worked in over 50 countries across six continents and is a fellow with the Ponemon Institute and ICIT.

The opinions expressed in this blog are those of Brian Contos and do not necessarily represent those of IDG Communications Inc. or its parent, subsidiary or affiliated companies.