Man in the middle attacks (MiTM) are a popular method for hackers to get between a sender and a receiver. MiTM attacks, which are a form of session hijacking, are not new. However, what might not be known is that mobile devices are vulnerable to MiTM attacks too. In particular, mobile apps are vulnerable to MiTM attacks.

As part of a series on mobile security I've written about other mobile-based attacks here:

Mobile phishing
Mobile pharming
Mobile malware
Mobile encryption
Mobile reversing and tampering

Man in the middle attacks

OWASP has one of the simplest and best definitions of a MiTM attack: "The man-in-the middle attack intercepts a communication between two systems." You might also hear this referenced as a malicious proxy. Edward J. Zaborowski gave a presentation on this topic at DEF CON titled Malicious Proxies.

Proxies

A proxy by design simply intercepts a request from a sender to a receiver. On behalf of the sender, the proxy makes a request to the receiver. The proxy receives a response from the receiver. Finally, the proxy delivers that information to the sender. A malicious proxy works the same way. It can intercept, send, receive and modify data without the sender or receiver knowing it's happening. MiTM attacks and malicious proxies operate in the same way when the target is a mobile device.

MiTM and mobile apps

The exact same vulnerabilities that lead to MiTM attacks on traditional devices apply to mobile devices. The cause is generally incorrect certificate validation and the use of protocols that are not secure, such as the various flavors of SSL and early versions of TLS. For mobile apps to thwart these types of attacks it's important to look at how the mobile app performs authentication.
Leveraging certificate pinning within the mobile app, for example, helps ensure that the mobile app is communicating with the device it is expecting to communicate with.

On the mobile device, within the mobile app, certificate pinning links the certificate to the destination's hostname to create trust. This is generally done when the app is developed, at a time when the pinning relationship is known to be valid. There is little reason to do this later, when a malicious proxy may already be in place.

It's important to have pinning between the certificate and the server's hostname, and validation that the certificate is from a valid root authority. All of these controls can and should be built directly into the mobile app. Even with other controls in place, like whitelisting, certificate pinning is needed to thwart MiTM attacks. For additional information on certificate and public key pinning, check out OWASP.
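As an added example (not code from the article or from OWASP), here is the check described above written in Go so it can be run stand-alone: the pin set is keyed by hostname, the leaf certificate must be issued for that hostname, and the pin comparison runs after ordinary chain validation rather than replacing it. The hostname api.example.com, the pin set and the throwaway certificates are constructed for the demonstration; on Android the same logic sits behind OkHttp's CertificatePinner, and the "sha256/<base64>" pin format used here is the one that class expects.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// spkiPin hashes the SubjectPublicKeyInfo ("sha256/<base64>", the OkHttp form), so the pin survives certificate renewal as long as the server keeps its key pair.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return "sha256/" + base64.StdEncoding.EncodeToString(sum[:])
}

// verifyPinned runs after ordinary chain validation, not instead of it: the leaf must be issued for host and use a key that was pinned for host when the app was built.
func verifyPinned(host string, rawCerts [][]byte, pins map[string][]string) error {
	if len(rawCerts) == 0 {
		return fmt.Errorf("no certificate presented for %s", host)
	}
	leaf, err := x509.ParseCertificate(rawCerts[0])
	if err != nil {
		return err
	}
	if err := leaf.VerifyHostname(host); err != nil {
		return err // certificate is not bound to the hostname the app expects
	}
	got := spkiPin(leaf)
	for _, want := range pins[host] {
		if got == want {
			return nil
		}
	}
	return fmt.Errorf("pin mismatch for %s: possible interception by a proxy", host)
}

// selfSigned builds a throwaway certificate for host (constructed test data only).
func selfSigned(host string) ([]byte, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
}
```

Ship at least one backup pin for a key held offline, because an app with a single pin locks itself out when the server key rotates.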