The Open Web Application Security Project (OWASP) has listed Insecure Communication as the third most exploited risk in mobile applications.
As the name suggests, Insecure Communication refers to mobile app vulnerability where sensitive data is intercepted while it’s traveling across the wire. This type of mobile app vulnerability is most common since the majority of applications exchange data in a client-server fashion. When the data is transmitted, it traverses the mobile device’s carrier network and the internet.
Assessing the ease of exploitability of Insecure Communication vulnerability ranges. While it’s simpler to monitor network users in a local eatery, it’s comparatively harder to monitor targeted users over the carrier’s network.
An adversary may carry an attack via insecure communication in the following scenarios:
- When an attacker shares your local network (compromised or monitored Wi-Fi);
- When an attacker targets the carrier or network devices (routers, cell towers, proxy’s, etc);
- When an attacker successfully inserts malware on your mobile device.
For network traffic, mobile applications may use SSL/TLS during authentication but not elsewhere. This sometimes leads to the risk of data exposure and interception of session IDs. Mobiles use transport security, however, this doesn’t imply correct implementation by the app.
Once a hacker gains control of your communication network via exploiting this flaw, he can leak the user’s data ultimately leading to account theft.
Sensitive data include encryption keys, passwords, private user information, account details, session tokens, documents, metadata, and binaries. This data could be coming to the device from a server, or from an app out to a server, or going between the device and a local device (e.g., an NFC terminal or NFC card).
If the admin account is intercepted, it gives the adversary complete control of the site. This has grave business impacts: Violation of a user’s confidentiality will lead to fraud, identity theft, and reputational damage. Moreover, poor SSL can also lead to phishing and MITM attacks.
How to Prevent Insecure Communication?
Here is a list of a few best practices to be used for Android phones which may bring dowwn risks relaated to insecure communication.
- Understand that the network layer is highly susceptible to eavesdropping, thus making it insecure.
- It is imperative to apply SSL/TLS to transport channels used by the mobile app to transmit sensitive information, session tokens, or other sensitive data to a backend API or web service.
- Account for outside entities like third-party analytics companies, social networks, etc. by using their SSL versions when an application runs a routine via the browser/webkit. Avoid mixed SSL sessions as they may expose the user’s session ID.
- Ensure usage of strong, industry standard cipher suites with appropriate key lengths.
- Use certificates signed by a trusted CA provider.
- Never allow self-signed certificates, and consider certificate pinning for security conscious applications.
- Always require SSL chain verification.
- Only establish a secure connection after verifying the identity of the endpoint server using trusted certificates in the keychain.
- In case the mobile app detects an invalid certificate, alert users through the UI.
- Avoid sending sensitive data over alternate channels (e.g, SMS, MMS, or notifications).
- Apply a separate layer of encryption to any sensitive data before it is given to the SSL channel. In the event that future vulnerabilities are discovered in the SSL implementation, the encrypted data will provide a secondary defense against confidentiality violation.
Worried that your phone might be vulnerable to such threats? Protect your mobile now with Astra’s Complete Security Suite for Android and iOS apps