Mobile apps have many benefits for the companies that offer them to their users. At the same time, they can create new vulnerabilities and security challenges.
The first article in this series (How Hackers Attack Your Mobile Apps, Part 1) discussed the threat landscape when the client device of a mobile application is compromised, and how to mitigate these threats. Here in Part 2, we’ll discuss various network-level vulnerabilities and some best practices to prevent them.
Common Network Vulnerabilities
A seamless network is a crucial component of a tech stack that helps establish communication links between application servers, endpoint devices, and various distribution platforms. Due to the number of components and amount of data a network carries, security naturally becomes a complex topic.
Hackers often target the communication between clients and backends. As mobile applications have become more popular, their traffic with backend APIs have become the frequent focus of attackers.
Here are some common network vulnerabilities for mobile app traffic.
Cryptography enables development teams to secure networks by ensuring only the sender and intended recipient of a message can access it. Advanced attacks typically bypass misconfigured encryption mechanisms while taking advantage of poor encryption key management processes to decrypt data in transit. Additionally, they can exploit weak or outdated encryption algorithms by performing advanced reverse-engineering techniques and exposing sensitive information.
Insufficient Transport Layer Protection
Mobile applications typically rely on HTTP/S traffic to receive and respond to requests in a client-server configuration. The data is transmitted over the internet and the endpoint device’s carrier network. In the absence of adequate data protection in the transport layer, attackers can leverage various vulnerabilities to intercept data in transit. Some common vulnerabilities here include misconfigured network devices, malware on the mobile endpoint, or a compromised network. Although insecure transport layer vulnerabilities can be difficult to exploit, they are still a common form of attack since hackers use automated tools to identify susceptible entry points.
Improper Session Handling
Mobile applications rely on built-in session management technologies (cookies, tokens, etc.) to avoid the need to authenticate themselves for each request within an active session. Failure to execute session invalidation on both the server-side and client-side allows attackers to use HTTP manipulation tools to hijack and exploit a terminated session. Another common form of session-handling misconfiguration is when developers use persistent cookies or fail to rotate cookies periodically. Unless applications reset cookies after each authentication state change, persistent cookies remain valid even after a session has ended. This allows hackers to leverage an idle cookie to obtain unauthorized entry and masquerade as the user.
In the absence of robust network security between a device and the application server, attackers can exploit network vulnerabilities to sniff the traffic. These vulnerabilities can include insecure network devices (such as routers and proxies) or a compromised public network (such as Wi-Fi).
This can allow hackers to hijack credentials, access tokens or session ids of a legitimate user. Possible results include ATO (Account Takeover), or depending on the user’s access privileges, a broader compromise of the backend server.
Unintended Data Leakage
As mobile applications have become common, the amount of sensitive data that they process has increased, and the risk of data leakage has increased. When this occurs, there can be severe impacts, including privacy violations, reputational damage, and penalties from compliance authorities and regulators.
Here are some examples of recent incidents, illustrating the variety of data that can leak:
Best Practices to Prevent Network-Level Vulnerabilities
There are several methods you can use to protect your mobile applications against security threats at the network level.
When securing applications, software teams should work under the assumption that attackers can bypass client-side authentication mechanisms. As a result, it is important to reinforce these controls on the server-side to ensure the application only services requests from legitimate users. Apart from generic authentication mechanisms, you can also implement advanced authentication strategies, such as Multi-Factor Authentication (MFA) and biometric logins to strengthen network security. For applications that can be used offline based on localized authorization checks, it is recommended to implement automated scans to detect unauthorized code changes.
Leverage Encryption for Data Security
As hackers target wireless networks to intercept data in transit, it is crucial to use strong encryption protocols with up-to-date cryptographic algorithms to protect all forms of cross-network communications including text, voice, and data.
Properly Destroy Session Tokens
As sessions are stored on the client-side for easier management and scaling, this exposes the application to hijacking attacks if the token is not discarded safely after the user session is complete. It is important to set a mandatory timeout for every session in order to reduce the time period a hacker can launch an attack after hijacking a session. Additionally, developers should ensure that both client-side and server-side session token termination are performed simultaneously to evade man-in-the-middle (MitM) attacks.
Ensure Proper Certificate Creation
Beyond encryption, data in transit should rely on certificates signed by a reputable CA provider for stronger authentication. For high-risk applications, developers should implement public key pinning to ensure the app only considers whitelisted certificates/keys as valid. By preventing the use of forged certificates/keys, hosts can associate with only those apps with an established trust-anchor. Additionally, applications should not accept self-signed certificates, as this may allow hackers to intercept network traffic by acting as legitimate users. When designing an app, architects must put in controls that establish a secure connection only after verifying the identity of the user or endpoint device.
Such security controls can involve:
- Using strong cipher suites with unbreakable key lengths, such as SHA256, to encrypt data transfer between the application endpoint and user devices
- Notifying users when the application detects an invalid certificate
- Avoiding mixed SSL sessions
Utilize SSL Chain Verification
All applications should implement processes that evaluate whether a certificate chain was correctly formed, was signed, and is trustworthy. Verifying the certificate chain involves an end-to-end workflow that enables the app server to verify the identity of the endpoint device before establishing a secure connection:
- Locate the issuer’s certificate
- Verify the certificate using the public key in the issuer’s certificate
- Verify the certificate’s validity period through the user’s system clock
- If the verifier does not trust the issuer’s certificate, it is checked to ensure it contains an appropriate CA; if this fails, the verification goes back to step 1 of the chain.
Implement Threat Modeling
A useful strategy for avoiding threats is to simulate attacks and typical scenarios that lead to security lapses. While examining and documenting the actions of a hacker, threat modeling involves the identification of mitigation controls to preemptively stop future attacks. When building mobile applications, it is recommended that developers test application code to prevent network-level vulnerabilities, including:
- Insufficient transport layer protection
- Broken cryptography
- Inaccurate session handling
- Client-side injection
Developers should consider each attack scenario individually to ensure the application’s assets and data are inaccessible even after the hacker has infiltrated the network. This requires security teams to examine the app’s code and configuration settings to discover both existing and potential security gaps.
Implement Client-Device Authentication
Most authentication mechanisms are designed to verify users. An additional layer of API security can be added by verifying the client devices themselves. When this is done, traffic from legitimate users is accepted, while traffic from attackers (which in order to wage attacks at scale, must use bots or emulators) can be blocked.
The Reblaze Mobile SDK is a unique client-device authentication mechanism that does this. Organizations can publish their Android and iOS mobile apps with the SDK embedded.
In use, the SDK signs the application, authenticates the device, and verifies user identity. It validates all requests coming from legitimate apps, adding a cryptographic HMAC signature to each one. The signatures are non-reproducible, non-guessable, and non-repeating.
The SDK provides a reliable and secure mechanism to confirm that the traffic is originating from a legitimate app user and not a bot or emulator. Incoming traffic that was not verified by the SDK can safely be rejected, or have other custom responses configured.
The Mobile SDK is one aspect of the Reblaze platform, which also includes other capabilities as part of its comprehensive web security SaaS solution. Other core technologies include next-gen WAF, multi-layer DDoS protection, real-time traffic visibility, advanced bot management, flow control, flexible rate limiting, API security (not just for mobile APIs), account takeover (ATO) prevention, and more.
Modern applications power numerous facets of our business and personal lives, with mobile devices being used for communication, shopping, healthcare, finance, and more. As these devices rely on networks to interconnect with services and third-party tools, network channels remain a prime target for malicious actors.
In this article, we discussed some common network-level vulnerabilities and best practices to prevent attacks through the network. In our next and final article of the series, we’ll look at attacks directed at mobile API endpoints, and how organizations can mitigate them.