
Cutting out the middleman: Man-in-the-middle attacks and prevention for mobile apps


A mobile app that’s vulnerable to man-in-the-middle (MITM) attacks can allow an attacker to capture, view, and modify sensitive traffic sent and received between the app and backend servers. At NowSecure, Michael Krueger and Tony Ramirez spend their days performing penetration tests on Android and iOS apps, which include exploiting MITM vulnerabilities and helping developers fix them. These slides are from a 30-minute webinar with Michael & Tony about MITM attacks on mobile apps and how to prevent them. The webinar covers:

-- Identifying man-in-the-middle vulnerabilities in mobile apps
-- How to execute a mobile man-in-the-middle attack
-- Right and wrong ways to implement certificate validation and certificate pinning

Published in: Technology

  1. Cutting out the middleman: Man-in-the-middle attacks and prevention for mobile apps
  2. © Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information. NowSecure #MobSec5 Weekly mobile security news update. SUBSCRIBE NOW: www.nowsecure.com/go/subscribe
  3. Tony Ramirez, Software Support Engineer | NowSecure. Michael Krueger, Mobile Security Analyst | NowSecure
  4. Contents
     ● What exactly is a mobile man-in-the-middle (MITM) attack?
     ● Certificate pinning: protection against mobile MITM attacks
     ● Testing your certificate pinning implementation
     ● Questions
  5. The basics of mobile man-in-the-middle (MITM) attacks
  6. Man-in-the-middle attack
     Definition: the attacker positions themselves between two parties and intercepts and/or alters data transmitted between them.
     Diagram: Victim <-> Attacker <-> Server. In place of the original connection, the attacker presents a fake certificate to the victim.
  7. Intercepting network connections
     ● Any network device can be used to intercept traffic
     ● The attacker doesn’t have to be in the same room or on the same local network to intercept a user’s traffic
     ● Run traceroute to see the numerous points at which traffic can be captured
  8. Certificates, validation, and pinning protect a mobile device’s network communications
     SSL/TLS connection type   What’s accepted?
     Unvalidated               Any SSL/TLS certificate
     Validated                 Device-trusted root certificates
     Pinned                    Certificates pinned to the app
  9. MITM methods: Compromising a certificate authority’s key
     ● Certificate authorities (CAs) issue and validate certificates
     ● We’re placing absolute trust in external parties
     ● Compromise or lack of due diligence causes problems
     ● Your app is still protected if you’re doing certificate pinning - unless you’re pinning the public key
  10. MITM methods: Tricking a user into installing a certificate
     ● Via a social engineering campaign, users could be tricked into installing a certificate
     ● The certificate is trusted and inserted into the device’s trust chain
     ● The user is prompted to install the certificate
       ○ The alert doesn’t convey the actual danger
       ○ Some people will install it
     ● Your app is still protected if you’re doing certificate pinning
  11. User receives an e-mail with a profile attached. User clicks and is prompted to install the profile. User is prompted to enter their PIN in order to install. The warning doesn’t convey the actual danger.
  12. How an attacker can create an iOS profile to facilitate a mobile MITM attack
     1. Downloads the free Apple Profile Configurator 2
     2. Configures a malicious profile
        a. VPN configuration
        b. Self-signed certificate
        c. Developer certificate ($100)
     3. Distributes the malicious profile
  13. MITM attacks go beyond the coffee shop and compromised Wi-Fi hotspots
     ● Misconfigured self-signed certificates with weak private keys (local)
     ● Fake Wi-Fi login portals (local or remote)
     ● E-mail attachments (remote)
     ● Free VPNs (remote): https://www.cactusvpn.com/vpn/free-android-vpn-apps-proven-malicious/
  14. It’s quite simple: YOU MUST PIN!
  15. How certificate pinning reduces risk in a mobile app (CVSS 3.0 base scores)
     Validation: No,  Pinning: No   7.5 (High)    https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
     Validation: Yes, Pinning: No   6.5 (Medium)  https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
     Validation: Yes, Pinning: Yes  3.8 (Low)     https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:P/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N
  16. Certificate pinning = low effort, high security return
     ● Bypassing certificate pinning is complex: it requires high privileges and physical access
       ○ Jailbroken/rooted device and tools
       ○ Or, the ability to reverse engineer, modify, and re-distribute the app
     ● Anti-tampering and custom native libraries offer additional mitigation against mobile MITM attacks, even on a jailbroken/rooted device
  17. Reasons we’ve heard for why people don’t pin certificates
     Reason                                    Reality
     Impedes performance                       Comparable to any encryption
     Too much effort                           It’s easier than you think
     App doesn’t transmit sensitive data       Are you sure?
     A CA getting compromised is unlikely      It happens, and it’s not the only vector
     Our app doesn’t use SSL/TLS               Start using TLS
     MITM attacks are targeted/only local      There are other vectors
  18. How to do certificate pinning
  19. The basics
     ● What am I pinning?
       ○ The SHA256 hash of your certificate or public key
     ● What am I pinning it to?
       ○ Android: use DefaultHttpClient or the Network Security Config file
       ○ iOS: use NSURLSession or AFNetworking
       ○ Use popular APIs like OkHttp and TrustKit
  20. Pro tip: Pinning maintenance is required
     ● If the pinned certificate is compromised, so is your app
     ● You’re deciding which certificates to trust and taking responsibility for maintenance
     ● Maintenance requires:
       ○ Making sure the certificate is valid
       ○ Updating the certificate if it expires
       ○ Updating the certificate if it changes
  21. Testing your certificate pinning implementation is crucial
     ● Ultimately, you need to confirm your pinning implementation with testing
     ● The best way to verify is to perform a MITM attack against the app
     ● For example: is the app only pinning at login?
     ● Test continuously: third-party libraries (CVE-2016-2402) or new functionality can break pinning
  22-24. Overview: How we test for certificate pinning (built up over three slides)
     1. Install the proxy certificate (optional): without the proxy certificate you’re testing for validation; with the certificate you’re testing for certificate pinning
     2. Configure the proxy settings: you need to do this in the test device’s Wi-Fi settings
     3. Log into the app and try to capture traffic: if you can’t capture the traffic, the app is implementing certificate pinning
  25. Basic proxy setup (diagram)
     Device 192.168.10.15, gateway set to 192.168.10.66 -> Laptop with mitmproxy listening on ports 80 and 443, 192.168.10.66 -> 192.168.10.1 -> Server
     Mitmproxy CA certificate installed on the device (optional)
  26. Resources
  27. Good resources to help you with certificate pinning
     ● OWASP Pinning Cheat Sheet: https://www.owasp.org/index.php/Pinning_Cheat_Sheet
     ● NowSecure Secure Mobile Development Best Practices: https://books.nowsecure.com/secure-mobile-development/en/sensitive-data/fully-validate-ssl-tls.html
  28. Summary & next steps
  29. Three key takeaways
     1. MITM attacks are not ONLY local attacks executed at the coffee shop.
     2. Certificate validation alone is not enough to protect against MITM attacks.
     3. Certificate pinning is low-effort and offers significant protection against MITM attacks.
  30. Practical next steps
     ● This week: Find out whether your mobile apps receive security assessments and whether certificate validation, certificate pinning, and other MITM-related tests are included.
     ● In the next two weeks: If your apps aren’t already tested for MITM vulnerabilities, determine how to include those tests in your testing cycle.
     ● In the next two months: Implement certificate pinning in all apps and test the pinning implementation as a part of your regular mobile app security testing.
  31. Let’s talk: NowSecure, +1 312.878.1100, @NowSecureMobile, www.nowsecure.com. Subscribe to #MobSec5, a digest of the week’s mobile security news that matters: https://www.nowsecure.com/go/subscribe
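Slides 19 and 20 say to pin the SHA-256 of the certificate or the public key and warn that the pin must be maintained across renewals. The following added example (not code from the NowSecure deck) computes both pin values from a DER-encoded certificate with a stdlib-only DER walker and shows the maintenance difference: a certificate-hash pin changes on every re-issuance, while a public-key (SubjectPublicKeyInfo) pin survives a renewal that keeps the same key. The certificates it builds are constructed, unsigned stand-ins with only the field layout of a real X.509 certificate.

```python
import base64
import hashlib

# Minimal DER helpers (part of this added example): enough to build and walk a Certificate SEQUENCE.
def _len(n):
    return bytes([n]) if n < 0x80 else (bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF]))

def seq(*parts):
    body = b"".join(parts)
    return b"\x30" + _len(len(body)) + body

def _hdr(buf, i=0):
    """(header length, content length) of the TLV starting at buf[i]; long-form lengths supported."""
    first = buf[i + 1]
    if first < 0x80:
        return 2, first
    n = first & 0x7F
    return 2 + n, int.from_bytes(buf[i + 2:i + 2 + n], "big")

def elements(tlv):
    """Child TLVs (tag + length + value, kept intact) of one constructed DER element."""
    hdr, length = _hdr(tlv)
    out, i = [], hdr
    while i < hdr + length:
        h, n = _hdr(tlv, i)
        out.append(tlv[i:i + h + n])
        i += h + n
    return out

def spki(cert_der):
    """Certificate = SEQUENCE { tbsCertificate, sigAlg, signature }; TBSCertificate fields:
    [0] version (optional), serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ..."""
    fields = elements(elements(cert_der)[0])
    return fields[6 if fields[0][0] == 0xA0 else 5]   # skip the explicit [0] version if present

def b64_sha256(data):
    return base64.b64encode(hashlib.sha256(data).digest()).decode()
def public_key_pin(cert_der):   # OkHttp writes "sha256/" + this; Android NSC: <pin digest="SHA-256">this</pin>
    return b64_sha256(spki(cert_der))
def certificate_pin(cert_der):  # hashes the whole certificate, so every re-issuance changes the pin
    return b64_sha256(cert_der)

# Constructed stand-ins for the demo: real X.509 field order, placeholder contents, no real signature.
_ALG = seq(b"\x06\x03\x55\x04\x03", b"\x05\x00")      # placeholder AlgorithmIdentifier
KEY_A, KEY_B = bytes(range(32)), bytes(range(32, 64))  # placeholder key bytes, not real keys

def make_cert(serial, key_bytes):
    key_info = seq(_ALG, b"\x03" + _len(len(key_bytes) + 1) + b"\x00" + key_bytes)  # SPKI: alg + BIT STRING
    tbs = seq(b"\xA0\x03\x02\x01\x02", b"\x02\x01" + bytes([serial]), _ALG, seq(), seq(), seq(), key_info)
    return seq(tbs, _ALG, b"\x03\x01\x00")
```

`make_cert(1, KEY_A)` and `make_cert(2, KEY_A)` model a renewal with the same key: their `public_key_pin` values match while their `certificate_pin` values differ, which is why a key pin plus a backup pin for the next key is the usual maintenance strategy.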
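The test procedure on slides 22 to 25 yields two runs per app, one with the proxy set but its CA not installed and one with the proxy CA trusted by the device, and slide 8 gives the three connection types the outcome maps to. As an added example (not NowSecure's tooling), the Python below turns per-host observations from those two runs into that classification and also flags the "only pinning at login" case from slide 21. The observation records are constructed for illustration; in practice they come from the proxy's flow log.

```python
from collections import defaultdict

RUNS = ("no_ca", "ca")  # run 1: proxy configured, its CA not installed; run 2: proxy CA installed as trusted root

# Constructed sample observations: (run, host, captured). "captured" means the proxy logged a
# decrypted HTTP request for that host, i.e. the app accepted the proxy's certificate.
SAMPLE = [
    ("no_ca", "api.example.test", False), ("ca", "api.example.test", False),
    ("no_ca", "cdn.example.test", False), ("ca", "cdn.example.test", True),
    ("no_ca", "legacy.example.test", True), ("ca", "legacy.example.test", True),
    ("no_ca", "auth.example.test", False), ("ca", "auth.example.test", False), ("ca", "auth.example.test", True),
    ("no_ca", "stats.example.test", False),
]

def classify(records):
    """Map each host to a slide-8 connection type from the two-run proxy test."""
    seen = defaultdict(lambda: {run: set() for run in RUNS})
    for run, host, captured in records:
        seen[host][run].add(captured)
    verdicts = {}
    for host, obs in seen.items():
        if True in obs["no_ca"]:
            verdicts[host] = "unvalidated"        # any certificate accepted: no chain validation at all
        elif not obs["ca"]:
            verdicts[host] = "incomplete"         # never exercised with the CA installed; cannot tell
        elif obs["ca"] == {True}:
            verdicts[host] = "validated-only"     # trusts any device-trusted root: no pinning
        elif obs["ca"] == {False}:
            verdicts[host] = "pinned"             # traffic not capturable even with a trusted proxy CA
        else:
            verdicts[host] = "partially-pinned"   # some requests pinned, some not (e.g. pinning only at login)
    return verdicts

def findings(records):
    """Hosts that still need work, worst first (unvalidated before validated-only, as on slide 15)."""
    order = ["unvalidated", "validated-only", "partially-pinned", "incomplete"]
    verdicts = classify(records)
    return sorted((h for h, t in verdicts.items() if t != "pinned"),
                  key=lambda h: (order.index(verdicts[h]), h))
```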
