Prevent MitM Attacks in Mobile Apps with Certificate Pinning
Nikfar Khaleeli | Feb 13, 2023
What is an MitM Attack?
A Man-in-the-Middle (MitM) attack is a type of cyberattack where the attacker intercepts and observes or manipulates communication between two parties without their knowledge or consent. Common targets of MitM attacks on mobile apps include sensitive information such as login credentials, financial information, and personal data.
With a mobile app, an MitM attack works by intercepting the communication between the mobile app and the server it communicates with. For example, a mobile app may need to communicate with a bank’s servers to arrange a money transfer, or with a doctor’s Electronic Medical Records system to look up medical test results.
There are many other types of servers that a mobile app may need to communicate with. Many factors go into this, such as the mobile app's requirements, the available resources, and the technology stack used to build the mobile app. In addition to a file server, a mobile application may need to use one or more of the following.
Backend servers that handle the heavy lifting of processing data, storing information, and running complex algorithms.
Database servers such as relational databases, NoSQL databases, and cloud-based data storage solutions that store and serve up data to the mobile app.
Authentication servers that handle user authentication and authorization, and are often used to securely manage user credentials.
Push notification servers that send push notifications to users of mobile apps to help keep them engaged with the mobile app.
API servers that provide access to external data sources and services, and often use REST or GraphQL APIs to communicate with the mobile app.
Communication between a mobile app and any of the types of servers it needs access represents a threat vector for an MitM attack.
What is Certificate Spoofing?
Certificate spoofing is a technique used in Man-in-the-Middle (MitM) attacks where the attacker intercepts and manipulates secure communication by using a fake or fraudulent digital certificate. Digital certificates are used to establish trust and to verify the identity of a website or server during secure communication (e.g., HTTPS).
In certificate spoofing attacks, the attacker creates a fake certificate that appears to be issued by a trusted certificate authority (CA) and then uses it to intercept the communication between the client and server. The attacker can then observe or manipulate sensitive information, such as passwords and credit card numbers, unbeknownst to the client who believes it is communicating with a trusted server.
Certificate spoofing can be used to perform various types of attacks, such as phishing, eavesdropping, and data tampering.
Tools Used in Certificate Spoofing Attacks
Various types of tools can be used to carry out certificate spoofing attacks.
Man-in-the-Middle (MITM) proxy tools. These tools can be used to intercept and proxy a TLS session, allowing the attacker to insert their fake digital certificate into the communication. Examples of MitM proxy tools include web app security testing tools, web debugging proxy tools, network protocol analyzer tools and HTTPS stripper tools.
Packet sniffing tools. These tools can be used to capture and view the sensitive information being sent between a mobile app and a server. Network protocol analyzer tools, command line tools, password recovery tools, and network auditing and pen testing tools are example technologies that can be used.
Phishing kits. These are pre-made templates for fake login pages and other types of fake pages to trick users into entering their information, as well as scripts that can be used to steal sensitive information.
Malware. Some types of malware can be used to infect a system and manipulate network traffic to make it appear as though a fake certificate is valid. Trojan horses, rootkits and spyware are some malware categories that are used in certificate spoofing attacks.
When a mobile app establishes a connection with a server, it typically checks the server's certificate against a set of trusted certificate authorities (CA) to verify that it is a valid certificate.
Certificate pinning is a technique to prevent certificate spoofing-based MitM attacks. Certificate pinning establishes a trust relationship between a mobile app (a client) and a server where the mobile app is programmed to accept only a specific certificate or set of certificates for secure communication with the server. Here's how certificate pinning works in a mobile app.
The mobile app developer embeds the expected server certificate or set of certificates into the mobile app's code.
When the mobile app makes a request to the server, it checks the server's certificate against the embedded certificate(s).
If the server's certificate matches the embedded certificate(s), the mobile app establishes a secure connection with the server.
If the server's certificate does not match the expected certificate(s), the mobile app will reject the connection and alert the app user that the connection is not secure.
This way, even if an attacker intercepts the communication and presents a fake certificate, the mobile app will reject it because it does not match the expected certificate(s). By pinning a certificate, the mobile app developer can ensure that the mobile app is communicating with the correct server and that the communication is secure.
Certificate pinning has potential drawbacks. For example, it is difficult to change the certificate if it expires or is revoked because it is pinned within the mobile app. Solutions such as the Blue Cedar Platform make this a non-issue. The Blue Cedar Platform provides: