Man-in-the-middle attacks are a common threat to mobile devices that connect to public Wi-Fi hotspots. Mobile devices are frequently vulnerable to this type of attack when their apps are not written with security in mind. When a man-in-the-middle attack succeeds, the chink in the mobile device's armor is often insufficient transport layer protection.
According to Jack Mannino, one of the most common reasons enterprise mobile applications are more likely than traditional Web applications to have insufficient transport layer protection is the way they handle security certificates. Web browsers are very good at alerting users to potentially dangerous data sources by pointing out inconsistencies in security certificates. Mannino pointed out two ways that security certificate controls get bypassed in mobile applications, and both come down to carelessness on the part of mobile application developers.
One source of insufficient transport layer protection is the way mobile applications often handle data differently depending on how the device is connected to the internet. An app may use more bandwidth and assume a more stable connection when the device is on Wi-Fi than when it relies on a cellular connection. Inside the application, that means the code that verifies security certificates has to be implemented twice -- once for the cellular path and once for the Wi-Fi path. Mobile application developers may implement certificate validation only once and can easily miss the fact that the other connection has been left unprotected, according to Mannino.
The other possibility is that mobile application developers, working to turn the project over quickly, disable security certificate verification while they test the specific features of the update they're working on. Turning off certificate verification can simplify and speed up testing of specific features and is safe in the testing environment. However, developers can lose themselves in the intricacies of the current project and forget to turn that verification back on before release.
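Both failure modes described above (validation implemented on only one network path, and a testing switch that disables it and is never turned back on) can be caught with a simple audit of the TLS configuration before release. The following is an added example, not code from the article or from any product it mentions; it uses Python's standard `ssl` module as a stand-in for a mobile app's HTTP stack, and the function names, the per-connection-type context table and the "wifi"/"cellular" labels are constructed for illustration.

```python
import ssl

# Constructed example: an app builds one TLS configuration per network type,
# mirroring the two code paths described in the article. The `verify` switch
# models the "disable certificate checking while testing" shortcut.
def make_context(verify: bool) -> ssl.SSLContext:
    ctx = ssl.create_default_context()  # CERT_REQUIRED + hostname check by default
    if not verify:
        # Order matters: check_hostname must be cleared before verify_mode
        # can be set to CERT_NONE, or the ssl module raises ValueError.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


# The "forgotten path": Wi-Fi validates certificates, cellular never did.
# (Hypothetical table; not from the article.)
SHIPPED_CONTEXTS = {
    "wifi": make_context(verify=True),
    "cellular": make_context(verify=False),
}


def audit_context(name: str, ctx: ssl.SSLContext) -> list:
    """Return one finding per weakened setting; empty list means the path is sound."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append(
            f"{name}: verify_mode is {ctx.verify_mode.name}, expected CERT_REQUIRED"
        )
    if not ctx.check_hostname:
        findings.append(f"{name}: check_hostname is disabled")
    return findings


def audit_all(contexts: dict) -> list:
    """Audit every network path, so a single validating path cannot hide a broken one."""
    findings = []
    for name, ctx in contexts.items():
        findings.extend(audit_context(name, ctx))
    return findings


def hardened_contexts() -> dict:
    """The fix: build the validating context once and share it across both paths,
    so there is no second copy of the validation logic to forget or switch off."""
    shared = ssl.create_default_context()
    return {"wifi": shared, "cellular": shared}


if __name__ == "__main__":
    for line in audit_all(SHIPPED_CONTEXTS):
        print("FINDING:", line)
    print("hardened findings:", audit_all(hardened_contexts()))
```

Wiring `audit_all` into a release check (a unit test or a CI gate that fails on any finding) turns the article's two oversights into a build failure rather than a field vulnerability; sharing one validating context across connection types removes the duplicated code that invited the first oversight in the first place.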
"The quickest way to test this is to utilize a proxy interception tool, such as Portswigger's Burp Suite or OWASP's ZAP, to establish a man-in-the-middle interception of all traffic between the mobile application and the mobile service," Tony DeLaGrange said. By creating a controlled man-in-the-middle scenario, mobile application testers can really dig into the potential dangers posed by malicious attacks in the real world. This approach can quickly identify applications that are not properly encrypting outgoing data, according to DeLaGrange.