Understand the risks & impacts of insecure communication in mobile apps. Learn prevention tactics, attack scenarios, & best practices for iOS and Android.
M3: Insecure Communication is a common risk in mobile applications that exchange data in a client-server fashion. This page gives an overview of the threat agents, attack vectors, security weaknesses, and technical and business impacts associated with insecure communication. It also covers general best practices for preventing insecure communication, iOS- and Android-specific practices, and example attack scenarios that illustrate the risks.
To prevent insecure communication, assume that the network layer is not secure and apply SSL/TLS to every transport channel that carries sensitive information. Use strong, industry-standard cipher suites with certificates issued by a trusted CA. Avoid self-signed certificates and always require verification of the SSL certificate chain. Separately encrypting sensitive data before transmitting it over the SSL channel is also advised. Platform-specific best practices, such as ensuring certificate validity and implementing proper handshake negotiation, should be followed in iOS and Android applications.
Lack of certificate inspection: In this scenario, the mobile app fails to inspect the certificate offered by the server and unconditionally accepts any certificate. This makes the app vulnerable to man-in-the-middle attacks through a TLS proxy.
Weak handshake negotiation: In this scenario, the mobile app successfully negotiates a weak cipher suite during the handshake, resulting in weak encryption that can be easily decrypted by an adversary. This compromises the confidentiality of the communication channel.
Privacy information leakage: In this scenario, the mobile app transmits personally identifiable information via non-secure channels instead of over SSL. This exposes the privacy-related data to potential interception and compromise.
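The prevention guidance and the first two scenarios above reduce to a handful of client-side TLS settings: require chain and hostname verification, refuse old protocol versions, and refuse weak cipher suites. The following is an added example, not code from the page or from any mobile platform SDK; it uses Python's standard `ssl` module as a stand-in for the platform networking stack and audits a client context against those scenarios. The marker list and the two context builders are assumptions chosen for illustration.

```python
import ssl

# Substrings that identify cipher suites an adversary can break, or that offer
# no server authentication; modelled on the "weak handshake negotiation"
# scenario. Constructed list, not an exhaustive policy.
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXP", "MD5", "ADH", "AECDH")


def find_weak_ciphers(cipher_names):
    """Return, sorted, the cipher-suite names that match a weak marker."""
    return sorted(n for n in cipher_names
                  if any(m in n.upper() for m in WEAK_CIPHER_MARKERS))


def audit_tls_context(ctx):
    """Map a client SSLContext's settings to the M3 scenarios it would exhibit."""
    findings = []
    # Scenario 1: lack of certificate inspection (any certificate accepted,
    # so a TLS proxy in the path is not detected)
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("lack of certificate inspection: chain not verified")
    elif not ctx.check_hostname:
        findings.append("lack of certificate inspection: hostname not checked")
    # Scenario 2: weak handshake negotiation
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("weak handshake negotiation: TLS below 1.2 allowed")
    weak = find_weak_ciphers(c["name"] for c in ctx.get_ciphers())
    if weak:
        findings.append("weak handshake negotiation: weak ciphers " + ", ".join(weak))
    return findings


def insecure_client_context():
    """The misconfiguration the scenarios describe: trust anything, negotiate anything."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE     # accepts self-signed or proxy-issued certs
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def hardened_client_context():
    """Chain + hostname verification against the trusted CA store, TLS 1.2+, AEAD suites only."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED, check_hostname=True, system CAs
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    return ctx
```

Running `audit_tls_context` over each builder returns findings for the insecure context and an empty list for the hardened one; the same three checks apply to an iOS `NSURLSession` or Android network security configuration.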