
M5: Insecure Communication

Learn how to prevent insecure communication through SSL/TLS, strong cipher suites, and certificate validation. Explore example attack scenarios and best practices.

Overview

This article explains the concept of insecure communication, its impact on security, and how to prevent it. It also provides example attack scenarios to highlight the vulnerabilities associated with insecure communication.


Description

Insecure communication is a security vulnerability that occurs when data is transmitted over an unsecured channel, making it susceptible to interception and modification by threat agents. It can lead to sensitive data leakage, session hijacking, and other malicious activities. To prevent insecure communication, it is crucial to implement SSL/TLS protocols, use strong cipher suites, validate certificates, and encrypt sensitive data. This article provides detailed best practices for preventing insecure communication and highlights the importance of performing security assessments to identify vulnerabilities. It also includes example attack scenarios to illustrate the potential risks associated with insecure communication.


How to Prevent?

To prevent insecure communication, follow these best practices:

1. Assume that the network layer is not secure and is susceptible to eavesdropping.
2. Apply SSL/TLS to transport channels used for data transmission.
3. Use strong, industry-standard cipher suites with appropriate key lengths.
4. Use certificates signed by trusted CA providers and avoid accepting bad certificates.
5. Consider implementing certificate pinning for added security.
6. Always require SSL chain verification and alert users if invalid certificates are detected.
7. Avoid sending sensitive data over alternate channels like SMS or notifications.
8. Encrypt sensitive data before transmitting it over SSL/TLS.
9. Avoid overriding SSL verification methods and use trusted certificates.
10. Analyze application traffic to identify any plaintext channels.
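The following Python example is added here to show what steps 2 through 6 and 10 look like in client code; it is not code from the original article or from any particular product. It uses only the standard library, and the certificate bytes, pin set and URL list are constructed demo data, not real identifiers. `insecure_context()` is the "accept any certificate" configuration behind the first attack scenario below; `hardened_context()` is its corrected form (chain and hostname verification, TLS 1.2 or newer, forward-secret AEAD suites only); `connect_pinned()` adds the leaf-certificate pin check from step 5, and `plaintext_endpoints()` is the step 10 review applied to a list of endpoints an app talks to.

```python
"""Hardened TLS client settings, certificate pinning and a plaintext-channel check.

Added example, not code from the original article. Standard library only.
The certificate bytes, pins and URL list below are constructed for the demo.
"""
import base64
import hashlib
import socket
import ssl
from typing import Iterable, List, Optional, Set
from urllib.parse import urlparse

# OpenSSL cipher string: forward-secret AEAD suites only, with the weak families
# a downgraded handshake could otherwise land on excluded explicitly (step 3).
STRONG_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES:!DES"

# Substrings that identify a suite as weak when reviewing what a context allows.
WEAK_MARKERS = ("RC4", "DES", "NULL", "MD5", "EXPORT")


def insecure_context() -> ssl.SSLContext:
    """The 'lack of certificate inspection' configuration: any certificate is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # hostname mismatches ignored
    ctx.verify_mode = ssl.CERT_NONE  # chain never verified (step 9 violated)
    return ctx


def hardened_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Chain and hostname verification, TLS 1.2+ and strong suites only (steps 2-4, 6)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.set_ciphers(STRONG_CIPHERS)
    if cafile:
        ctx.load_verify_locations(cafile=cafile)  # explicit trusted CA bundle
    else:
        ctx.load_default_certs()                  # platform trust store
    return ctx


def weak_ciphers_enabled(ctx: ssl.SSLContext) -> List[str]:
    """Names of enabled suites that carry a weak-algorithm marker."""
    return [c["name"] for c in ctx.get_ciphers()
            if any(m in c["name"] for m in WEAK_MARKERS)]


def context_summary(ctx: ssl.SSLContext) -> dict:
    """Plain-value view of the settings that matter for a review of a client."""
    return {
        "verify_required": ctx.verify_mode == ssl.CERT_REQUIRED,
        "check_hostname": ctx.check_hostname,
        "tls12_or_newer": ctx.minimum_version >= ssl.TLSVersion.TLSv1_2,
        "weak_suites": weak_ciphers_enabled(ctx),
    }


def cert_pin(cert_der: bytes) -> str:
    """SHA-256 pin of a DER-encoded leaf certificate in 'sha256/<base64>' form."""
    digest = hashlib.sha256(cert_der).digest()
    return "sha256/" + base64.b64encode(digest).decode("ascii")


def pin_matches(cert_der: bytes, expected_pins: Set[str]) -> bool:
    """True only if the presented certificate is one of the pinned ones (step 5)."""
    return cert_pin(cert_der) in expected_pins


def connect_pinned(host: str, port: int, expected_pins: Set[str],
                   ctx: Optional[ssl.SSLContext] = None) -> ssl.SSLSocket:
    """Open a verified TLS connection and additionally enforce the pin set.

    Chain and hostname verification happen inside wrap_socket(); the pin check
    runs after the handshake, and the socket is closed on a mismatch so no
    application data is ever sent to an unpinned peer.
    """
    ctx = ctx or hardened_context()
    raw = socket.create_connection((host, port), timeout=10)
    ssock = ctx.wrap_socket(raw, server_hostname=host)
    leaf = ssock.getpeercert(binary_form=True)
    if not pin_matches(leaf, expected_pins):
        ssock.close()
        raise ssl.SSLError(f"certificate pin mismatch for {host}: {cert_pin(leaf)}")
    return ssock


PLAINTEXT_SCHEMES = {"http", "ws", "ftp"}


def plaintext_endpoints(urls: Iterable[str]) -> List[str]:
    """Endpoints reached over an unencrypted channel (the step 10 traffic review)."""
    return [u for u in urls if urlparse(u).scheme.lower() in PLAINTEXT_SCHEMES]


# --- constructed demo data (not real certificates or hosts) -----------------
DEMO_LEAF_DER = b"constructed-placeholder-not-a-real-certificate"
DEMO_PINS = {cert_pin(DEMO_LEAF_DER)}
DEMO_URLS = [
    "https://api.example.invalid/login",
    "http://telemetry.example.invalid/collect",  # plaintext
    "ws://chat.example.invalid/socket",          # plaintext
    "wss://chat.example.invalid/socket",
]

if __name__ == "__main__":
    print("hardened:", context_summary(hardened_context()))
    print("insecure:", context_summary(insecure_context()))
    print("pin ok:", pin_matches(DEMO_LEAF_DER, DEMO_PINS))
    print("pin rejected:", pin_matches(b"some other certificate", DEMO_PINS))
    print("plaintext:", plaintext_endpoints(DEMO_URLS))
```

The pin is computed over the whole leaf certificate as returned by `getpeercert(binary_form=True)`, which needs no ASN.1 parser; pinning the SubjectPublicKeyInfo instead survives certificate renewal with the same key, and the pin set should always contain a backup pin so a rotation cannot brick the app.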


Example Attack Scenarios:

  • Lack of certificate inspection: The mobile app fails to inspect the certificate offered by the server and unconditionally accepts any certificate, making it vulnerable to man-in-the-middle attacks.

  • Weak handshake negotiation: The mobile app negotiates a weak cipher suite, resulting in weak encryption that can be easily decrypted by adversaries, compromising the confidentiality of the communication.

  • Privacy information leakage: The mobile app transmits personally identifiable information via non-secure channels, exposing it to interception and jeopardizing the confidentiality of the data.

  • Credential information leakage: The mobile app transmits user credentials via non-secure channels, allowing adversaries to intercept and obtain the credentials in cleartext.

  • Two-factor authentication bypass: The mobile app receives a session identifier via non-secure channels, enabling adversaries to bypass two-factor authentication by using the intercepted session identifier.
