
Three Actions You Should Take Right Now to Stop Mobile MitM Attacks


Man-in-the-middle (MitM) attacks occur when an attacker positions themselves between a mobile app and the API it talks to, intercepting or manipulating the traffic to gain access to sensitive information. From the intercepted messages an attacker can extract login details, API keys and other credentials; they can also modify requests and responses in transit, capture sensitive commercial or personal data, or use what they learn about the API to launch a denial of service attack against the service behind the app.

Figure: Man-in-the-Middle Attack Diagram (Source: approov.io)

A Very Brief Reminder of How TLS and Certificate Pinning Work

TLS is now widely used to encrypt the channels mobile apps use to communicate with their back-end APIs. TLS lets the two parties authenticate each other and set up an encrypted session using Public Key Infrastructure (PKI): the server presents a certificate issued by a Certificate Authority (CA), and the app checks that the certificate chains up to a CA it trusts and that it was issued for the host name being contacted. The list of trusted CA certificates (the trust store) is held by the device, not by the app.

Unfortunately, if an attacker can add to or modify the device's trust store, either directly or via a device vulnerability, or can fraudulently obtain a certificate for the target domain from a CA the device already trusts, then a MitM attack is still possible: the attacker's certificate passes every check the device makes. And in mobile this threat is real, because attackers routinely have physical or root access to the devices running the app.

Certificate pinning replaces dependence on the device's trust store with a limited set of certificates (or, more commonly, public keys) known and trusted by the app itself; a connection is accepted only if one of those pins appears in the chain the server presents. This approach is recommended by OWASP for protecting communication from mobile apps to back-end servers. However, if the pins are shipped inside the app, then any change to the permitted pins has to be distributed via a new version of the app, and users who do not update are cut off. This approach is known as static pinning.
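
To make the pin check concrete, here is an added example (not code from this post or from Approov) in Go, whose standard library has the same building blocks a mobile TLS stack uses. It pins the SHA-256 hash of the server's SubjectPublicKeyInfo, the "sha256/..." format used by OkHttp and HPKP, and plugs the check into Go's tls.Config, which runs it after normal PKI validation. The certificates are generated inside the example; the host name api.example.com, the PinSet type and the function names are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// SPKIPin computes the pin for one certificate: "sha256/" + base64(SHA-256(SubjectPublicKeyInfo)).
// Pinning the key rather than the whole certificate lets the server renew its certificate
// with the same key pair without invalidating the pin.
func SPKIPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return "sha256/" + base64.StdEncoding.EncodeToString(sum[:])
}

// PinSet holds the pins the app trusts for a host. The chain the server presents must
// contain at least one certificate (leaf, intermediate or root) whose pin is in the set.
type PinSet map[string]bool

// ErrNoPinMatch is returned when nothing in the presented chain matches the pin set.
var ErrNoPinMatch = errors.New("certificate pinning: no certificate in chain matches the pin set")

// VerifyChainPins returns a callback shaped for tls.Config.VerifyPeerCertificate. Go runs it
// after chain and host name validation, so pinning narrows trust on top of PKI rather than
// replacing it: a certificate from a rogue CA installed on the device still fails here.
func VerifyChainPins(pins PinSet) func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		for _, raw := range rawCerts {
			cert, err := x509.ParseCertificate(raw)
			if err != nil {
				return fmt.Errorf("certificate pinning: cannot parse certificate: %w", err)
			}
			if pins[SPKIPin(cert)] {
				return nil
			}
		}
		return ErrNoPinMatch
	}
}

// newSelfSignedCert generates a fresh key pair and self-signed certificate for host
// (constructed test data; a real app pins the keys its API servers actually use).
func newSelfSignedCert(host string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Demo pins the genuine API certificate, then checks both the genuine chain and the chain
// an interception proxy would present: same host name, different key.
func Demo() (genuineAccepted, proxyRejected bool, err error) {
	genuine, err := newSelfSignedCert("api.example.com")
	if err != nil {
		return false, false, err
	}
	verify := VerifyChainPins(PinSet{SPKIPin(genuine): true})
	// A proxy such as Charles, Proxyman or mitmproxy mints its own certificate for
	// api.example.com, signed by the CA it had the user install on the device.
	proxy, err := newSelfSignedCert("api.example.com")
	if err != nil {
		return false, false, err
	}
	genuineAccepted = verify([][]byte{genuine.Raw}, nil) == nil
	proxyRejected = errors.Is(verify([][]byte{proxy.Raw}, nil), ErrNoPinMatch)
	return genuineAccepted, proxyRejected, nil
}

func main() {
	ok, rejected, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine chain accepted: %v, proxy chain rejected: %v\n", ok, rejected)
	// Wiring into a client: the callback sits in tls.Config next to the normal validation.
	cfg := &tls.Config{ServerName: "api.example.com", VerifyPeerCertificate: VerifyChainPins(PinSet{})}
	fmt.Println("pinning callback installed:", cfg.VerifyPeerCertificate != nil)
}
```

Note that the proxy's certificate would pass the device's own PKI checks once its CA is in the trust store; only the pin comparison tells the two chains apart. The same callback also rejects an empty chain, so a server that presents nothing cannot slip past.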

Dynamic pinning improves on this by building a secure pin update mechanism into the app so that pins can be updated immediately across the whole installed base when the certificates used by the APIs change. This removes the main risk to service continuity when certificates and pins change, which does unfortunately happen, provided the update mechanism is itself authenticated so that an attacker cannot use it to push pins of their own.

Figure: Approov Dynamic Certificate Pinning (Source: approov.io)

Mobile apps, by their very nature, present some specific risks. The answer is to implement certificate pinning, but to do it in a way that takes account of the mobile environment.

The Risks of Man-in-the-Middle Attacks to Mobile Apps

The risks are many. Often attackers play a long game, using information extracted from back-end traffic to prepare other, more sophisticated attacks.

Here are some specific examples of how MitM attacks are used by bad actors:

  • Stealing Secrets: API keys are stolen, and request logic is captured and replayed to attack APIs directly.
  • Identity Theft and Credential Harvesting: Login details for various services are captured and used for further attacks, even as the initial foothold for ransomware.
  • Bypassing MFA: MitM attacks have been used to game MFA checks or to steal session cookies for reuse.
  • Financial Fraud: Access to banking app data or credit card information can lead to financial theft.
  • Corporate Espionage: Sensitive business information can be stolen; even big companies have been accused of doing this.
  • Data Manipulation: Attackers can modify communications in transit, potentially causing financial or reputational damage.
  • Remote Device Control: In severe cases, attackers can gain control over mobile devices, manipulating calls, texts and emails without the user's knowledge.

New Tools and New Threats

Charles Proxy, Proxyman and mitmproxy are all examples of powerful tools that can be used for debugging and analyzing the network traffic of mobile apps and devices.

All of these tools can set breakpoints to pause a request or response, and all have scripting hooks to edit traffic on the fly. This is useful for testing different scenarios without changing app code. They also offer functionality that supports performance testing.

In fact these types of tools are invaluable for development and testing: they are used during development to debug app/API logic, during penetration testing to find security vulnerabilities, and to verify that the API requests an app sends are well formed.

But the downside, of course, is that in the hands of an attacker the same tools are used to carry out MitM attacks on your running app. You can download Proxyman from the App Store, install its root certificate into the device's trust store, and start intercepting the HTTPS traffic of any app you like, at your leisure.

The fact is that it has never been easier to carry out MitM attacks on mobile apps. The good news is that there are three things you can do to counter this threat.

Three Things to Do Right Now to Stop MitM Attacks

  1. Implement Dynamic Pinning: We described the difference between static and dynamic pinning earlier. Implement dynamic pinning on every communication channel your app uses, including (especially) those to third-party APIs. Manage the certificates and pins independently of your app releases. Make sure the way the apps acquire and use pins is secure (pin updates must be authenticated, so that the update channel cannot itself be used to install an attacker's pins), and that mechanisms are available to update them immediately across all your apps when they need to change.
  2. Block MitM Tools from Accessing Running Apps: MitM attacks involving client-side manipulation are very hard to detect at the back end. It is often impossible to distinguish traffic relayed through a proxy from traffic coming directly from your app, especially if the MitM is carried out by modifying the app, or hooking it with an instrumentation framework such as Frida, so that the pin check is skipped. The most robust defence against pinning bypass on the client is a solution that implements app and device attestation. Device attestation at run time detects hostile conditions in the client environment, such as an instrumentation framework, a user-installed CA certificate or a system proxy configured for an interception tool like Proxyman, so that requests from that device can be flagged and blocked. App attestation verifies the integrity of the app itself and prevents a modified or spoofed app from obtaining valid pins or tokens.
  3. Be Ready to Update Pins: As part of your contingency planning, establish procedures for immediately updating pins and certificates across your installed base of apps when issues occur. Make sure the team knows what to do and has rehearsed it, and that the dynamic pinning solution you use makes this easy and seamless.
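
Steps 1 and 3 rest on one design decision: the pin update channel must be trusted less than the pins it delivers. The following added example (not Approov's implementation, which this post does not show) sketches one way to do that in Go. The app ships with an Ed25519 verification key that is unrelated to any TLS certificate, and it installs a pin set only if the set is signed by that key, is newer than the one in force, and does not leave any host without pins. The PinPayload/PinConfig format, the version rule and the placeholder pin strings are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// PinPayload is the signed part of a pin update: a monotonically increasing version and,
// per host, the accepted SPKI pins ("sha256/<base64>" as consumed by the TLS pin check).
type PinPayload struct {
	Version int                 `json:"version"`
	Pins    map[string][]string `json:"pins"`
}

// PinConfig is the wire document the app fetches from the pin service.
type PinConfig struct {
	Payload   PinPayload `json:"payload"`
	Signature []byte     `json:"sig"`
}

// PinStore is the app-side state: the update verification key (baked into the app and
// deliberately unrelated to any TLS certificate) plus the pins currently in force.
type PinStore struct {
	updateKey ed25519.PublicKey
	current   PinPayload
}

var (
	ErrBadSignature = errors.New("pin update: signature does not verify")
	ErrStaleVersion = errors.New("pin update: version is not newer than the installed one")
	ErrEmptyPins    = errors.New("pin update: host with an empty pin list would disable pinning")
)

// canonical serialises the payload for signing. encoding/json emits struct fields in
// declaration order and map keys sorted, so signer and verifier produce identical bytes.
func canonical(p PinPayload) ([]byte, error) { return json.Marshal(p) }

// SignPinConfig runs on the pin service, which holds the private update key.
func SignPinConfig(priv ed25519.PrivateKey, p PinPayload) (PinConfig, error) {
	msg, err := canonical(p)
	if err != nil {
		return PinConfig{}, err
	}
	return PinConfig{Payload: p, Signature: ed25519.Sign(priv, msg)}, nil
}

// DecodePinConfig parses the document as received over the network.
func DecodePinConfig(data []byte) (PinConfig, error) {
	var c PinConfig
	err := json.Unmarshal(data, &c)
	return c, err
}

// Apply installs an update only if it is authentic, newer than what is in force, and does
// not silently switch pinning off for any host. The TLS connection it arrived over is not
// trusted for this decision: it may be the very connection under attack.
func (s *PinStore) Apply(c PinConfig) error {
	msg, err := canonical(c.Payload)
	if err != nil {
		return err
	}
	if !ed25519.Verify(s.updateKey, msg, c.Signature) {
		return ErrBadSignature
	}
	if c.Payload.Version <= s.current.Version {
		return ErrStaleVersion
	}
	for host, pins := range c.Payload.Pins {
		if len(pins) == 0 {
			return fmt.Errorf("%w: %s", ErrEmptyPins, host)
		}
	}
	s.current = c.Payload
	return nil
}

// PinsFor returns the pins currently in force for host.
func (s *PinStore) PinsFor(host string) []string { return s.current.Pins[host] }

// Demo walks through a key rotation and three bad updates. The pin values are constructed
// placeholders standing in for real "sha256/<base64>" SPKI hashes.
func Demo() (rotated, replayRejected, tamperRejected, wipeRejected bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	shipped := PinPayload{Version: 1, Pins: map[string][]string{"api.example.com": {"sha256/CURRENT-KEY"}}}
	store := &PinStore{updateKey: pub, current: shipped}
	v1, err := SignPinConfig(priv, shipped)
	if err != nil {
		return
	}
	// Rotation: version 2 lists the current key and its successor, so the server can switch
	// certificates at any time without cutting off apps that have not refreshed yet.
	v2, err := SignPinConfig(priv, PinPayload{Version: 2,
		Pins: map[string][]string{"api.example.com": {"sha256/CURRENT-KEY", "sha256/NEXT-KEY"}}})
	if err != nil {
		return
	}
	wire, err := json.Marshal(v2)
	if err != nil {
		return
	}
	received, err := DecodePinConfig(wire)
	if err != nil {
		return
	}
	rotated = store.Apply(received) == nil && len(store.PinsFor("api.example.com")) == 2
	// Attack 1: an on-path attacker replays the old, validly signed version 1 document.
	replayRejected = errors.Is(store.Apply(v1), ErrStaleVersion)
	// Attack 2: the attacker rewrites the payload to carry their proxy's pin but cannot re-sign it.
	tampered := v2
	tampered.Payload = PinPayload{Version: 3, Pins: map[string][]string{"api.example.com": {"sha256/PROXY-KEY"}}}
	tamperRejected = errors.Is(store.Apply(tampered), ErrBadSignature)
	// Attack 3 (or an operator mistake): a correctly signed document with no pins for the host.
	v3, err := SignPinConfig(priv, PinPayload{Version: 3, Pins: map[string][]string{"api.example.com": {}}})
	if err != nil {
		return
	}
	wipeRejected = errors.Is(store.Apply(v3), ErrEmptyPins)
	return
}

func main() {
	rotated, replay, tamper, wipe, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("rotated=%v replayRejected=%v tamperRejected=%v wipeRejected=%v\n", rotated, replay, tamper, wipe)
}
```

The rotation step is the operational part of step 3: publish the successor pin alongside the current one before the server's certificate changes, let the installed base pick it up, then switch. The private update key should live in an HSM or equivalent and never on the API servers whose certificates it vouches for, otherwise a compromise of one server also hands the attacker the pins.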

Further Reading

We have written extensively about the risks of MitM attacks in the mobile environment. You can go to the Approov blog and select the topic “MitM attack” if you want to see all of our blogs that discuss this topic, but here are some of the highlights:

There is a blog that describes how to carry out a MitM attack on the ChatGPT app. Another describes how to carry out a MitM attack on Android, and another maps out how to bypass certificate pinning on Android using Frida. Finally, here is a detailed description of how Approov dynamic pinning works.

If you really want to dig deeply into the MitM issue and how to address it, we have an 18-page whitepaper with everything you need to know about MitM attacks in mobile.

Finally, we offer a very popular, free static pinning tool which helps you create pinned connections for any website. Of course, static pinning has the downsides we already mentioned, so this should be seen as a first step before implementing a dynamic pinning solution in your environment.

Conclusion

That's it: if you do these three things you will close off the practical routes for MitM attacks against your apps, and keep your DevOps team happy at the same time!

Deploying Approov takes care of the three steps we laid out, providing robust protection against run-time MitM attacks, as well as keeping your apps and APIs safe from a variety of other threats. With this solution in place, you can be confident that MitM is no longer a practical risk to your mobile apps.

Approov are experts on app and API security. We would be happy to set up a call to see if we can help you quickly and effectively improve your mobile app security.

 

George McGregor

- VP Marketing, Approov
George is based in the Bay Area and has an extensive background in cyber-security, cloud services and communications software. Before joining Approov he held leadership positions in Imperva, Citrix, Juniper Networks and HP.