How to Prevent MitM Attacks Between Mobile Apps and APIs

An Approov Whitepaper

The massive deployment of mobile apps is presenting new attack surfaces to bad actors. The channel between apps and APIs is a rich target for hackers via Man-in-the-Middle (MitM) attacks. Transport Layer Security (TLS) alone is not sufficient to stop them, since tools installed on the device can intercept and read the encrypted communications.

This free white paper explains why MitM attacks are a particular issue for mobile apps, providing an in-depth analysis of the problem and of the techniques used by hackers. It discusses how certificate pinning can help thwart mobile MitM attacks and outlines the operational advantages of being able to set the pins dynamically rather than fixing them in the app at build time.

Download the white paper today to understand the steps you should take to enhance your security and protect your organization’s data and revenue from these types of exploits.


CriticalBlue (developer of Approov) will use the personal information you provide to send you the content requested and information about our services. You may unsubscribe from these communications at any time. For information on how to unsubscribe, as well as our privacy practices and commitment to protecting your privacy, check out our Privacy Policy.

Certificate Pinning

Whitepaper Contents

  • Introduction
  • Man in the Middle Attacks
  • TLS and Encrypted Traffic
  • The Chain of Trust
  • Breaking Trust - Trust Store Poisoning
  • Breaking Trust - CA Breach
  • The Benefits of Pinning
  • Public Key Pinning versus Certificate Pinning
  • Implementing Pinning
  • The Static Pinning Configurator
  • The Operational Risks of Pinning
  • The Bad News - Pinning Can Be Bypassed in the Client
  • Pinning Bypass by App Repackaging
  • Pinning Bypass Using a Hooking Framework
  • Certificate Transparency
  • Dynamic Pinning Provides Easy Administration and Elimination of Operational Risks
  • The Final Piece in the Puzzle - How to Block Client-Side MitM Attacks
  • Approov: Complete MitM Protection with Assured Service Continuity
  • Conclusion