How to Prevent MitM Attacks between Mobile Apps and APIs
The massive deployment of mobile apps presents new attack surfaces to bad actors. The channel between apps and APIs is a rich target for Man-in-the-Middle (MitM) attacks. This white paper explains why MitM attacks are a particular issue for mobile apps and why Transport Layer Security (TLS) alone is not sufficient to stop them. After an analysis of the problem we look at how certificate pinning can thwart mobile MitM attacks, the risks involved in setting pins statically within an app, the advantages of being able to set the pins dynamically, and the steps you should take to protect your organization's data and revenue from these exploits.
Mobile app usage continues to rise, leading to substantial revenue growth from mobile apps. Consumer-facing enterprises prioritize mobile apps as a primary touchpoint for customers, making trust in the platform crucial for brand reputation.
However, the widespread deployment of mobile apps and APIs introduces new security challenges, providing opportunities for malicious actors to access sensitive data and disrupt businesses. Mobile apps are downloaded to unmanaged devices, making them susceptible to manipulation by hackers using various tools.
One of the critical attack surfaces in the mobile ecosystem is the API channel between mobile apps and backend servers. Man-in-the-Middle (MitM) attacks on this channel pose a significant threat to mobile users. Intercepting and manipulating communications between devices and servers has become a common attack vector due to the exponential growth of mobile app usage.
This paper aims to address the issue and guide mobile-first enterprises in effectively combating MitM attacks to protect their users and businesses.
MitM attacks enable attackers to intercept and manipulate mobile device communications, potentially leading to the theft of sensitive information and login credentials, or to denial of service. TLS encrypts the channel, but it only authenticates the server through the certificate chain the device trusts: an attacker who can obtain a certificate the device accepts, whether by planting one in the trust store or by getting one mis-issued, can terminate the TLS session and read or modify the traffic in the clear.
Figure: A Man-in-the-Middle Attack
Image source: Approov.io
Breaking Trust - Trust Store Poisoning
Attackers use MitM proxy tools to install their own root certificate in the device's trust store; traffic routed through the proxy is then signed by a chain the device accepts and appears legitimate. Mobile platforms have added protections against this: since Android 7, apps by default trust only the system store and not user-installed certificates, and iOS requires a configuration profile to be installed and then explicitly marked as fully trusted, which makes it difficult for end users to install such certificates unknowingly.
Breaking Trust - CA Breach
A breach of a certificate authority or improper issuance of certificates can also break the trust chain. Attackers could obtain a valid certificate for a domain, allowing them to redirect requests to their servers while appearing authentic.
The Benefits of Pinning
Certificate pinning is an effective measure to protect against MitM attacks. By adding a pinned certificate inside the mobile app, communication is restricted only to servers with a valid certificate matching the pinned value. This ensures that unauthorized servers are blocked from establishing a connection.
Public Key Pinning Versus Certificate Pinning
In mobile app security there are two pinning approaches: certificate pinning and public key pinning.
Certificate pinning hashes the entire certificate, so the server must present that exact certificate; any renewal, even one that reuses the same key, changes the pin. Public key pinning (Subject Public Key Info, or SPKI, hashing) hashes only the public key together with its algorithm identifier, so the pin survives certificate renewals as long as the key pair is reused.
When pinning, you can pin to a certificate authority, an intermediate certificate, or the leaf certificate. Pinning to a certificate authority restricts connections to certificates issued by that authority, which survives leaf renewals but accepts any certificate the CA issues for your domain. Pinning to the leaf ensures that only your own key is accepted, but it breaks the app on every key change unless a backup pin is configured.
Google and Apple have made pinning configurable without code. Android 7.0 (API level 24) introduced the Network Security Configuration, where developers declare SHA-256 pins per domain in an XML file referenced from the app manifest; iOS 14 added NSPinnedDomains, where pins are declared under NSAppTransportSecurity in the app's Info.plist file.
Despite platform support, pinning configuration can be challenging, especially if you're not familiar with certificate management. To address this, Approov has developed a Pinning Generator Tool to simplify the process of generating and maintaining pinning configurations for Android and iOS.
The Operational Risks of Pinning
Static pinning can lead to disastrous incidents, as exemplified by the 2016 Barclays Bank UK case. The bank's mobile app pinned an obsolete intermediate certificate, causing transaction authentication failure and affecting hundreds of thousands of consumer payment transactions. This outage on Black Friday resulted in significant financial losses and damaged Barclays' reputation.
The principal operational risk of static pinning is that when the pins no longer match the real endpoint, the app stops working and can no longer talk to its servers. This risk deters some DevOps teams from implementing pinning at all. To recover, you must ship an app update carrying the new pins, which takes time, and not all users update promptly.
Avoid pinning domains you do not control, since their owners can change the certificate chain without warning. For auto-renewed certificates, reuse the same key pair on renewal so that an SPKI pin stays constant. Always include a backup pin for a spare key pair held offline, so that a rotation forced by a key compromise does not lock users out. Coordination between the mobile and backend teams is essential so that no certificate or key change reaches production before the app's pins can accept it.
Having a well-defined process is crucial for successful implementation and management of pinning.
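The script below is an added example and is not the Approov Pinning Generator Tool or any code from this paper. It ties together the two pin types described above, the Android Network Security Configuration mentioned under platform support, and the backup-pin advice in this section. It generates a throwaway private CA and an API key pair (the names "Example Private CA" and api.example.com are invented), issues the same key two certificates to simulate a renewal, shows that the certificate pins differ while the SPKI pins match, and then writes a network_security_config.xml carrying the live SPKI pin plus a backup pin computed from a second key pair that has no certificate yet. It needs only openssl and runs entirely offline.

```shell
#!/bin/sh
# Added example (not Approov's Pinning Generator Tool). Needs only openssl.
# Builds a throwaway CA and leaf key, issues two certificates for the same
# key (a "renewal"), compares certificate pins with SPKI pins, and writes an
# Android network_security_config.xml with a live pin plus a backup pin.
# All names are invented; nothing here touches the network.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Private CA standing in for the public CA that would sign a real API cert.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
  -subj "/CN=Example Private CA" -days 365 >/dev/null 2>&1

# Live API key pair and CSR (hypothetical host api.example.com).
openssl genrsa -out api.key 2048 2>/dev/null
openssl req -new -key api.key -subj "/CN=api.example.com" -out api.csr 2>/dev/null

# Backup key pair: generated now, kept offline, never issued until needed.
openssl genrsa -out backup.key 2048 2>/dev/null

# Issue a leaf certificate from the CSR: $1 = output file, $2 = serial.
issue() {
  openssl x509 -req -in api.csr -CA ca.pem -CAkey ca.key -set_serial "$2" \
    -days 90 -out "$1" 2>/dev/null
}
issue api-v1.pem 1001   # current certificate
issue api-v2.pem 1002   # renewal: same key, new serial and validity window

# Certificate pin: SHA-256 of the whole DER certificate, base64.
cert_pin() {
  openssl x509 -in "$1" -outform DER \
    | openssl dgst -sha256 -binary | openssl base64
}

# Public key pin: SHA-256 of the DER SubjectPublicKeyInfo, base64. This is
# the value Android's <pin digest="SHA-256"> element expects.
spki_pin() {
  openssl x509 -in "$1" -pubkey -noout | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 -binary | openssl base64
}

# The same SPKI pin computed straight from a private key, so a backup pin
# can be published before any certificate exists for that key.
key_spki_pin() {
  openssl pkey -in "$1" -pubout -outform DER \
    | openssl dgst -sha256 -binary | openssl base64
}

# Renewal with the same key pair: certificate pins differ, SPKI pins survive.
same_cert_pin() { [ "$(cert_pin api-v1.pem)" = "$(cert_pin api-v2.pem)" ]; }
same_spki_pin() { [ "$(spki_pin api-v1.pem)" = "$(spki_pin api-v2.pem)" ]; }

# Emit the Android Network Security Configuration for the pinned domain.
# The expiration attribute makes Android stop enforcing the pin set after
# that date (fail-open), a deliberate guard against a static-pinning outage.
write_nsc() {
  cat > "$1" <<EOF
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
  <domain-config>
    <domain includeSubdomains="false">api.example.com</domain>
    <pin-set expiration="2026-12-31">
      <pin digest="SHA-256">$(spki_pin api-v1.pem)</pin>
      <pin digest="SHA-256">$(key_spki_pin backup.key)</pin>
    </pin-set>
  </domain-config>
</network-security-config>
EOF
}

write_nsc network_security_config.xml

echo "cert pin v1:  $(cert_pin api-v1.pem)"
echo "cert pin v2:  $(cert_pin api-v2.pem)"
echo "spki pin v1:  $(spki_pin api-v1.pem)"
echo "spki pin v2:  $(spki_pin api-v2.pem)"
same_spki_pin && echo "SPKI pin unchanged across renewal"
same_cert_pin || echo "certificate pin changed across renewal"
cat network_security_config.xml
```

The same base64 SHA-256 SPKI value is what an iOS 14 NSPinnedDomains entry takes under its SPKI-SHA256-BASE64 key, so one computation serves both platforms. Two caveats: the expiration attribute limits the kind of outage described above, but an expired pin set silently protects nothing, so the date must be tracked like a certificate expiry; and the backup key is only a backup while it stays offline and unissued, so once it is promoted to the live key a fresh backup pin has to be generated and shipped.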
The Bad News - Pinning can be Bypassed in the Client
Although pinning is effective against MitM attacks where the attacker doesn't control the end device, it can be bypassed if the attacker gains control of the client. Bypassing can occur through app repackaging or by using hooking frameworks like Frida to modify app behavior at runtime.
Certificate Transparency, though little used in mobile apps so far, is an emerging complement: certificate authorities log the certificates they issue publicly, so the app owner can monitor the logs for certificates issued for their domains that they never requested and respond, for example by having them revoked.
Dynamic Pinning Provides Easy Administration and Elimination of Operational Risks
Dynamic pinning, achieved through Approov's solution, eliminates the operational burden of static pinning. It allows the pins to be updated on the server side without requiring app updates. Additionally, dynamic pinning combined with app and client attestation helps prevent MitM attacks on the mobile channel.
The Final Piece in the Puzzle - How to Block Client-side MitM Attacks
To block client-side MitM attacks completely, a solution with app and client attestation can be deployed. This approach verifies app integrity and detects any hooking activity intended to change app behavior in real-time.
MitM attacks are a significant concern for mobile apps because malicious actors can manipulate both the application and the client environment. Transport Layer Security (TLS) provides some protection, but it is not enough on its own to prevent these attacks. Certificate pinning reduces the attack surface, but static pinning poses operational challenges.
However, there are effective ways to completely prevent MitM attacks while ensuring service continuity. Firstly, static certificate pinning enhances security against in-channel MitM attacks, with tools like the Free Pinning Generator Tool simplifying implementation. Yet, managing static pins requires careful attention to certificate changes and potential operational risks.
A solution for dynamic pinning can eliminate operational burdens, automating the process and reducing errors. This removes risks and delays associated with updating apps when certificates change.
Lastly, deploying a solution that validates both the app and client environment, combined with dynamic pinning, eradicates the risk of MitM attacks in the mobile channel.
These proven approaches have been adopted by security-conscious mobile app developers and, with wider adoption, can fully eliminate the threat of MitM attacks on mobile apps.