Researchers at Skycure recently revealed that many iPhone apps are susceptible to HTTP request hijacking attacks....
Can you please explain how these attacks work and what we can do to keep mobile users safe?
New developers are entering the mobile app ecosystem every day. Unfortunately, these new developers may not understand how trivial it is to attack an HTTP connection or know anything about secure coding practices -- much less about secure software development lifecycles. As a matter of fact, even mobile developers from established enterprises are making these same mistakes in apps that most people might expect to be secure.
App security can be implemented in the app stores themselves by adding standards around secure software development practices and enforcing the use of secure cryptography. Many users erroneously assume the apps they download from an app store are protected. While the user might be prompted to allow or deny permissions to an app, they probably don't realize that allowing the permissions doesn't necessarily equate to a secure app.
In the case of HTTP request hijacking attacks on the iPhone app, hackers relied on classic man-in-the-middle (MitM) attack methods where HTTP was used. The attack monitored the connection between the mobile device and the server, and then sent an HTTP redirect to the mobile device to make it load content from a third-party website. The mobile user may not have even been able to detect that their connection was hijacked unless they had examined the source of the webpage or monitored the traffic.
To best secure mobile users against MitM attacks, it is critical to use HTTPS for all connections and use securely implemented cryptography. This includes all connections in the application so that any vulnerable connection can't be used to hijack the application.
Ask the Expert!
Have a question about enterprise threats? Send it via email today! (All questions are anonymous.)
Dig Deeper on Handheld and Mobile Device Security Best Practices
Related Q&A from Nick Lewis
MedSec and Muddy Waters Capital revealed serious flaws in IoT medical devices manufactured by St. Jude Medical. Expert Nick Lewis explains the ...continue reading
RIPPER malware has been found responsible for the theft of $378,000 from ATMs in Thailand. Expert Nick Lewis explains how this ATM malware works.continue reading
Researchers found that facial recognition systems can be bypassed with 3D models. Expert Nick Lewis explains how these spoofing attacks work and what...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.