Researchers at Skycure recently revealed that many iPhone apps are susceptible to HTTP request hijacking attacks....
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
Can you please explain how these attacks work and what we can do to keep mobile users safe?
New developers are entering the mobile app ecosystem every day. Unfortunately, these new developers may not understand how trivial it is to attack an HTTP connection or know anything about secure coding practices -- much less about secure software development lifecycles. As a matter of fact, even mobile developers from established enterprises are making these same mistakes in apps that most people might expect to be secure.
App security can be implemented in the app stores themselves by adding standards around secure software development practices and enforcing the use of secure cryptography. Many users erroneously assume the apps they download from an app store are protected. While the user might be prompted to allow or deny permissions to an app, they probably don't realize that allowing the permissions doesn't necessarily equate to a secure app.
In the case of HTTP request hijacking attacks on the iPhone app, hackers relied on classic man-in-the-middle (MitM) attack methods where HTTP was used. The attack monitored the connection between the mobile device and the server, and then sent an HTTP redirect to the mobile device to make it load content from a third-party website. The mobile user may not have even been able to detect that their connection was hijacked unless they had examined the source of the webpage or monitored the traffic.
To best secure mobile users against MitM attacks, it is critical to use HTTPS for all connections and use securely implemented cryptography. This includes all connections in the application so that any vulnerable connection can't be used to hijack the application.
Ask the Expert!
Have a question about enterprise threats? Send it via email today! (All questions are anonymous.)
Dig Deeper on Handheld and Mobile Device Security Best Practices
Related Q&A from Nick Lewis
The new Trochilus RAT can avoid detection in cyberespionage attacks. Expert Nick Lewis explains how it works, and if enterprises need to adapt their ...continue reading
The Asacub Trojan has new banking malware features. Expert Nick Lewis explains how it made this transition and what enterprises should be watching ...continue reading
BlackEnergy malware may have been part of the attacks on Ukrainian utility and media companies. Expert Nick Lewis explains how this malware works and...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.