Researchers at Skycure recently revealed that many iPhone apps are susceptible to HTTP request hijacking attacks....
Can you please explain how these attacks work and what we can do to keep mobile users safe?
New developers are entering the mobile app ecosystem every day. Unfortunately, these new developers may not understand how trivial it is to attack an HTTP connection or know anything about secure coding practices -- much less about secure software development lifecycles. As a matter of fact, even mobile developers from established enterprises are making these same mistakes in apps that most people might expect to be secure.
App security can be implemented in the app stores themselves by adding standards around secure software development practices and enforcing the use of secure cryptography. Many users erroneously assume the apps they download from an app store are protected. While the user might be prompted to allow or deny permissions to an app, they probably don't realize that allowing the permissions doesn't necessarily equate to a secure app.
In the case of HTTP request hijacking attacks on the iPhone app, hackers relied on classic man-in-the-middle (MitM) attack methods where HTTP was used. The attack monitored the connection between the mobile device and the server, and then sent an HTTP redirect to the mobile device to make it load content from a third-party website. The mobile user may not have even been able to detect that their connection was hijacked unless they had examined the source of the webpage or monitored the traffic.
To best secure mobile users against MitM attacks, it is critical to use HTTPS for all connections and use securely implemented cryptography. This includes all connections in the application so that any vulnerable connection can't be used to hijack the application.
Ask the Expert!
Have a question about enterprise threats? Send it via email today! (All questions are anonymous.)
Dig Deeper on Handheld and Mobile Device Security Best Practices
Related Q&A from Nick Lewis
IP devices like multifunction printers and faxes may be an attack vector. Expert Nick Lewis explains the vulnerabilities, and how to secure them ...continue reading
AceDeceiver is a Trojan that can install itself on iOS devices without any certificates. Expert Nick Lewis explains how it works, and how enterprises...continue reading
USB Thief, a new type of stealth malware, leaves no trace on air-gapped targets. Expert Nick Lewis explains how the malware works and how enterprises...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.