Researchers at Skycure recently revealed that many iPhone apps are susceptible to HTTP request hijacking attacks....
Can you please explain how these attacks work and what we can do to keep mobile users safe?
New developers are entering the mobile app ecosystem every day. Unfortunately, these new developers may not understand how trivial it is to attack an HTTP connection or know anything about secure coding practices -- much less about secure software development lifecycles. As a matter of fact, even mobile developers from established enterprises are making these same mistakes in apps that most people might expect to be secure.
App security could also be enforced by the app stores themselves, by adding standards for secure software development practices and requiring the use of properly implemented cryptography. Many users erroneously assume the apps they download from an app store have been vetted for security. While the user might be prompted to allow or deny permissions to an app, granting those permissions says nothing about whether the app itself handles its network traffic or data securely.
In the HTTP request hijacking attacks Skycure described, the attacker relied on a classic man-in-the-middle (MitM) position on a connection the app made over plaintext HTTP, for example on an untrusted Wi-Fi network. From that position the attacker intercepted the app's request to its server and answered it with an HTTP 301 Moved Permanently redirect pointing at an attacker-controlled server, so the app loaded its content from that third-party site instead. Because the iOS networking layer cached the permanent redirect, the app kept sending that request to the attacker's server even after the user had left the hostile network; the hijacking persisted without the attacker needing to stay on the path. The mobile user would have no way to notice the connection had been hijacked unless they examined the source of the content or monitored the device's traffic.
To best secure mobile users against MitM attacks, it is critical to use HTTPS, with properly validated server certificates, for every connection the app makes, not just for login or payment screens. This includes all connections in the application, because any single plaintext connection can be used to hijack the app, and a client that has already cached a malicious permanent redirect will keep using it until that cache is cleared.
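As an added example (not code from the article, from Skycure or from any real app), the following Python simulation models the exchange described above: a client that follows a plaintext request through an attacker-injected 301 and, like a permanent-redirect cache, keeps honouring it after the attacker has gone, beside a hardened client that only speaks HTTPS and refuses any redirect that leaves HTTPS or the original host. The hosts api.example.com and attacker.example.net, the path /v1/news and the JSON bodies are constructed for the simulation; nothing here touches a real network.

```python
import json
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# All hosts, paths and responses below are constructed for this simulation.
LEGIT_HOST = "api.example.com"        # assumed legitimate backend
EVIL_HOST = "attacker.example.net"    # assumed attacker-controlled host
PATH = "/v1/news"


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: bytes = b""


class Network:
    """Fake network path between the app and its server.

    While mitm_active is True an attacker sits on the path and answers any
    plaintext HTTP request for the legitimate host with a 301 to their own
    host. HTTPS requests pass untouched: without a certificate the client
    trusts, the attacker cannot forge them.
    """

    def __init__(self):
        self.mitm_active = False

    def fetch(self, url: str) -> Response:
        u = urlsplit(url)
        if u.scheme == "http" and u.hostname == LEGIT_HOST and self.mitm_active:
            return Response(301, {"Location": f"http://{EVIL_HOST}{u.path}"})
        if u.hostname == LEGIT_HOST:
            return Response(200, {"Content-Type": "application/json"},
                            b'{"source": "legitimate"}')
        if u.hostname == EVIL_HOST:
            return Response(200, {"Content-Type": "application/json"},
                            b'{"source": "attacker"}')
        return Response(404)


class NaiveClient:
    """Follows redirects and, like a permanent-redirect cache, remembers a
    301 and applies it to every later request for the same URL."""

    def __init__(self, net: Network):
        self.net = net
        self.redirect_cache = {}          # original URL -> cached Location

    def get(self, url: str) -> Response:
        url = self.redirect_cache.get(url, url)
        for _ in range(5):                # bounded redirect chain
            r = self.net.fetch(url)
            if r.status == 301:
                self.redirect_cache[url] = r.headers["Location"]
                url = r.headers["Location"]
                continue
            return r
        raise RuntimeError("too many redirects")


class HardenedClient:
    """HTTPS only, no persistent redirect cache, and a redirect is only
    followed when it stays on HTTPS and on the host originally requested."""

    def __init__(self, net: Network):
        self.net = net

    def get(self, url: str) -> Response:
        origin = urlsplit(url)
        if origin.scheme != "https":
            raise ValueError(f"refusing plaintext request: {url}")
        for _ in range(5):
            r = self.net.fetch(url)
            if r.status in (301, 302, 307, 308):
                location = r.headers.get("Location", "")
                target = urlsplit(location)
                if target.scheme != "https" or target.hostname != origin.hostname:
                    raise ValueError(f"refusing cross-origin redirect to {location}")
                url = location
                continue
            return r
        raise RuntimeError("too many redirects")


def _source(r: Response) -> str:
    return json.loads(r.body)["source"]


def run_scenario(client_cls, url: str) -> list:
    """Two requests for the same URL: the first on a hostile network, the
    second after the attacker has left. Returns the 'source' field of each
    response so that a persistent hijack shows up in the second entry."""
    net = Network()
    client = client_cls(net)
    sources = []
    net.mitm_active = True                # e.g. untrusted Wi-Fi
    sources.append(_source(client.get(url)))
    net.mitm_active = False               # attacker gone; still poisoned?
    sources.append(_source(client.get(url)))
    return sources


if __name__ == "__main__":
    print("naive client over http:    ",
          run_scenario(NaiveClient, f"http://{LEGIT_HOST}{PATH}"))
    print("hardened client over https:",
          run_scenario(HardenedClient, f"https://{LEGIT_HOST}{PATH}"))
```

The naive client returns attacker content for both requests: the 301 it received once is replayed from its own cache long after the MitM is gone, which is the persistence that makes this attack worse than an ordinary one-off interception. The hardened client never offers the attacker a plaintext request to tamper with, and even if a redirect were somehow injected it would refuse to follow it off-host or off-HTTPS.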
Related Q&A from Nick Lewis