Researchers at Skycure recently revealed that many iPhone apps are susceptible to HTTP request hijacking attacks....
Can you please explain how these attacks work and what we can do to keep mobile users safe?
New developers are entering the mobile app ecosystem every day. Unfortunately, these new developers may not understand how trivial it is to attack an HTTP connection or know anything about secure coding practices -- much less about secure software development lifecycles. As a matter of fact, even mobile developers from established enterprises are making these same mistakes in apps that most people might expect to be secure.
App security can be implemented in the app stores themselves by adding standards around secure software development practices and enforcing the use of secure cryptography. Many users erroneously assume the apps they download from an app store are protected. While the user might be prompted to allow or deny permissions to an app, they probably don't realize that allowing the permissions doesn't necessarily equate to a secure app.
In the case of HTTP request hijacking attacks on the iPhone app, hackers relied on classic man-in-the-middle (MitM) attack methods where HTTP was used. The attack monitored the connection between the mobile device and the server, and then sent an HTTP redirect to the mobile device to make it load content from a third-party website. The mobile user may not have even been able to detect that their connection was hijacked unless they had examined the source of the webpage or monitored the traffic.
To best secure mobile users against MitM attacks, it is critical to use HTTPS for all connections and use securely implemented cryptography. This includes all connections in the application so that any vulnerable connection can't be used to hijack the application.
Ask the Expert!
Have a question about enterprise threats? Send it via email today! (All questions are anonymous.)
Dig Deeper on BYOD and mobile device security best practices
Related Q&A from Nick Lewis
Researchers developed aIR-Jumper, an exploit that leverages lights within security cameras to extract data. Learn how this attack works and how to ... Continue Reading
The com.google.provision virus reportedly targets Android users, but little is known about it. Nick Lewis discusses the mystery threat and how Common... Continue Reading
A bug in Microsoft's Internet Explorer update exposes information that users enter into the browser's address bar. Learn more about the bug and URL ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.