Recently Sudo Security Group uncovered something shocking about a range of popular applications available for download in the Apple's iOS Store. While performing research for their security tool verify.ly, the team discovered 76 of them had the same security
hole. Further, according to estimates from Apptopia, a provider of mobile app data and insights, these insecure applications had been downloaded by users across the globe approximately 18 million times.
The vulnerability that fraudsters can exploit involved the apps’ use of Transport Layer Security (TLS). Configured improperly by app developers, it left encrypted communications transmitted by the protocol open for interception by man-in-the-middle attacks.
Without proper security, these man-in-the-middle attacks could be conducted by any party within Wi-Fi range of a mobile device while it is in use. On a more technical level, these apps could be tricked by a forged certificate sent by proxy. This security
hole presents a real threat to any bank, insurer, healthcare company, merchant, or other business needing to protect its mobile app communications.
Fortunately, in 33 of the applications, the risk of important data being compromised was low while 24 of them were found to be of medium risk. These apps were disclosed and named publicly. The remaining 19 apps handled high risk user data and, therefore,
were not publicly disclosed but their creators were notified.
Unfortunately, this insecurity in the TLS protocol is not a new development. Rather, it is a recurring theme in the many applications that use it. In fact, even apps specifically designed to meet security needs sometimes misapply its use. In 2015, a two-factor
authentication provider disclosed that a version of their iOS application was itself vulnerable to compromise due to a flaw in TLS configuration.
What’s going on here? Frankly, a lot of complexity. The current way to avoid problems in the TLS protocol is through the use of hard-coded “pinned” certificates. This blocks the use of forged certificates by fraudsters. Unfortunately, the use of these pinned
certificates is not always practical for app developers. For this reason, Apple has been encouraging developers to use App Transport Security (ATS) for transmitting data securely instead.
Yet, the use of ATS does not, by itself, obviate the potential for phony certificates. The underlying problem is inherent in TLS. In theory, the TLS certificate system should provide a formidable layer of defense against fraud. Implemented correctly using
pinning, the certificates can properly validate the identity of the host application and enable a secure connection.
However, in practice, the inherent complexity of TLS certificate implementation deviates from computer security best practices, creating security holes. TLS incorporates a considerable amount of complexity in certificate deployment and certificate usage.
Often, the complexity is so onerous that it precludes practical deployment.
What mobile app developers need is a single, stable, and secure platform for authenticating the identities of the communicating parties involved. TLS attempts to achieve this through the use of certificates digitally signed by a trusted Certificate Authority
but this coordination between multiple parties to authenticate communicators creates issues.
Fortunately, there are advanced digital security solutions which properly handle certificate pinning in the background of mobile apps so developers never have to think about it. These programs ensure the certificate is encrypted, cannot be intercepted, replaced,
or altered, and properly pin it to ensure all customer sessions are secure.
Most importantly, because these solutions address the cryptographic issues within the app, it frees up programmers to focus solely on app development. The development team merely needs to install the out-of-box solution. Done this way, these services transparently
address the security issues and protect communication within the app against unauthorized interception, disclosure, modification, or replay.