There’s never a dull moment on the mobile security front. Several large, consumer-facing banking apps recently made the news. It turns out that some of them were not verifying hostnames in their certificate pinning schemes: they checked who issued the certificate, but not which server it was issued for.
What’s the problem?
Android and iOS apps rely on the CA root certificates in the device trust store to validate the servers they connect to. Any one of those CAs can issue a certificate for any domain, so if a CA is compromised (or coerced), an attacker can obtain a valid-looking certificate for the app's server and present it from a position on the network path, enabling Man-in-the-Middle (MiTM) attacks.
How to mitigate the problem?
Developers can choose to accept only certificates that chain to a single, specified CA certificate (or that carry a specific public key). This is called pinning, and it shrinks the exposure from "any of the hundreds of CAs in the device store" to "this one CA". But pinning to a CA root still requires the developer to ensure that the app verifies that the hostname in the certificate it receives matches the server it intended to reach. If the pinned CA is a public CA, anyone, including an attacker, can legitimately obtain a certificate from it for a domain they control. Without the hostname check, the app accepts that certificate as readily as the bank's own, and MiTM attacks are still possible.
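To make the failure concrete, here is an added example (not Appdome's code, and not from any of the affected apps) using Go's standard crypto/x509 package. It builds a throwaway CA in memory to stand in for the pinned public CA, issues two certificates from that CA, one for the hypothetical hostname bank.example.com and one for attacker.example.com, and then verifies each certificate two ways: pinned-CA-only (the flawed scheme) and pinned-CA-plus-hostname (the fix). All names, keys and certificates are constructed for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue signs a certificate for tmpl with parentKey. When parent is nil the
// certificate is self-signed (used for the CA). Panics on error: this is a
// constructed test fixture, not production code.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// buildPKI constructs an in-memory PKI: one "pinned" CA and two leaf
// certificates it issued, one for the bank's hostname and one for a hostname
// the attacker controls. Both hostnames are hypothetical.
func buildPKI() (*x509.Certificate, *x509.Certificate, *x509.Certificate) {
	now := time.Now()
	ca, caKey := issue(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Public CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}, nil, nil)
	leaf := func(serial int64, host string) *x509.Certificate {
		c, _ := issue(&x509.Certificate{
			SerialNumber: big.NewInt(serial),
			Subject:      pkix.Name{CommonName: host},
			DNSNames:     []string{host},
			NotBefore:    now.Add(-time.Hour),
			NotAfter:     now.Add(24 * time.Hour),
			KeyUsage:     x509.KeyUsageDigitalSignature,
			ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		}, ca, caKey)
		return c
	}
	return ca, leaf(2, "bank.example.com"), leaf(3, "attacker.example.com")
}

// verifyPinnedCAOnly reproduces the flawed scheme: the leaf must chain to the
// pinned CA, but no hostname is supplied. In Go an empty DNSName means the
// hostname check is skipped entirely.
func verifyPinnedCAOnly(pinned, leaf *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(pinned)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots})
	return err
}

// verifyPinnedCAAndHost is the corrected scheme: the leaf must chain to the
// pinned CA AND be valid for the hostname the app intended to reach.
func verifyPinnedCAAndHost(pinned, leaf *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(pinned)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

func main() {
	ca, bank, attacker := buildPKI()
	fmt.Println("CA-only, bank cert:    ", verifyPinnedCAOnly(ca, bank))     // <nil>
	fmt.Println("CA-only, attacker cert:", verifyPinnedCAOnly(ca, attacker)) // <nil>: accepted!
	fmt.Println("CA+host, bank cert:    ", verifyPinnedCAAndHost(ca, bank, "bank.example.com"))     // <nil>
	fmt.Println("CA+host, attacker cert:", verifyPinnedCAAndHost(ca, attacker, "bank.example.com")) // hostname error
}
```

Run it with `go run .`; the attacker's certificate passes the CA-only check and is rejected only once the hostname is supplied. The shape of the fix is the same on every platform: the pin narrows which issuers are trusted, and a separate check binds the certificate to the hostname the app actually dialed. Neither check substitutes for the other.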
Appdome’s Mobile Security Suite
Appdome's Mobile Security Suite is a comprehensive mobile security offering that delivers best-practice mobile security functionality to any mobile app. Appdome allows mobile developers and enterprises to seamlessly add mobile security to apps during the fusing process, to prevent malicious threats and risks to users, organizations, and data.
Appdome has always verified hostnames, regardless of which Certificate Authority (CA) issued the certificate, to protect our customers’ apps against MiTM attacks. Specifically, our “Secure Communication” app protection category includes:
- Protection from Malicious Proxies and Man-in-the-Middle Attacks
Appdome's malicious proxy protection and man-in-the-middle protection work by detecting when a session is intercepted by an unauthorized or unknown party and redirected through a server or proxy. This feature, alone or in combination with others, can be very useful in detecting and preventing man-in-the-middle attacks and other session hijack attempts.
- SSL Certificate Validation
Appdome verifies certificates and Certificate Authorities (CAs) to ensure that apps communicate only with trusted sites presenting valid and authentic certificates. Appdome also allows administrators to manually add known trusted certificates to a whitelist; attempts to connect to sites not on the whitelist are denied. Appdome ensures that all communication with external sources is conducted over encrypted transport protocols such as TLS (and its predecessor, SSL).