Will Strafach from Sudo Security Group (maker of the verify.ly service) recently wrote about popular iOS apps that are vulnerable to silent Transport Layer Security (TLS) interception. Headlines about silent interception abounded, and hand-wringing over the number of downloads of affected apps ensued.
This vulnerability wasn’t surprising to Appthority, and it supports our findings from our Q4 2016 Mobile Threat Report and blog post about the adoption of App Transport Security (ATS). That report found that, of the top 200 iOS apps present on our customers’ devices, 9 apps (2 using ATS) disable SSL certificate validation, and 155 apps (46 with ATS) do not support certificate pinning for at least one connection. All of these apps are susceptible to Man-in-the-Middle attacks because TLS is not configured properly. In total, we’ve identified 15,062 versions of apps with this problem, including 8,066 distinct apps from the App Store and 294 paid apps. The silent intercept vulnerability is fairly widespread in enterprises: we found that these apps are present on 19% of all Appthority users’ devices.
What can enterprises do to protect themselves from this kind of attack?
A MiTM attack is mostly feasible over WiFi; using cellular data raises the attack complexity and cost to the point where it is not feasible for anyone other than government or nation-state attackers. Enterprises should advise users who have sensitive information on their mobile devices to use their cellular data when they are away from work or home, to avoid this threat.
In Appthority’s Q4 2016 Mobile Threat Report we also described three steps that enterprises can take to defend their users against this sort of vulnerability:
- Implement a mobile security tool that makes app encryption settings visible
- Establish and enforce security policies that include app encryption best practices
- Ensure that your apps use certificate pinning, the strongest means available to prevent man-in-the-middle (MiTM) attacks
Recommendations for Enterprises
Appthority recommends that enterprises advise their mobile users to use their cellular service instead of free WiFi when connecting from coffee shops, airports and similar public places, in order to minimize the risk from MiTM attacks. Recent announcements of unlimited data plans from major US wireless providers now make this an option for most mobile users.
How Appthority Customers and Their Employees Are Protected
The Appthority Mobile Threat Protection solution provides three different mechanisms for protection against MiTM attacks, two of which are proactive — they prevent the attack rather than simply detecting an attack underway.
- Appthority customers can detect apps where TLS data may be silently intercepted by MiTM attacks. This vulnerability is captured in our behavior checks for certificate pinning and validation, and customers may use these rules for information or remediation.
- Appthority customers can be notified if they have inadvertently accepted an untrusted certificate on their mobile devices.
- Appthority customers can be notified when a MiTM attack is in progress.
image credit: Hot for Security Blog