In my last blog on “SSL Vulnerabilities in Your Mobile Apps: What Could Possibly Go Wrong?” I reported on the latest threats facing many enterprises today, because enterprises are failing to secure the trust in the mobile apps they’re developing for their end users. Researchers discovered that many popular mobile apps developed by reputable companies do not implement SSL validation correctly, making them vulnerable to active man-in-the-middle (MITM) attacks. In a MITM attack, an attacker replaces the legitimate SSL certificate with one under their own control and can then view and/or manipulate the private information the user submits.
As a follow-up to my previous blog, I’d like to focus on the business impacts that these mobile app security vulnerabilities have on enterprises and why CISOs should keep them in mind.
Adopting an app-based strategy for your customers is not easy, and it comes with significant risks. As mentioned above, apps with these SSL vulnerabilities are prone to MITM attacks that trick users into leaking sensitive data. These leaks are particularly threatening because consumers use mobile apps to access banking records, healthcare benefit plans, and retail accounts. This creates security risk for enterprises because an app strategy requires them to expose backend systems and data via APIs, which means consumers’ sensitive information is placed at risk of compromise. Attackers exploit mobile apps that do not check the validity of SSL certificates by presenting forged or self-signed certificates that no trusted authority issued. An attacker positioned on a wireless network used by mobile devices can intercept traffic and insert such a certificate, inject malicious information-stealing code directly into the apps, and divert users to compromised sites to conduct fraudulent transactions, with most users unable to notice the difference.
When an attacker finds an exploit or flaw in your mobile apps that leaks your customers’ private information, be prepared for a PR nightmare, because this will surely make a very large splash in the media. Security and privacy issues can have a major impact on customer adoption of your mobile apps, damage your company's brand reputation, and even negatively impact revenue. Keep in mind that you will not always get a second chance to get it right with your customers.
Fandango and Credit Karma mobile apps failed to secure SSL and validate certificates and exposed consumers’ sensitive personal information. Both were heavily penalized by the FTC and should serve as a reminder of the seriousness behind failing to secure and validate SSL certificates. By overriding the default validation process, Fandango undermined the security of ticket purchases made through its iOS app and exposed consumers’ credit card details, including card number, security code, zip code, and expiration date, as well as consumers’ email addresses and passwords. Similarly, Credit Karma’s apps for iOS and Android disabled the default validation process, exposing consumers’ Social Security Numbers, names, dates of birth, home addresses, phone numbers, email addresses, passwords, credit scores, and other credit report details such as account names and balances.
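The two cases above and the attack described earlier both hinge on an app overriding the platform’s default certificate validation. The following Android/Java illustration, written for this post and not taken from Fandango, Credit Karma, or the FTC filings, shows what that override typically looks like in code beside the form that leaves validation in place; the class and method names are my own, and the pin passed to requirePin is assumed to be a value the app ships with.

```java
import java.io.IOException;
import java.net.URL;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Base64;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

public final class TlsValidationExample {
    // The anti-pattern: a trust manager whose check methods never throw accepts any
    // certificate, including one an attacker presents from the same wireless network.
    static final TrustManager[] TRUST_EVERYTHING = {
        new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String authType) { }
            public void checkServerTrusted(X509Certificate[] chain, String authType) { }
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        }
    };
    // A verifier that always returns true accepts a valid certificate issued for the wrong host.
    static final HostnameVerifier ACCEPT_ANY_HOST = (hostname, session) -> true;

    /** Vulnerable: replaces the platform's chain and hostname validation with no-ops. */
    static HttpsURLConnection openInsecure(URL url) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, TRUST_EVERYTHING, null);
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setHostnameVerifier(ACCEPT_ANY_HOST);
        return conn;
    }

    /** Hardened: no socket factory or verifier override, so the OS trust store and hostname check apply. */
    static HttpsURLConnection openWithDefaultValidation(URL url) throws IOException {
        return (HttpsURLConnection) url.openConnection();
    }

    /** Optional extra layer: after connect(), compare the leaf public-key hash with a pin the app ships (assumed value). */
    static void requirePin(HttpsURLConnection conn, String expectedSpkiSha256Base64)
            throws IOException, NoSuchAlgorithmException {
        Certificate[] chain = conn.getServerCertificates(); // throws if the connection is not established
        byte[] spki = chain[0].getPublicKey().getEncoded();
        String actual = Base64.getEncoder().encodeToString(MessageDigest.getInstance("SHA-256").digest(spki));
        if (!actual.equals(expectedSpkiSha256Base64)) { throw new SSLPeerUnverifiedException("public key pin mismatch"); }
    }
}
```

In a code review, any custom X509TrustManager with empty check methods or a HostnameVerifier that unconditionally returns true is the signature to look for; the hardened path is usually just deleting those overrides.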
It is the responsibility of IT security teams and CISOs to protect customers’ privacy and safeguard them from fraudulent or malicious activity. To do this, organizations need to confirm that their apps are not leaking private information, establish trusted connections to their services, and have the right intelligence to maintain trust between the business and the customer.