The majority of people and consumers don’t usually think about security and data privacy when they log into their mobile banking app, take a photo of the check, and make a mobile deposit directly into their account. Nor do they think about security as they conveniently purchase their movie tickets on a Fandango mobile app. People will automatically assume the company has issued a secure app, especially if the app comes from a reputable G2000 company and they downloaded it from the Apple or Google Play app store—or even directly from their employer. What could possibly go wrong?
Well, evidently there’s a lot that can go wrong. SSL vulnerabilities in the Android and iOS ecosystems and the man-in-the-middle (MITM) attacks they enable are exposing consumers’ banking credentials, health information, and other personal information. What’s even scarier is that SSL vulnerabilities are prevalent in many of today’s most popular mobile apps as was recently uncovered by university researchers. The study found Android vulnerabilities that enabled the researchers to hack personal information such as usernames and passwords, social security numbers, and steal check images from popular mobile apps with the following success rates:
92% for Gmail
83% for Chase
92% for H&R Block
86% for Newegg
85% for WebMD
83% for Hotels.com
48% for Amazon
FireEye also recently published data that reported security flaws in the most commonly downloaded Android apps and found that a significant number of the apps are susceptible to MITM attacks. FireEye reported that as of July 2014, out of the 1,000 most downloaded apps in the Google Play store, 73% of the apps that use SSL/TLS to communicate with a remote server do not check certificates. And of the 10,000 random apps in the Google Play store, 40% do not check server certificates, exposing data they exchange with their servers to potential theft.
It wasn’t too long ago that MITM attacks emerged as a major threat to web-based, online transactions, and now we see that MITM attacks are increasingly becoming more widespread for mobile apps. Mobile apps, just like websites, use the same method to secure communications—SSL/TLS. However, SSL certificate validation is not trivial. Mobile apps often do not implement SSL validation correctly, making them vulnerable to active MITM attacks. For example, an attacker can substitute a legitimate SSL certificate with one under his control and view data exchanged between the mobile device and remote server or manipulate private information submitted by the user.
Enterprises that are developing or are otherwise responsible for mobile apps deployed to their end users—consumers, customers, or clients—should fix these security vulnerabilities. It’s up to IT security teams to ensure that user convenience never trumps the security of private consumer data.