
Mike Lynch - InAuth

Information Security

Overcoming Vulnerabilities In TLS

28 February 2017 | 4677 views | 0 comments

Recently, Sudo Security Group uncovered something shocking about a range of popular applications available for download in Apple's iOS App Store. While performing research for their security tool verify.ly, the team discovered that 76 of them shared the same security hole. Further, according to estimates from Apptopia, a provider of mobile app data and insights, these insecure applications had been downloaded approximately 18 million times by users across the globe.

The vulnerability that fraudsters can exploit lies in the apps' use of Transport Layer Security (TLS). Configured improperly by the app developers, it left communications that the protocol was meant to encrypt open to interception by man-in-the-middle attacks.

Without proper security, such man-in-the-middle attacks could be mounted by any party within Wi-Fi range of a mobile device while it is in use. On a more technical level, these apps could be tricked into accepting a forged certificate presented by an interception proxy. This security hole presents a real threat to any bank, insurer, healthcare company, merchant, or other business that needs to protect its mobile app communications.

Fortunately, in 33 of the applications the risk of important data being compromised was low, while 24 of them were found to be of medium risk. These apps were disclosed and named publicly. The remaining 19 apps handled high-risk user data and were therefore not publicly disclosed, although their creators were notified.

Unfortunately, this kind of TLS insecurity is not a new development. Rather, it is a recurring theme among the many applications that use the protocol. In fact, even apps specifically designed to meet security needs sometimes misapply it. In 2015, a two-factor authentication provider disclosed that a version of its iOS application was itself vulnerable to compromise due to a flaw in its TLS configuration.

What's going on here? Frankly, a lot of complexity. The current way to avoid this class of problem is to use hard-coded, "pinned" certificates, which blocks the use of forged certificates by fraudsters. Unfortunately, pinning is not always practical for app developers. For this reason, Apple has been encouraging developers to rely on App Transport Security (ATS) for transmitting data securely instead.

Yet the use of ATS does not, by itself, eliminate the risk of phony certificates. The underlying problem is inherent in TLS. In theory, the TLS certificate system should provide a formidable layer of defense against fraud. Implemented correctly, with pinning, the certificates can properly validate the identity of the host and enable a secure connection.
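As an added illustration of why pinning blocks the forged certificate described above (example code written for this article, not from the original post or from InAuth): the pin is computed over the certificate's SubjectPublicKeyInfo in the SPKI SHA-256 format used by HTTP Public Key Pinning, so a certificate carrying the same host name under an attacker's key fails the check even though a name-based check would pass it. The certificates are constructed minimal DER structures, not real X.509 certificates, and every function name is this example's own.

```python
import base64
import hashlib

def der_len(n: int) -> bytes:  # DER length octets, short or long form
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body

def der_body(element: bytes) -> bytes:  # content octets of one TLV
    ln = element[1]
    return element[2 + (ln & 0x7F):] if ln & 0x80 else element[2:]

def der_children(data: bytes) -> list:  # elements inside a constructed value
    out, i = [], 0
    while i < len(data):
        ln, hdr = data[i + 1], 2
        if ln & 0x80:                      # long-form length
            n = ln & 0x7F
            ln, hdr = int.from_bytes(data[i + 2:i + 2 + n], "big"), 2 + n
        out.append(data[i:i + hdr + ln])
        i += hdr + ln
    return out

def spki_of(cert_der: bytes) -> bytes:
    """SubjectPublicKeyInfo of a DER certificate: 6th field of tbsCertificate."""
    fields = der_children(der_body(der_children(der_body(cert_der))[0]))
    if fields[0][0] == 0xA0:               # skip optional [0] EXPLICIT version
        fields = fields[1:]
    return fields[5]   # serial, sigAlg, issuer, validity, subject, SPKI

def spki_pin(cert_der: bytes) -> str:
    """HPKP-style pin, base64(SHA-256(SPKI DER)): depends on the key only."""
    return base64.b64encode(hashlib.sha256(spki_of(cert_der)).digest()).decode()

def pin_check(cert_der: bytes, pinned: set) -> bool:
    """Accept the presented leaf only if its key is one the app shipped with."""
    return spki_pin(cert_der) in pinned

def fake_cert(name: bytes, key_material: bytes) -> bytes:
    """Constructed stand-in: real X.509 field layout, placeholder contents."""
    tbs = tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30, b"")
    tbs += tlv(0x30, name) + tlv(0x30, b"") + tlv(0x30, name) + tlv(0x30, key_material)
    return tlv(0x30, tlv(0x30, tbs) + tlv(0x30, b"") + tlv(0x03, b"\x00"))

GENUINE = fake_cert(b"bank.example", b"genuine-server-key")  # constructed sample
FORGED = fake_cert(b"bank.example", b"proxy-key")            # same name, other key
PINS = {spki_pin(GENUINE)}                                   # shipped inside the app
```

On a real connection the same check would run against the DER leaf certificate returned by the TLS library, with the pin set (and a backup pin) built into the app at release time.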

In practice, however, the complexity of deploying TLS certificates leads implementations to deviate from computer security best practices, creating security holes. TLS involves a considerable amount of complexity in both certificate deployment and certificate usage, and often that complexity is so onerous that it precludes practical deployment.

What mobile app developers need is a single, stable, and secure platform for authenticating the identities of the communicating parties. TLS attempts to achieve this through certificates digitally signed by a trusted Certificate Authority, but this coordination among multiple parties to authenticate the communicators creates issues of its own.

Fortunately, there are digital security solutions that handle certificate pinning in the background of mobile apps, so developers never have to think about it. These programs ensure that the certificate is encrypted and cannot be intercepted, replaced, or altered, and pin it properly so that every customer session is secure.

Most importantly, because these solutions address the cryptographic issues within the app, programmers are freed to focus solely on app development. The development team merely needs to install the out-of-the-box solution. Done this way, these services transparently address the security issues and protect communication within the app against unauthorized interception, disclosure, modification, or replay.


Tags: Security, Mobile & online
