Sign up to save your podcasts
Or
Share The Man-in-the-Middle Threat: Understanding and Preventing MitM
Share to email
Share to Facebook
Share to X
Share to email
Share to Facebook
Share to X
Or
The Man-in-the-Middle Threat: Understanding and Preventing MitM
Episode Title: Securing Your Connection: A Guide to Preventing MitM AttacksEpisode Description: Man-in-the-Middle (MitM) attacks pose a significant threat to online security, allowing malicious actors to intercept and manipulate communications. This episode delves into what MitM attacks are, how they work, and crucial strategies for prevention, especially for mobile applications. We'll explore the evolving landscape of security measures, including the debate around certificate pinning.Episode Notes:
- What are Man-in-the-Middle (MitM) attacks?
- A MiTM attack occurs when a bad actor secretly inserts themselves between two connected parties to read, steal, manipulate, or forward exchanged data. These attacks are also known as "eavesdropping".
- The potential payoff for attackers can be significant.
- Popular targets include insecure networks, unencrypted websites, smartphones, and other smart devices.
- How do MitM attacks work?
- Attackers can monitor digital activities, conversations, and emails to steal sensitive information like login credentials, credit card numbers, and bank details.
- Once an insecure access point is found, the attacker positions themselves between the two communicating parties, with all transmissions passing through them in real-time.
- Example 1: Man-in-the-Mobile (MitMo) attack: A fraudster secretly reroutes text messages between two individuals, seeing all the content shared.
- Example 2: Malicious Wi-Fi Hotspot: Attackers create unsecured public Wi-Fi hotspots, often named similarly to legitimate locations, to intercept data from connected users.
- Common Types of MitM Attacks:
- Adversary-in-the-Middle (AitM): A malicious actor uses a reverse proxy to intercept user credentials and session tokens, often bypassing OTP-based multi-factor authentication. This is common in phishing attempts.
- Man-in-the-Browser (MitB): Attackers inject JavaScript into a user's browser (e.g., through malicious extensions or downloaded malware) to gain access to sensitive information and perform unauthorised actions.
- Man-in-the-Mobile (MitMo): Attacks target mobile devices through infected apps and phishing scams, allowing interception of communications and sensitive data, and in severe cases, remote device control. Sophisticated malware can even be installed without user interaction.
- DNS Spoofing: Attackers infiltrate a DNS server and alter website address records, redirecting users to the attacker's site.
- Wi-Fi Eavesdropping: Creating fake public Wi-Fi networks to intercept user activity and data.
- Email Hijacking: Cybercriminals intercept emails (e.g., between banks and customers) to spoof email addresses and send fraudulent instructions to the victim.
- Session Hijacking: Attackers steal information stored in web browser cookies, such as saved passwords.
- IP Spoofing: An attacker disguises themselves as an application by altering packet headers, redirecting users to a malicious website.
- Detecting Man-in-the-Middle Attacks:
- Be alert for any abnormal activity on your online accounts or devices (e.g., unfamiliar balances or activity).
- Use antivirus software to scan for malware.
- Inspect your Wi-Fi connection to ensure it is secure and not open.
- Only visit HTTPS sites you trust and verify the URL for accuracy and no typos.
- Be wary of suspicious certificates.
- Look out for unfamiliar or misspelled URLs in your browser's address bar.
- Be aware of network connections you don't recognise.
- Preventing Man-in-the-Middle Attacks:
- User Best Practices:
- Avoid connecting to Wi-Fi networks without password protection.
- Pay attention to browser warnings about unsecure websites and only trust encrypted connections (HTTPS).
- Log out of secure sites when you are finished.
- Avoid conducting sensitive transactions over public networks.
- Use a Virtual Private Network (VPN) for an added layer of security, especially on untrusted networks.
- Organisational Measures:
- Implement robust network security measures.
- Conduct regular employee training on recognising potential threats.
- Vet organisation emails to identify phishing attempts from external senders.
- Implement Multi-Factor Authentication (MFA).
- Consider Public Key Pair Based Authentication (FIDO).
- Utilise detection tools.
- User Best Practices:
- The Role of Certificate Pinning in MitM Prevention:
- TLS certificate pinning ensures a mobile app only trusts specific certificates, preventing attacks using rogue certificates.
- The app "pins" a specific certificate or public key during development.
- During API calls, the app verifies that the server's certificate matches the pinned certificate, rejecting the connection if it doesn't.
- Limitations of Static Certificate Pinning:
- Apps can break if the server certificate changes (e.g., due to expiration) unless the app is updated.
- Maintaining static pinning requires app updates every time the certificate changes, which can be impractical.
- Attackers can reverse engineer the app and modify the pinning logic.
- Tools like Frida and Xposed can be used to disable pinning checks at runtime.
- Attackers might force trust for their own certificates by modifying device trust stores.
- The Advantages of Dynamic Certificate Pinning:
- Securely updates certificate pins without requiring app updates.
- The app fetches the latest valid certificate pins from a remote attestation service at runtime.
- Stronger protection against reverse engineering as attackers cannot easily modify pinning logic without breaking attestation.
- Can defend against rooted devices and emulators through additional security checks.
- Allows for certificate rotation without app updates.
- Limits exposure if a certificate is compromised as pins change frequently.
- Makes it harder to extract expected certificates.
- Enables on-demand retrieval of valid certificates.
- Arguments Against Traditional SSL Pinning (circa 2025):
- Industry leaders like Google now advise against enabling SSL pinning in mobile applications.
- SSL pinning can lead to service disruptions due to certificate changes, requiring app updates and user adoption.
- It can be easily bypassed using tools like Frida and Xposed.
- Better alternatives include detecting proxies and debugging tools, leveraging device-fingerprinting techniques, and focusing on backend security decisions.
- Conclusion: A Multi-Layered Security Approach:
- Dynamic certificate pinning is a strong defence against mobile MitM attacks but should be part of a broader security strategy.
- A comprehensive approach includes encryption of all communications.
- Careful verification of TLS/SSL configurations, disabling older protocols and weak encryption algorithms.
- Considering VPNs for very high-risk scenarios.
- Implementing dynamic certificate pinning and mobile app attestation for end-to-end API protection.
- Using mobile app attestation to verify app integrity before allowing API access.
- Blocking rooted and jailbroken devices.
- Monitoring API traffic for anomalies.
- https://www.approov.io
- https://approov.io/mobile-app-security/rasp/dynamic-cert-pinning/
View all episodes
By Approov LimitedEpisode Title: Securing Your Connection: A Guide to Preventing MitM AttacksEpisode Description: Man-in-the-Middle (MitM) attacks pose a significant threat to online security, allowing malicious actors to intercept and manipulate communications. This episode delves into what MitM attacks are, how they work, and crucial strategies for prevention, especially for mobile applications. We'll explore the evolving landscape of security measures, including the debate around certificate pinning.Episode Notes:
- What are Man-in-the-Middle (MitM) attacks?
- A MiTM attack occurs when a bad actor secretly inserts themselves between two connected parties to read, steal, manipulate, or forward exchanged data. These attacks are also known as "eavesdropping".
- The potential payoff for attackers can be significant.
- Popular targets include insecure networks, unencrypted websites, smartphones, and other smart devices.
- How do MitM attacks work?
- Attackers can monitor digital activities, conversations, and emails to steal sensitive information like login credentials, credit card numbers, and bank details.
- Once an insecure access point is found, the attacker positions themselves between the two communicating parties, with all transmissions passing through them in real-time.
- Example 1: Man-in-the-Mobile (MitMo) attack: A fraudster secretly reroutes text messages between two individuals, seeing all the content shared.
- Example 2: Malicious Wi-Fi Hotspot: Attackers create unsecured public Wi-Fi hotspots, often named similarly to legitimate locations, to intercept data from connected users.
- Common Types of MitM Attacks:
- Adversary-in-the-Middle (AitM): A malicious actor uses a reverse proxy to intercept user credentials and session tokens, often bypassing OTP-based multi-factor authentication. This is common in phishing attempts.
- Man-in-the-Browser (MitB): Attackers inject JavaScript into a user's browser (e.g., through malicious extensions or downloaded malware) to gain access to sensitive information and perform unauthorised actions.
- Man-in-the-Mobile (MitMo): Attacks target mobile devices through infected apps and phishing scams, allowing interception of communications and sensitive data, and in severe cases, remote device control. Sophisticated malware can even be installed without user interaction.
- DNS Spoofing: Attackers infiltrate a DNS server and alter website address records, redirecting users to the attacker's site.
- Wi-Fi Eavesdropping: Creating fake public Wi-Fi networks to intercept user activity and data.
- Email Hijacking: Cybercriminals intercept emails (e.g., between banks and customers) to spoof email addresses and send fraudulent instructions to the victim.
- Session Hijacking: Attackers steal information stored in web browser cookies, such as saved passwords.
- IP Spoofing: An attacker disguises themselves as an application by altering packet headers, redirecting users to a malicious website.
- Detecting Man-in-the-Middle Attacks:
- Be alert for any abnormal activity on your online accounts or devices (e.g., unfamiliar balances or activity).
- Use antivirus software to scan for malware.
- Inspect your Wi-Fi connection to ensure it is secure and not open.
- Only visit HTTPS sites you trust and verify the URL for accuracy and no typos.
- Be wary of suspicious certificates.
- Look out for unfamiliar or misspelled URLs in your browser's address bar.
- Be aware of network connections you don't recognise.
- Preventing Man-in-the-Middle Attacks:
- User Best Practices:
- Avoid connecting to Wi-Fi networks without password protection.
- Pay attention to browser warnings about unsecure websites and only trust encrypted connections (HTTPS).
- Log out of secure sites when you are finished.
- Avoid conducting sensitive transactions over public networks.
- Use a Virtual Private Network (VPN) for an added layer of security, especially on untrusted networks.
- Organisational Measures:
- Implement robust network security measures.
- Conduct regular employee training on recognising potential threats.
- Vet organisation emails to identify phishing attempts from external senders.
- Implement Multi-Factor Authentication (MFA).
- Consider Public Key Pair Based Authentication (FIDO).
- Utilise detection tools.
- User Best Practices:
- The Role of Certificate Pinning in MitM Prevention:
- TLS certificate pinning ensures a mobile app only trusts specific certificates, preventing attacks using rogue certificates.
- The app "pins" a specific certificate or public key during development.
- During API calls, the app verifies that the server's certificate matches the pinned certificate, rejecting the connection if it doesn't.
- Limitations of Static Certificate Pinning:
- Apps can break if the server certificate changes (e.g., due to expiration) unless the app is updated.
- Maintaining static pinning requires app updates every time the certificate changes, which can be impractical.
- Attackers can reverse engineer the app and modify the pinning logic.
- Tools like Frida and Xposed can be used to disable pinning checks at runtime.
- Attackers might force trust for their own certificates by modifying device trust stores.
- The Advantages of Dynamic Certificate Pinning:
- Securely updates certificate pins without requiring app updates.
- The app fetches the latest valid certificate pins from a remote attestation service at runtime.
- Stronger protection against reverse engineering as attackers cannot easily modify pinning logic without breaking attestation.
- Can defend against rooted devices and emulators through additional security checks.
- Allows for certificate rotation without app updates.
- Limits exposure if a certificate is compromised as pins change frequently.
- Makes it harder to extract expected certificates.
- Enables on-demand retrieval of valid certificates.
- Arguments Against Traditional SSL Pinning (circa 2025):
- Industry leaders like Google now advise against enabling SSL pinning in mobile applications.
- SSL pinning can lead to service disruptions due to certificate changes, requiring app updates and user adoption.
- It can be easily bypassed using tools like Frida and Xposed.
- Better alternatives include detecting proxies and debugging tools, leveraging device-fingerprinting techniques, and focusing on backend security decisions.
- Conclusion: A Multi-Layered Security Approach:
- Dynamic certificate pinning is a strong defence against mobile MitM attacks but should be part of a broader security strategy.
- A comprehensive approach includes encryption of all communications.
- Careful verification of TLS/SSL configurations, disabling older protocols and weak encryption algorithms.
- Considering VPNs for very high-risk scenarios.
- Implementing dynamic certificate pinning and mobile app attestation for end-to-end API protection.
- Using mobile app attestation to verify app integrity before allowing API access.
- Blocking rooted and jailbroken devices.
- Monitoring API traffic for anomalies.
- https://www.approov.io
- https://approov.io/mobile-app-security/rasp/dynamic-cert-pinning/