SSL in Mobile Apps?

How do users know if mobile app communications are secure?


Consumers are using mobile applications more and more these days: shopping, banking, blogging and so on.

The public have been informed about general security best practice for some time now, and one of the simplest and most common pieces of advice has been "check for the padlock". This has been trying to make people aware of encryption when doing internet-based transactions which require or desire privacy.


OK, so most people still don't know what they are looking for. If people even care to check, they will look for 'https' and check that the padlock or address bar is green. Some may go as far as checking the certificate details.

Assuming that this is becoming a normal check performed by users to provide some self-assurance that whatever they are doing is encrypted, how are users meant to do this for mobile apps?

Smartphone apps which are created with some sort of online functionality (banking apps, blogging apps, Facebook and Twitter, etc.) all communicate with the internet in the same, or a very similar, way as they would through a web browser on your computer.

The issue with these apps is that there is no indication to the user about the status of the connection. I have been informing more 'technically impaired' friends and family for some time to "check for the padlock" when shopping and banking online. What can I tell them to do for their smartphone counterparts?


As you can see in the Amazon App above, there is no certificate/encryption information easily available. App developers may be aware of the risks of Man in the Middle attacks and other SSL-based vulnerabilities, and may have provided security fail-safes in the apps to stop activity/communications if a known safe environment is not provided.

Yes, there are ways to check the status of these connections, e.g. connecting your mobile device to a WiFi network, taking a full capture of the communications and doing some protocol analysis. However, this is not in any way a realistic solution, especially since it requires a lot of technical skill and knowledge.

This issue is present in all of the apps that I have been looking at on Android devices, including banking apps, shopping apps, app stores, etc.

So what happens if there are certificate/encryption issues when using these apps?
