Have you ever second-guessed yourself on just how safe your personal data is, especially after granting apps permission to collect data on your mobile device? According to a recent study, you might be right to feel wary.
Three researchers from the Chinese University of Hong Kong discovered that, out of the 600 top U.S. and Chinese Android mobile apps that use OAuth 2.0 for sign-in, “41.2 percent of the apps they tested were vulnerable to their outside attack.” Threatpost reports that some of these apps “have been downloaded hundreds of millions of times and can be exploited for anything from free phone calls to fraudulent purchases.”
Just how are these weaknesses being exploited? The researchers note that because OAuth 2.0 does not define security requirements for this use case, identity providers and app developers have improvised their own API extensions for single sign-on (SSO), and many of them skip a crucial step: the app’s backend server accepts the user identity that the app relays to it without confirming with the identity provider that the accompanying access token was really issued for that user and for that app. An attacker therefore needs only a man-in-the-middle proxy on a device they control: they sign in with their own identity-provider credentials, watch the inbound and outbound traffic, swap in the victim’s user identifier, and the backend hands them the victim’s account. To learn more about man-in-the-middle attacks, click here.
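The pattern the researchers describe, as an added example that is not part of the original article or of any app it mentions: a minimal Go model of an app backend’s SSO login handler, first in the vulnerable form that trusts the identity the app relays, then in a hardened form that verifies the access token with the identity provider and binds the session to the provider’s answer. The request fields, token values, client IDs and the fake provider are all constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// ssoLogin is what the mobile app relays to its own backend after completing
// OAuth SSO with the identity provider (IdP). Field names are assumptions.
type ssoLogin struct {
	UserID      string // user identifier reported by the IdP's SDK
	AccessToken string // access token the IdP issued to the app
}

// tokenVerifier abstracts the IdP's server-side check (a token-introspection
// or user-info endpoint): given an access token it reports which user the
// token belongs to and which client application it was issued to.
type tokenVerifier interface {
	Verify(accessToken string) (userID, clientID string, err error)
}

// vulnerableLogin is the pattern the researchers found: the backend believes
// whatever identity the app sends. An attacker proxying their own device's
// traffic replaces UserID with a victim's and is signed in as the victim.
func vulnerableLogin(req ssoLogin) (string, error) {
	if req.UserID == "" {
		return "", errors.New("missing user id")
	}
	return req.UserID, nil // session issued for an identity nobody verified
}

// hardenedLogin asks the IdP who the token really belongs to and binds the
// session to that answer rather than to the client-supplied field. It also
// requires that the token was issued to this app and not to another client.
func hardenedLogin(req ssoLogin, idp tokenVerifier, ourClientID string) (string, error) {
	userID, clientID, err := idp.Verify(req.AccessToken)
	if err != nil {
		return "", fmt.Errorf("token rejected by identity provider: %w", err)
	}
	if clientID != ourClientID {
		return "", errors.New("token was issued to a different app")
	}
	if userID != req.UserID {
		return "", errors.New("user id does not match the token's subject")
	}
	return userID, nil
}

// fakeIdP is a constructed stand-in for the provider's verification endpoint,
// keyed by access token.
type fakeIdP map[string]struct{ user, client string }

func (f fakeIdP) Verify(tok string) (string, string, error) {
	rec, ok := f[tok]
	if !ok {
		return "", "", errors.New("unknown token")
	}
	return rec.user, rec.client, nil
}

func main() {
	idp := fakeIdP{
		"tok-attacker":  {"attacker", "app-123"}, // attacker's own valid token for this app
		"tok-other-app": {"victim", "app-999"},   // a victim token issued to some other app
	}
	// The attacker's genuine token with the victim's user id swapped in by the proxy.
	forged := ssoLogin{UserID: "victim", AccessToken: "tok-attacker"}
	fmt.Println(vulnerableLogin(forged))              // victim <nil>  (account takeover)
	fmt.Println(hardenedLogin(forged, idp, "app-123")) // "" user id does not match the token's subject
	fmt.Println(hardenedLogin(ssoLogin{"attacker", "tok-attacker"}, idp, "app-123"))
}
```

The client-ID check in the hardened handler matters even when the user matches: a token the attacker legitimately obtained from the same provider for a different app must not unlock this one.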
Fortunately, there is a way to raise the bar against this kind of interception: a technique called SSL pinning (also known as certificate pinning). Jay Graves of POSSIBLE Mobile describes SSL pinning simply as “making sure the client checks the server’s certificate against a known copy of that certificate,” so the app accepts only the backend it expects rather than any certificate the device’s trust store happens to accept, including one issued by a proxy’s CA that has been installed on the device. Pinning is a client-side control, though: it stops an interception proxy, but an attacker who controls the device can disable the check, so the backend must still verify the identity information it receives with the identity provider instead of trusting what the app relays.
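What that check looks like in practice, as an added example that is not code from the article or from POSSIBLE Mobile: a Go program, standard library only, that computes a public-key pin for a certificate, enforces it in the callback shape that crypto/tls exposes for exactly this purpose, and runs the check against two constructed self-signed certificates for a hypothetical host api.example.test, one standing in for the genuine backend and one for an interception proxy’s forgery. Both are placed in the trust store, as they would be once a proxy’s CA is installed on a device, so the trust store alone accepts the forgery and only the pin rejects it. The hostname, the certificates and the pin set are all assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"time"
)

const host = "api.example.test" // hypothetical backend hostname, assumed for this example

var errPinMismatch = errors.New("pin validation failed: no verified certificate carries a pinned key")

// spkiPin returns a certificate's pin in the "sha256/<base64>" form used by
// OkHttp's CertificatePinner: SHA-256 over the DER SubjectPublicKeyInfo. Pinning
// the key rather than the certificate survives renewal as long as the key is kept.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return "sha256/" + base64.StdEncoding.EncodeToString(sum[:])
}

// verifyPins has the shape of tls.Config.VerifyPeerCertificate. crypto/tls calls
// it after the usual CA and hostname checks; the handshake continues only if a
// certificate in one of the *verified* chains carries a pinned key. The raw
// presented chain is ignored on purpose: a server can pad it with certificates
// that play no part in validation.
func verifyPins(pins map[string]bool) func([][]byte, [][]*x509.Certificate) error {
	return func(_ [][]byte, verifiedChains [][]*x509.Certificate) error {
		for _, chain := range verifiedChains {
			for _, cert := range chain {
				if pins[spkiPin(cert)] {
					return nil
				}
			}
		}
		return errPinMismatch
	}
}

// checkServer reproduces, without a network, what the client side of the
// handshake does: build a chain against the trust store (a stand-in for the
// device's CA store), then run the pin check on it. A nil pin set models an
// app that does not pin at all.
func checkServer(presented *x509.Certificate, trusted *x509.CertPool, pins map[string]bool) error {
	chains, err := presented.Verify(x509.VerifyOptions{Roots: trusted, DNSName: host})
	if err != nil {
		return err
	}
	if pins == nil {
		return nil
	}
	return verifyPins(pins)([][]byte{presented.Raw}, chains)
}

// selfSigned mints a throwaway self-signed certificate for host: constructed
// test data standing in for the backend's real certificate or a forgery.
func selfSigned() *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

func main() {
	genuine := selfSigned()
	rogue := selfSigned() // what an interception proxy presents for the same host
	// A trust store that accepts both, as a device's does once a proxy's CA has
	// been installed on it. Only the pin tells the two apart.
	trusted := x509.NewCertPool()
	trusted.AddCert(genuine)
	trusted.AddCert(rogue)
	pins := map[string]bool{spkiPin(genuine): true}

	fmt.Println("pinned key:        ", spkiPin(genuine))
	fmt.Println("genuine, pinned:   ", checkServer(genuine, trusted, pins)) // <nil>
	fmt.Println("rogue, no pinning: ", checkServer(rogue, trusted, nil))    // <nil>: trust store alone lets the proxy through
	fmt.Println("rogue, pinned:     ", checkServer(rogue, trusted, pins))   // pin validation failed
}
```

To use this in a real client, set VerifyPeerCertificate: verifyPins(pins) on the tls.Config alongside the normal ServerName and root store, never together with InsecureSkipVerify; the Android equivalent is OkHttp’s CertificatePinner, which takes the same sha256/ strings. Pin a key rather than a certificate, and ship a backup pin for the key you will rotate to, or the next routine renewal locks every installed client out of the backend.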
Popular apps such as Facebook use SSL pinning to keep users’ information safe and secure.
For more information on SSL pinning, read this guide.