With the ubiquity of mobile devices in the enterprise and also exponential growth of rogue Wi-Fi networks, attackers are finding ways to get into devices and hence into enterprises via vulnerabilities posed by the apps. Making the apps secure is the need of the hour — at least the apps that are allowed to work on the enterprise network. It is also critical that enterprises secure their network from these infected personal devices. Not an easy task.
This article explains in detail how these infection vectors work and how a BYOD-enabled enterprise can mitigate against these risks. It also provides a few security tips for app developers to make sure that their apps are enterprise ready and close these vulnerabilities.
With the ubiquity of mobile everywhere, with very expensive data rates especially for roaming executives and employees, any free Wi-Fi seems like an oasis in the desert. Usually people don’t think twice before connecting their mobile devices to Wi-Fi networks at airports, cafes, bars, pubs, or any free community Wi-Fis. Unfortunately, like anything in this world, not all options are safe. Some are rogue networks set up for intrusive snooping; this is not just with the free Wi-Fis but unfortunately happens with the paid ones too.
Of course this is not new for the laptop world. We all connect our laptops to such Wi-Fi networks. But there is a difference in the mobile world.
Not all mobile apps are designed with security in mind. It is still very early in the market for app developers to put their money behind securing their apps.
App developers persistently change the URL of the server, cache the URL and also use non-secure protocols to talk to the server, thereby opening up multiple vulnerabilities. These are easy-to-pick-open vulnerabilities that attackers via free rogue Wi-Fis take advantage of, inserting their own URLs and taking control of the apps and their behavior. Now instead of loading data from the real site, the app will permanently start loading data from the attacker’s site. Such attacks are called man-in-the-middle attacks or also called an “HTTP request hijacking.”
All operating systems, be it Android, iOS or Windows Mobile, are susceptible to such attacks. These are not OS-based vulnerabilities but mainly app-based vulnerabilities. We found a significant portion of apps available through the official Apple App Store as well as Android play store having such vulnerabilities, which easily could be attacked this way.
The implications are multi-fold right from snooping on confidential and sensitive data and official or personal passwords to installing Trojans to using them later as Bots for DDoS attacks to advanced persistence threats (APTs).
Another issue in the mobile world is that these man-in-the-middle kinds of attack are much less visible to the victimized end user on mobile devices than on a laptop or desktop.
Advice for app developers
These are no easy ways to fix these vulnerabilities, but there are ways to mitigate these attacks from the app-development perspective. First and foremost app developers need to have a security angle to their development and use such frameworks for development. They also need to make sure they use an encrypted protocol for communication with their servers such as HTTPS instead of HTTP as well as a fixed URL reference in the app. It is even more critical to make sure the app doesn’t cache a 301-http-redirect-response for redirection.
Beyond the app developers, enterprises need to secure their business from such attacks. One way is to have a secure access mobile gateway (like i7’s Peregrine7), which ensures that no links or HTTP requests go to bad servers that enable such attacks. This prevents mobile devices and sessions from entering the corporate network, restricting the infection only to quarantined devices without making other devices susceptible. This will prevent such infections from intruding into the corporate network either to take advantage of other vulnerabilities or snoop on data in the network.
Enterprises should also use solutions with server lists specific to mobile attacks and that constantly check against blacklisted IPs to make sure there are no active attacks in the corporate network.
Manjunath M. Gowda, co-founder and CEO of i7 Networks, is a serial entrepreneur. He has held various positions in the software industry in his 20+ years of professional experience. Manju was the co-founder and CEO of S7 Software, which he ran successfully for six years before it was acquired in 2010 by Blue Coat Systems, a Calif.-based security company. Contact him at Manju.firstname.lastname@example.org or following him atTwitter @manju_s7 or LinkedIn: http://in.linkedin.com/in/manjunathgowda.