Published in The Startup
Prevent Mobile Phishing Without Coding

How to use SSL Certificate Validation & Certificate Pinning to Prevent Phishing

What is Mobile Phishing?

Mobile phishing is a cybercrime in which an attacker impersonates a legitimate or trusted institution and uses social engineering techniques to trick mobile users into doing what the attacker wants. The goal is usually either to get users to hand over sensitive information (PII, usernames and passwords, Social Security numbers, banking details, credit card data, etc.) or to get them to download and install malware (for example a fake or cloned app, or malware embedded inside a legitimate app). There are many forms and variants of phishing, such as spear phishing (aimed at high-value targets, usually executives), vishing (voice or voicemail based), smishing (SMS based), and more. Phishing is one of the most versatile and reliable attack methods of all time, and it is often used as a raw material in blended attacks (MitM attacks, ransomware, malware/trojan propagation, session hijacking, etc.). You can think of phishing as the ‘Swiss Army knife’ of cybercrime, except that phishing actually works! CSO Online published a nice article on the Top 14 Real-World Phishing Attacks, which gives a feel for just how practical, versatile, reliable, and lucrative phishing can be for an attacker.

Pharming is a variant of phishing in which the mobile user’s session is redirected to a fake, malicious website. For example, instead of my bank resolving to x.x.x.1, my bank now resolves to x.x.x.2, which is really the attacker’s fake banking site made up to look like my bank’s site.
There are some pretty creative ways for pharming and phishing to work, such as DNS spoofing (also called DNS cache poisoning). Regardless of the method, once the user connects to the malicious site, the attacker attempts to harvest sensitive information.

What is Certificate Pinning?

Certificate pinning is the process of embedding the valid SSL certificate (or public key) of known, trusted servers inside a mobile app. An application that pins a certificate or public key no longer depends on external elements, such as DNS or intermediate/public certificate authorities, when making security decisions about a peer server’s identity. In mobile, the most common form of certificate pinning is embedding the server certificates inside the mobile app so that the app trusts only the expected server certificate. This prevents attackers from presenting modified or fraudulent certificates to the mobile app in an attempt to redirect the mobile user to a malicious site.

SSL certificate validation helps ensure that the SSL certificate files, which link details about an organization with a cryptographic key, are valid, i.e. that your app is talking to a server presenting an authentic certificate. It can further go on to pin (link) a host to a certificate in your app, so that a mismatch, such as in the case of a pharming attack, generates an alert or triggers another action, depending on how you implement the feature on Appdome.

SSL Certificate validation and pinning can be used together to combat mobile pharming by determining “yes” the certificate is authentic and “yes” the expected host is the host that the app is connected to. If it doesn’t match, the app should alert the user. For a deeper dive on certificates and certificate pinning, check out this video on MitM attacks.

How to Add Certificate Validation and Certificate Pinning in Any Mobile App without Coding

Appdome’s no-code security build system enables developers and security folks to implement their choice of mobile app security features (including SSL Certificate Validation, Certificate Pinning and many other features) in any iOS or Android app in minutes, without coding. This prevents mobile phishing and pharming by always ensuring that the SSL/TLS certificate of the server is valid and has not been tampered with by attackers.

When you build a mobile app with SSL certificate validation, the server’s SSL certificate is validated to ensure it is authentic every time a connection is attempted. If the validation fails, e.g. because of a fraudulent certificate, the session is blocked or dropped, and a notification is displayed to the mobile app user.

In addition, you can add certificate pinning to any app for extra protection. This is the process of linking a host to a specific certificate or a CA (Certificate Authority). Pinning helps ensure that the destination matches the certificate your app originally pinned and expects, and that the certificate has not been forged. This is also useful against attacks in which the session terminates on a malicious proxy as part of a mobile MitM (Man-in-the-Middle) attack.

Mobile developers can implement certificate pinning by itself or in combination with other security features, such as anti-tampering, data-at-rest encryption, or code obfuscation, all without any coding or development effort. This enables developers to increase the security of their apps and build a layered defense in minutes, all within their existing app lifecycle and dev workflows.

Thanks for reading! To learn more about how to add security protections to mobile apps without coding, visit our Dev+Sec blog.

Drop me a line with any comments!

ALAN BAVOSA is VP of Security Products at Appdome, a no-code mobile app security and development platform.