The number one source of TLS/SSL Man in the Middle (MitM) attacks on encrypted mobile traffic are not corporate firewalls or captive portals used by hotels, airports and other organizations offering free Wi-Fi access – it’s spyware.
“A big chunk of that spyware comes from companies that are mining user data, and users are usually not tricked into installing these apps. Unfortunately, users explicitly allow companies to monitor their phone usage for a meager compensation,” notes Doug Dooley, Chief Operating Officer at modern application security company Data Theorem.
This revelation comes from reports collected in the past 12 months via TrustKit, a plug-and-play open source SDK that simplifies the implementation of TLS (SSL) pinning in mobile apps. The SDK ensures that the client checks the server-side certificate against a known copy of that certificate and, thus, spots eavesdropping attacks.
TrustKit for Apple’s operating systems was created by Data Theorem and released in 2015. The Android version was made available a year later. It has since been added to over 3,000 applications and has identified more than 100 million eavesdropping attempts.
TrustKit allows developers to enable certificate pinning in their mobile apps quickly and painlessly and allows them to decide whether they want to:
- Monitor and alert on all eavesdropping attempts (passive mode)
- Actively block any eavesdropping attempt from a MitM attacker (active mode).
Judging by the quadrupling of the number of applications that have gone either from passive to active mode or straight to active mode in the past year, app developers seem to be increasingly comfortable with blocking compromised connections.
“They either did this before and they started using TrustKit to make their lives easier or they know exactly why they want to make the effort of implement TLS pinning and have a strong commitment to data privacy,” Dooley notes. “The latter is possibly due to compliance requirements: they need to prove that mobile communication/transactions are safe from potential eavesdroppers.”
About TrustKit Analytics
The security insights that the company has into the nature of these MitM attacks is a result of TrustKit sending reports about them to their server systems.
The company has also announced TrustKit Analytics, a new service that allows app developers to see where eavesdropping attempts on their users are happening based on geolocation data, as well as the attack source (spyware, corporate firewalls, insecure public Wi-Fi, unknown actors, etc.). Every time they put TrustKit into one of their apps, they get a new analytics dashboard on which they can see near real-time threat analysis.
That part of the service is free and always will be, says Dooley, but they also have a paid option to sign up for different kinds of protection alerts and trending reports.
For example, the SecOps team might want to be alerted when a spike of MitM attempts on their app is detected in some part of the world. Or, they might want to get an alert if someone tries to forge their SSL certificate during renewal, which could cause a denial-of-service (DoS) for all customers. These alerts can help them avoid mistakes and the loss of business due to avoidable downtime.
“To us TrustKit is a big deal because it’s the first time that we’ve tried to do something open source and free for the community and it has become extremely popular very quickly,” notes Dooley.
“It’s a win-win for everybody – for user and data privacy, for businesses that want to protect their brand, and for us as a company. If you’re an app developer that cares about security and you’re impressed by the quality of the things you’re getting from Data Theorem for free, you’re likely to wonder about the things you could get by using the company’s entire suite of security protection.”
About Data Theorem
Data Theorem was founded in 2013 by Himanshu Dwivedi, who recognized the rising importance of mobile computing and mobile application security when iSec Partners, the company he started before Data Theorem, was asked by Google to help secure their latest new acquisition: the Android mobile OS.
He also recognized the trends that make modern application development tricky from the security standpoint – the fast pace of development, the use of third-party and open source code, SDKs, APIs, and the fact that most of these apps sit on top of someone else’s cloud infrastructure.
“Open source is a reality that allows business to go faster and build applications with more agility,” says Dooley. “TrustKit is a perfect example. If every single app developer had to build TLS pinning capabilities from scratch, the cost, the time, the effort and the quality would vary a lot. So even some of the richest and engineering-filled organizations are leveraging TrustKit because they can look at the code quality and at the community around it and they know there’s a lot of vetting happening within this open source SDK project.”
But trusting that someone else is doing things right is not good enough, and that’s why Data Theorem also provides the means for verifying the security of the code (both written outside and inside the organizations) and APIs used by mobile applications.
The company can constantly analyze customer’s apps in various online app stores for static code issues, dynamic run-time flaws, vulnerable third-party SDKs, insecure open source libraries, and compliance gaps. Pre-production scanning is also possible and security issues are pushed straight into bug tracking systems such as JIRA. But, what’s most important, the company also supplies the secure code fixes to the application developers.
“That’s one of the things that the customers love about us. We actually provide the Objective C, the Java, the Swift code, so our customers can fix the issue quickly instead of just being bombarded with security issues from yet another security vendor,” Dwivedi explains.
Security testing without disruption
One of the company’s biggest wins is that they’ve been able to provide security testing without disruption.
“There’s no slowdown in the development process, security testing happens naturally, and that saves data, money and jobs. The best part of our job is when everything works in a highly automated fashion with little human intervention: our customers go about their normal day of business, we find issues before they hit public repositories, and they seamlessly fix the unearthed problems,” Dwivedi explains.
The company’s customers are many and varied: Adobe, Cisco, eBay, PayPal, GAP, Wildflower Health, Goldman Sachs and many others.
Evernote, which started using the company’s services in November 2014, can attest to their efficacy. Before, they relied solely on their internal security team, which didn’t have enough staff to manage the company’s rapid scale and application growth. Since partnering with Data Theorem, they have implemented nine app protection features, closed over a 100 security issues, and removed 17 harmful third-party libraries.
As one example, Dana Theorem helped the Evernote security team identify an analytics tracker that one of their product teams added to the code before it had been reviewed and approved. This saved the company from a potential privacy incident and having to notify its users about the issue.