Mobile Vulnerabilities Exposed: Data in Transit

Corellium’s Brian Robinson and Steven Smiley recently hosted a webinar on how threat researchers can use Corellium for mobile app testing to discover network-related vulnerabilities. Watch the webinar now, or keep reading to learn more about exposing vulnerabilities in data in transit.

Why Is Mobile App Testing Difficult?

Two major limitations make mobile app testing difficult. The first is access: your research is limited to the device models you physically have and the OS versions they happen to run. The second is time, since many researchers spend more of it managing devices than actually pen-testing.

Corellium addresses both by giving you a virtualized instance of the exact device and OS version you need. It runs natively on Arm hardware using Corellium’s own hypervisor and models a specific device in full, including telemetry, sensors, and so on. Snapshots let you keep a known-good device ready at all times and share state between users for collaboration. Every iOS version offered is already jailbroken, so you get privileged access without any extra work.

What Is Mobile App Network Traffic?

People log in to applications, use their features, send messages, and so on, generating large volumes of network traffic. Data travels across the network both between users and between the application and its backend servers. One of the biggest concerns for mobile security researchers is data leakage: sensitive data becoming accessible to unauthorized parties. It can leave users vulnerable to identity theft, fraud, or other types of attacks.

Many mobile apps are still leaking data. For example, some financial apps return data to the client that never needs to be shown, or fail to mask credit card and bank account numbers correctly. Another concern is a backend that exposes its server or framework software and version numbers (for example in response headers), which hands an attacker a starting point for targeted attacks.

Capturing Mobile App Network Traffic

You have several options when capturing mobile app network traffic. Start by checking:

  • Whether sensitive data is anonymized or masked.
  • How well the data is protected in transit.
  • Whether the connection is vulnerable to a man-in-the-middle attack.
  • What actually passes between the client and the server.

If the app already has security controls in place, such as certificate pinning, you can take things further: find ways to pen test through those controls and shore up the app even more.
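The checks above can be turned into a repeatable pass over a traffic capture. The following script is an added example, not code from Corellium or from the webinar: it walks a constructed, simplified list of request/response records (standing in for what an intercepting proxy or the Corellium network monitor would export; a real Burp or HAR export needs its own parser first) and flags plaintext HTTP, credentials sent in the clear, unmasked card numbers (candidate digit runs that pass the Luhn check), and version disclosure in response headers. The sample records, hostnames and finding labels are all made up for the example.

```python
"""Scan a captured mobile-app session for data-in-transit weaknesses.

Added example: the capture format is a constructed, one-record-per-request
list, not any tool's real export format.
"""
import re
from typing import Dict, List

# Constructed sample capture: three requests as a proxy might log them.
SAMPLE_CAPTURE = [
    {   # login over plaintext HTTP, credentials in the body
        "url": "http://api.example-bank.test/login",
        "request_headers": {"Content-Type": "application/x-www-form-urlencoded"},
        "request_body": "user=alice&password=Winter2024!",
        "response_headers": {"Server": "Apache/2.4.41 (Ubuntu)",
                             "X-Powered-By": "PHP/7.4.3"},
        "response_body": '{"status":"ok"}',
    },
    {   # HTTPS, but the backend returns a full card number
        "url": "https://api.example-bank.test/accounts",
        "request_headers": {"Authorization": "Bearer eyJhbGciOi..."},
        "request_body": "",
        "response_headers": {"Server": "nginx"},
        "response_body": '{"cards":[{"pan":"4111111111111111","exp":"12/27"}]}',
    },
    {   # HTTPS, card number masked server-side: nothing to report
        "url": "https://api.example-bank.test/accounts/masked",
        "request_headers": {"Authorization": "Bearer eyJhbGciOi..."},
        "request_body": "",
        "response_headers": {"Server": "nginx"},
        "response_body": '{"cards":[{"pan":"************1111","exp":"12/27"}]}',
    },
]

# Form/JSON parameter names that should never travel in the clear.
SENSITIVE_PARAMS = ("password", "passwd", "pin", "ssn", "token", "secret")
# Response headers that commonly leak software versions.
VERSION_HEADERS = ("Server", "X-Powered-By", "X-AspNet-Version", "X-Runtime")
# Candidate primary account numbers: 13 to 19 digits, word-bounded.
CANDIDATE_PAN = re.compile(r"\b\d{13,19}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check, used to separate real PANs from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_unmasked_pans(text: str) -> List[str]:
    """Return digit runs in `text` that look like valid card numbers."""
    return [m for m in CANDIDATE_PAN.findall(text) if luhn_valid(m)]


def looks_like_version(value: str) -> bool:
    """A header value with a dotted number in it is treated as a version string."""
    return re.search(r"\d+\.\d+", value) is not None


def analyze_record(rec: Dict) -> List[str]:
    """Produce finding labels for one request/response pair."""
    findings = []
    url = rec["url"]
    if url.startswith("http://"):
        findings.append(f"PLAINTEXT_HTTP {url}")
        body = rec.get("request_body", "").lower()
        if any(p + "=" in body for p in SENSITIVE_PARAMS):
            findings.append(f"CREDENTIALS_IN_CLEAR {url}")
    for name, value in rec.get("response_headers", {}).items():
        if name in VERSION_HEADERS and looks_like_version(value):
            findings.append(f"VERSION_DISCLOSURE {name}: {value}")
    for pan in find_unmasked_pans(rec.get("response_body", "")):
        # Report only the last four digits so the report itself does not leak.
        findings.append(f"UNMASKED_PAN ending {pan[-4:]} in response from {url}")
    return findings


def analyze_capture(capture: List[Dict]) -> Dict[str, List[str]]:
    """Map each URL in the capture to its list of findings (possibly empty)."""
    return {rec["url"]: analyze_record(rec) for rec in capture}


if __name__ == "__main__":
    for url, findings in analyze_capture(SAMPLE_CAPTURE).items():
        print(url)
        for f in findings or ["(no findings)"]:
            print("   ", f)
```

The Luhn filter keeps the PAN check from firing on timestamps or account IDs of similar length; when an app's own identifiers happen to pass Luhn, tighten `CANDIDATE_PAN` to the issuer prefixes you actually expect. The version check is deliberately loose (any dotted number in a known header) because the goal at this stage is to surface what the backend reveals, not to classify it.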

Analyzing Data in Transit

Use mobile app security best practices to evaluate your data in transit. Look for any sensitive values passed in plaintext over HTTP, and move that traffic to HTTPS so it is encrypted end to end. HTTPS alone is not enough if the client accepts any certificate it is handed, so certificate validation and certificate pinning are the next layers of protection for an app’s mobile traffic.
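To make the last point concrete, here is an added example (not Corellium’s or any app’s code) of the weak TLS client configuration that silently accepts a man-in-the-middle certificate, beside the corrected one, plus a post-handshake certificate pin check using only the Python standard library. The pins are SHA-256 hashes of the leaf certificate’s DER bytes; pinning the SubjectPublicKeyInfo instead survives certificate renewal under the same key and is what production pinning usually does. The "certificate" bytes below are constructed placeholders, not real certificates, and `connect_pinned` is a hypothetical helper name.

```python
"""Weak vs. hardened TLS client setup, with a leaf-certificate pin check.

Added example built on the Python standard library; the DER byte strings are
placeholders standing in for real certificates.
"""
import base64
import hashlib
import socket
import ssl
from typing import Iterable


def weak_context() -> ssl.SSLContext:
    """What 'just make the TLS error go away' looks like.

    Any certificate from anyone is accepted, so an intercepting proxy on the
    path (Burp, or an attacker on the same Wi-Fi) reads everything.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Platform trust store, hostname verification, TLS 1.2 as the floor."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def cert_pin(cert_der: bytes) -> str:
    """Base64(SHA-256(DER)) in the same shape HPKP-style pin lists use."""
    return base64.b64encode(hashlib.sha256(cert_der).digest()).decode("ascii")


def pin_matches(cert_der: bytes, pins: Iterable[str]) -> bool:
    """True if the presented leaf certificate is one of the pinned ones."""
    return cert_pin(cert_der) in set(pins)


def connect_pinned(host: str, port: int, pins: Iterable[str],
                   timeout: float = 5.0) -> ssl.SSLSocket:
    """Open a verified TLS connection and refuse it if the leaf is not pinned.

    Hypothetical helper: chain validation happens in wrap_socket(); the pin
    check runs on top of it, never instead of it.
    """
    ctx = hardened_context()
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    leaf = tls.getpeercert(binary_form=True)
    if not pin_matches(leaf, pins):
        tls.close()
        raise ssl.SSLError(f"certificate pin mismatch for {host}: {cert_pin(leaf)}")
    return tls


# Constructed placeholder "certificates": the bytes an app would have pinned at
# build time versus what an intercepting proxy presents during a MITM.
EXPECTED_LEAF_DER = b"\x30\x82placeholder-for-the-real-server-certificate"
PROXY_LEAF_DER = b"\x30\x82placeholder-for-the-intercepting-proxy-cert"

# Ship a backup pin alongside the current one so key rotation cannot brick the app.
PINNED = {cert_pin(EXPECTED_LEAF_DER), cert_pin(b"\x30\x82placeholder-backup-cert")}


if __name__ == "__main__":
    print("weak verify_mode     :", weak_context().verify_mode)
    print("hardened verify_mode :", hardened_context().verify_mode)
    print("expected leaf pinned :", pin_matches(EXPECTED_LEAF_DER, PINNED))
    print("proxy leaf pinned    :", pin_matches(PROXY_LEAF_DER, PINNED))
```

When you test an app built like the hardened half, traffic will not show up in Burp until the pin check is defeated, which is exactly the behaviour the next sections are about; when it is built like the weak half, the proxy’s certificate is accepted without any bypass, and that in itself is the finding.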

Integrating Virtual Devices with Intercepting Proxies like Burp Suite

You may want a more capable tool, like Burp Suite, to analyze your data in transit. Corellium makes this easy: connect to the virtual device using the OpenVPN configuration it provides, start Burp and configure a proxy listener, and finally set the proxy settings on the virtual device so its traffic goes through your intercepting proxy.

After that, you’ll start seeing the device’s traffic in Burp. Burp lets you do more advanced analysis of data in transit, such as repeating requests, modifying traffic on the fly, and any advanced fuzzing use cases.

Defeating Certificate Pinning Through Corellium's Network Monitor

Bypassing security controls can be done in many different ways. The first and easiest is Corellium’s built-in network monitor, which by default attempts to bypass the app’s certificate pinning so you can see its traffic without errors. Beyond that you can use readily available dynamic instrumentation scripts through Frida, the objection framework, and SSL Kill Switch. If dynamic methods are not enough, static techniques are possible: patch the pinning check out of the app binary and re-sign it.

It’s impossible to keep all attackers out forever, but you can take your app to the next level, making it much harder for attackers to intercept data in transit. With tougher mobile app security, hackers may move on to the next app because it’s too hard to hack yours.

Watch the full webinar on-demand to learn more about how to use Corellium for mobile app testing and advanced analysis of your app.