Mobile Top 10 2012 - M3 Insufficient Transport Layer Protection

Threat Agents	Attack Vectors	Security Weakness		Technical Impacts	Business Impacts
Application Specific	Exploitability DIFFICULT	Prevalence COMMON	Detectability EASY	Impact MODERATE	Application / Business Specific
When designing a mobile application, commonly data is exchanged in a client-server fashion. When this data is exchanged it traverses both the carrier network and the internet. For sensitive data, if the application is coded poorly, users local to your network, any devices (routers, cell towers, etc), or other threat agents can use techniques to view this sensitive data while it's travelling across the wire.	The exploitabilty factor of monitoring a network for insecure communications ranges. Monitoring traffic over a carriers network is harder than that of monitoring a local coffee shops traffic. In general targeted attacks are easier to perform.	Unfortunately, mobile applications frequently do not protect network traffic. They may use SSL/TLS during authentication, but not elsewhere, exposing data and session IDs to interception. Detecting basic flaws is easy. Just observe the site’s network traffic. More subtle flaws require inspecting the design of the application and the server configuration.		Such flaws expose individual users’ data and can lead to account theft. If an admin account was compromised, the entire site could be exposed. Poor SSL setup can also facilitate phishing and MITM attacks.	Consider the business value of the data exposed on the communications channel in terms of its confidentiality and integrity needs, and the need to authenticate both participants.

Am I Vulnerable To Insufficient Transport Layer Protection?

Am I Vulnerable Description

How Do I Prevent Insufficient Transport Layer Protection?

How do I prevent

Example Scenarios

References

Mobile Top 10 2012 - M3 Insufficient Transport Layer Protection

Navigation menu

Personal tools

Namespaces

Variants

Views

More

Search

Navigation

Reference

Tools