Time and again we see evidence that the importance of machine identities to security is severely under-acknowledged. A new investigation by IOActive reveals that most mobile apps for stock trading are not entirely secure and could allow a hacker to hijack the apps' communications. (More about that later.) But this potential oversight is not altogether surprising. With rigid SLAs and compressed timelines for continuous development, security is just not top of mind for developers.
Here’s the simple security step that most developers aren’t thinking about. Machines talk to other machines, whether they are servers, laptops, applications or mobile devices. Those communications must be secure. Encryption gives users the assurance that their machine is communicating with the machine it should be talking to and that those communications are secure from eavesdropping. Keys and certificates are the tools that the machine uses to validate the machine identities on both sides of the communications.
Here’s where it gets nasty. If you allow your machine’s identity to become compromised, you run the risk of a stranger taking control of your machine, impersonating you and doing things you probably don’t want them to be doing. Much of the mobile app world (and others) just doesn’t seem to realize the impact of loosely controlled machine identities. That was certainly the case with the majority of stock trading apps investigated by IOActive.
IOActive researcher Alejandro Hernández looked at 21 leading stock trading apps and found that 68% of Android and iOS apps failed to validate SSL certificates. What does this mean and why is it serious? Naked Security breaks it down, “When you engage in a secure connection using HTTPS you’re given a public key by the system you’re connecting to and that key is signed by a digital certificate that identifies them. Anyone can create a certificate but unless the details in it have been vouched for by a CA (Certificate Authority) it’s deemed untrustworthy.” What’s the impact? “If apps don’t bother to check if a CA has vouched for a certificate then all bets are off. Any certificate could be presented, by anybody, without setting off any alarms.”
Granted, it is a bit surprising that certificate security could be so lax for apps that have so much potential financial impact. But it becomes downright alarming when you remember that this is not our first time down this road. The industry should have learned its lesson when banking apps faced similar problems with online banking security in 2013. At that time, IOActive found that 40% of iOS banking apps accepted TLS certificates without validating them. (Even two years later IOActive discovered that 12.5% of banking apps still did not validate certificates.)
If an app does not properly validate a certificate, it opens the door to security risks such as man-in-the-middle attacks and increases the likelihood of users accessing phishing sites.
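The validation failure described above, and the "any certificate could be presented, by anybody" consequence, can be reproduced end to end. The following is an added example and not code from IOActive or from any of the apps studied: it starts a local HTTPS server with a constructed self-signed certificate (standing in for a backend, or for an interceptor, that no CA has vouched for) and compares a client that skips verification, the mobile-app flaw in question, with two clients that validate properly.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// fetch performs one HTTPS GET with the given TLS client settings; nil means the
// client accepted the server's certificate and completed the request.
func fetch(url string, cfg *tls.Config) error {
	tr := &http.Transport{TLSClientConfig: cfg}
	defer tr.CloseIdleConnections()
	resp, err := (&http.Client{Transport: tr}).Get(url)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	_, err = io.Copy(io.Discard, resp.Body)
	return err
}

// RunDemo stands up a local HTTPS server whose certificate is self-signed (a
// constructed stand-in for a trading backend or an interceptor: no CA vouches
// for it) and reports how three client configurations treat that certificate.
func RunDemo() (weakAccepted bool, strictErr, trustedErr error) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "ACME 42.00") // constructed sample quote
	}))
	defer srv.Close()
	// Weak: the flaw IOActive found. Any certificate, from anybody, is accepted.
	weakAccepted = fetch(srv.URL, &tls.Config{InsecureSkipVerify: true}) == nil
	// Correct: default validation against the system trust store fails closed,
	// because no trusted CA has vouched for this certificate.
	strictErr = fetch(srv.URL, &tls.Config{})
	// Correct and functional: trust the expected issuer explicitly instead of
	// turning verification off. Only this server's certificate chain is accepted.
	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate())
	trustedErr = fetch(srv.URL, &tls.Config{RootCAs: pool})
	return
}

func main() {
	weak, strictErr, trustedErr := RunDemo()
	fmt.Printf("skip-verify accepted: %v\nsystem roots: %v\ntrusted issuer: %v\n", weak, strictErr, trustedErr)
}
```

The third client shows the right fix when a backend legitimately uses a private CA: add that issuer to the trust pool rather than disabling validation.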
It appears that we have hit snooze one too many times on the certificate security wake-up call. It’s past time that we realized the importance of protecting machine identities, especially for apps that support the financial industry. One way to improve that awareness is to build certificate management into the development process. DevOps automation is one tactic that will help ensure that proper certificate security measures are not overlooked.
How secure are the apps that your enterprise relies on? Can you track and validate mobile certificates?