Mitigating man-in-the-middle attacks on smartphones – a discussion of SSL pinning and DNSSec
Originally published in the Proceedings of the 12th Australian Information Security Management Conference, held on 1-3 December 2014 at Edith Cowan University, Joondalup Campus, Perth, Western Australia.
Since their introduction, smartphones have remained one of the most widely used handheld devices, and this trend is predicted to continue in the coming years. Consequently, the number of attacks on smartphones is increasing exponentially; current market research shows that data traffic generated by smartphones will increase tenfold by 2019. Such an increase in traffic indicates that the smartphone industry will remain an attractive target for attackers. Whilst smartphone users are aware of the benefits of installing antivirus applications to protect against malware, they have limited knowledge of how to mitigate MiTM attacks. Furthermore, application developers do not always treat the implementation of appropriate security checks as an important step during development.
In this paper, we describe MiTM attacks based on SSL and DNS and provide a discussion on how they can be mitigated using SSL Pinning and DNSSec. We complete our discussion on mitigation of MiTM attacks by including challenges, limitations and recommendations for application developers and smartphone users. In particular, we suggest that application developers pass a certification test regarding their use of SSL Pinning and/or DNSSec.