How to avoid MitM attacks on Apps
The Cryptographer’s Panel at RSA included Professor Dan Boneh of Stanford University, who sat down with Whitfield Diffie, Ronald Rivest and Adi Shamir to talk about the most common failures of mobile apps and SSL encryption algorithms. A lively discussion drew special attention to the use of SSL/TLS within applications. In the conference panel Dan Boneh stated, “Many mobile apps fail to correctly validate the SSL certificate presented by the server they are communicating with.”
The problem is not the technology but its implementation. Our white paper “SSL for Apps: Best practices for developers” lays out how to implement SSL within non-browser apps in a way that is clear and easy for any user or developer to follow. “A Quick Guide to SSL for Apps” is a short read that covers the checks developers should perform when building the chain of trust from End Entity through Intermediate to Root. As the panel pointed out, anyone implementing a cloud-based service still needs to verify the server-side certificate, and some do not know how to do that verification. Failure to do so can allow a Man in the Middle attack or a connection to an untrusted site.
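As an added illustration (not code from the white paper or from the panel), the Python snippet below shows the failure Dan Boneh describes beside the correct configuration, using only the standard-library ssl module: a client context that accepts any certificate, a client context that requires the server certificate to chain to a trusted root and to match the hostname, and a small audit function that flags the weak settings. The function and tag names are the author’s own; the optional ca_pem parameter is an assumed way of pinning trust to an application’s own root certificate.

```python
import socket
import ssl
from typing import List, Optional


def insecure_client_context() -> ssl.SSLContext:
    """The anti-pattern: TLS is negotiated, but the server certificate is never
    validated, so an attacker in the path can present any certificate.
    Included only so the audit below has something to flag."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be disabled before verify_mode can drop
    ctx.verify_mode = ssl.CERT_NONE  # accept any certificate, any chain
    return ctx


def secure_client_context(ca_pem: Optional[str] = None) -> ssl.SSLContext:
    """Context that builds and checks the chain (End Entity -> Intermediate -> Root)
    against a trust store and checks the hostname against the certificate.

    If ca_pem (a PEM string; assumed parameter) is given, only that root is
    trusted, which is how an app pins to a private CA. Otherwise the platform's
    default root store is used."""
    if ca_pem is None:
        ctx = ssl.create_default_context()  # CERT_REQUIRED, check_hostname=True, system roots
    else:
        ctx = ssl.create_default_context(cadata=ca_pem)  # only the supplied root is trusted
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse legacy protocol versions
    return ctx


def audit_client_context(ctx: ssl.SSLContext) -> List[str]:
    """Return short tags for each weak setting found; an empty list means the
    context enforces certificate validation and hostname checking."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("no-cert-verification")  # chain is never validated
    if not ctx.check_hostname:
        findings.append("no-hostname-check")     # any valid cert for any name passes
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy-tls")            # TLS 1.0/1.1 still negotiable
    return findings


def open_verified_socket(host: str, port: int, ctx: ssl.SSLContext) -> ssl.SSLSocket:
    """Open a TLS connection with the given context. server_hostname must be
    passed so the library can check the certificate against the expected name
    (and send SNI); omitting it is a common way to silently lose that check.
    Requires network access, so it is not exercised in the offline test."""
    raw = socket.create_connection((host, port), timeout=10)
    return ctx.wrap_socket(raw, server_hostname=host)


if __name__ == "__main__":
    print("insecure:", audit_client_context(insecure_client_context()))
    print("secure:  ", audit_client_context(secure_client_context()))
```

In a code review, the audit amounts to three questions about every client context: is verify_mode CERT_REQUIRED, is check_hostname True, and is server_hostname passed when the socket is wrapped? A context that fails the first two behaves exactly as the panel warned, accepting whatever certificate an intermediary presents.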
If you missed the panel, a replay is available here: http://www.youtube.com/watch?v=eKhudJCGoJc
Read about SSL for Apps and other white papers at our website: https://go.symantec.com/trustontheinternet