You may have heard about the “goto fail” vulnerability in Apple iOS and OS X that was recently discovered. A bug in Apple’s SSL code allowed improper certificates to be trusted by apps, allowing man-in-the-middle attacks. Aldo Cortesi, a security researcher in New Zealand, was able to modify a proxy to use the improper certificate to capture all data traffic from an iOS device (http://corte.si/posts/security/cve-2014-1266.html). Using this method, data from almost any app on the iPhone or iPad can be captured without the user being aware.
Apple quickly issued patches to address these vulnerabilities for both iOS and OS X (http://support.apple.com/kb/HT6147), but one must be proactive when it comes to securing data, especially on mobile apps.
The app wrapping capabilities in Symantec App Center allow you to enforce strong encryption for both data at rest and in transit. I tested the SSL cipher restriction feature against the SSL exploit on iOS and found that it blocked the connection to the server using the tampered certificate.
This is the native Safari browser on iOS 7.0.2 visiting the SSL exploit test page: https://www.imperialviolet.org:1266
This is a third party web browser app visiting the same site without any app wrapping protection:
This section of the app policy in App Center requires a trusted certificate with a strong cipher:
The same third party web browser app was wrapped using the above policy and visited the same site:
Applying additional data security using Symantec’s app wrapping technology can protect your apps against unknown threats, including man-in-the-middle attacks. Adding this security is easy and can protect your data where it’s needed most.