Mobility Community Blog

Protect against "Goto fail" SSL exploit in mobile apps

Leverage Symantec app wrapping to require strong encryption
Created: 26 Feb 2014 • Updated: 05 Mar 2014
Author: adamli9

You may have heard about the “goto fail” vulnerability in Apple iOS and OS X that was recently discovered. A bug in Apple’s SSL code caused apps to trust improper certificates, which made man-in-the-middle attacks possible. Aldo Cortesi, a security researcher in New Zealand, was able to modify a proxy to use the improper certificate to capture all data traffic from an iOS device (http://corte.si/posts/security/cve-2014-1266.html). Using this method, data from almost any app on the iPhone or iPad can be captured without the user being aware.
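The control-flow defect behind the “goto fail” name, as an added example that is not part of the original post and is not Apple's code: a simplified C model showing how a duplicated goto returns success without ever checking the signature, beside a hardened form. The routines hash_update and raw_verify and all values are constructed stand-ins.

```c
#include <stdio.h>

/* Constructed stand-ins for the handshake hash and signature check. */
typedef struct { unsigned sum; } hash_ctx;

static int hash_update(hash_ctx *c, const char *data) {
    if (data == NULL) return -1;
    for (; *data; data++) c->sum = c->sum * 31u + (unsigned char)*data;
    return 0;
}

/* Returns 0 only when the signature matches the hashed data. */
static int raw_verify(const hash_ctx *c, unsigned sig) {
    return c->sum == sig ? 0 : -1;
}

/* Flawed pattern: the second goto is not guarded by the if, so control
 * always jumps to fail with err == 0 and raw_verify never runs. */
int verify_flawed(const char *randoms, const char *params, unsigned sig) {
    hash_ctx c = {0};
    int err;
    if ((err = hash_update(&c, randoms)) != 0)
        goto fail;
    if ((err = hash_update(&c, params)) != 0)
        goto fail;
    goto fail; /* duplicated line; the real one was indented to look guarded */
    err = raw_verify(&c, sig);
fail:
    return err;
}

/* Hardened form: braces on every branch, and the result starts as failure,
 * so success is returned only if the signature check itself passed. */
int verify_fixed(const char *randoms, const char *params, unsigned sig) {
    hash_ctx c = {0};
    int err = -1;
    if (hash_update(&c, randoms) != 0) { goto fail; }
    if (hash_update(&c, params) != 0) { goto fail; }
    err = raw_verify(&c, sig);
fail:
    return err;
}

int main(void) {
    unsigned forged = 0xdeadbeefu; /* constructed value that matches nothing */
    printf("flawed accepts forged signature: %s\n", verify_flawed("r", "p", forged) == 0 ? "yes" : "no");
    printf("fixed accepts forged signature:  %s\n", verify_fixed("r", "p", forged) == 0 ? "yes" : "no");
    return 0;
}
```

Compiler warnings for unreachable code and misleading indentation, plus a test that presents a deliberately invalid signature, each catch this class of defect.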

Apple quickly issued patches to address these vulnerabilities for both iOS and OS X (http://support.apple.com/kb/HT6147), but one must be proactive when it comes to securing data, especially on mobile apps.

The app wrapping capabilities in Symantec App Center allow you to enforce strong encryption for both data at rest and in transit.  I tested the SSL cipher restriction feature against the SSL exploit on iOS and found that it blocked the connection to the server using the tampered certificate.

This is the native Safari browser on iOS 7.0.2 visiting the SSL exploit test page: https://www.imperialviolet.org:1266

IMG_0030.PNG

This is a third party web browser app visiting the same site without any app wrapping protection:

IMG_0032.PNG

This section of the app policy in App Center requires a trusted certificate with a strong cipher:

SSLPolicy.png

The same third party web browser app was wrapped using the above policy and visited the same site:

IMG_0034.PNG

Applying additional data security using Symantec’s app wrapping technology can protect your apps against unknown threats, including man-in-the-middle attacks. Adding this security is easy and can protect your data where it’s needed most.