Android Penetration Testing

Insecure Communication

M2: Insecure Communication is a category that covers various types of flaws that allow attackers to intercept, modify, or steal the data or messages that are exchanged between mobile applications and other systems or services. Communication is the process of sending and receiving information or commands over a network, such as the internet or a wireless connection. For example, when you use your banking app to check your balance or transfer money, you are communicating with the bank’s server.

Insecure communication can happen when mobile applications do not protect or encrypt the data or messages that they send or receive over the network. For example, some common flaws are:

  • Unencrypted communication: Some applications use plain text or clear text protocols (such as HTTP or FTP) to communicate with other systems or services, which means that anyone who can access the network can see or capture the data or messages in their original form.

  • Weak encryption: Some applications use encryption protocols (such as HTTPS or SSL) to communicate with other systems or services, but they use weak or outdated algorithms (such as the DES cipher or the MD5 hash) or short keys (such as 64-bit or 128-bit) that attackers can break or crack with little effort.

  • Improper certificate validation: Some applications use encryption protocols (such as HTTPS or SSL) to communicate with other systems or services, but they do not check if the certificates (which are like digital IDs) that they receive from the other parties are valid or trustworthy. They might accept self-signed certificates, expired certificates, revoked certificates, or certificates from unknown sources.

  • Man-in-the-middle attacks: Some applications use encryption protocols (such as HTTPS or SSL) to communicate with other systems or services, but they are still vulnerable to man-in-the-middle attacks, where an attacker sits between the two parties and intercepts, modifies, or redirects the data or messages without either party noticing.

These flaws can lead to serious consequences, such as data leakage, data tampering, data injection, phishing, spoofing, etc. Therefore, it is very important for mobile applications to implement and enforce secure communication mechanisms, such as:

  • Encryption: Applications should use secure and up-to-date encryption protocols (such as HTTPS or TLS), algorithms (such as AES for encryption and SHA-2 for hashing), and keys (such as 256-bit or 512-bit) to protect the data or messages that they send or receive over the network.

  • Certificate validation: Applications should check if the certificates that they receive from other systems or services are valid and trustworthy. They should only accept certificates that are issued by trusted authorities (such as VeriSign or DigiCert), that are not expired or revoked, and that match the domain name of the other party.

  • Certificate pinning: Applications should use certificate pinning techniques to prevent man-in-the-middle attacks. Certificate pinning is a process of storing and verifying the expected certificate of a specific system or service on the device. If the received certificate does not match the expected one, the communication is aborted.

  • Secure coding practices: Applications should follow secure coding practices to prevent communication flaws. For example, they should use secure libraries and frameworks (such as OkHttp or Retrofit) to handle network operations, they should avoid hardcoding sensitive information (such as keys or passwords) in the code, they should sanitize and validate user input and output data, etc.
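As an added example (not code from this page, from OWASP, or from InsecureShop), the "improper certificate validation" pattern from the flaw list above is shown beside an OkHttp client that keeps the platform's default validation and adds certificate pinning as the mitigation list recommends. API_HOST and both pin values are placeholders; in a real app the pins are the base64 SHA-256 hashes of the server's SubjectPublicKeyInfo.

```kotlin
import okhttp3.CertificatePinner
import okhttp3.OkHttpClient
import java.security.SecureRandom
import java.security.cert.X509Certificate
import javax.net.ssl.SSLContext
import javax.net.ssl.X509TrustManager

// Placeholders (assumptions for this example): replace with the real API host
// and the base64 SHA-256 hashes of its leaf or intermediate public key.
const val API_HOST = "api.example.com"
const val PRIMARY_PIN = "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="
const val BACKUP_PIN = "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQ="

// WEAK: the "improper certificate validation" flaw. A trust manager that
// accepts every chain plus a verifier that accepts every hostname means TLS
// still encrypts the channel but authenticates nobody, so any interposed
// certificate is accepted. This is the pattern to flag in code review.
fun weakClient(): OkHttpClient {
    val trustAll = object : X509TrustManager {
        override fun checkClientTrusted(chain: Array<X509Certificate>, authType: String) {}
        override fun checkServerTrusted(chain: Array<X509Certificate>, authType: String) {}
        override fun getAcceptedIssuers(): Array<X509Certificate> = arrayOf()
    }
    val ctx = SSLContext.getInstance("TLS")
    ctx.init(null, arrayOf(trustAll), SecureRandom())
    return OkHttpClient.Builder()
        .sslSocketFactory(ctx.socketFactory, trustAll)
        .hostnameVerifier { _, _ -> true }
        .build()
}

// HARDENED: keep OkHttp's defaults (system trust store, expiry and hostname
// checks) and add public-key pinning for the API host. Two pins (the current
// key plus a backup key kept offline) let the certificate rotate without
// breaking the app; the handshake is aborted if no pin matches the chain.
fun hardenedClient(): OkHttpClient {
    val pinner = CertificatePinner.Builder()
        .add(API_HOST, PRIMARY_PIN)
        .add(API_HOST, BACKUP_PIN)
        .build()
    return OkHttpClient.Builder()
        .certificatePinner(pinner)
        .build()
}
```

The same pins can also be declared in res/xml/network_security_config.xml as a pin-set under a domain-config, where cleartextTrafficPermitted="false" additionally blocks the plain-HTTP case from the first bullet.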

I hope this explanation helps you understand what M2: Insecure Communication is and why it is important. If you want to learn more about this category and how to prevent it, you can check out these resources:

  • [M2-Insecure Communication | OWASP Foundation]: The official website of the OWASP Mobile Top 10 project. It contains detailed information about this category and links to other useful resources.

  • [Mobile App Security: How To Secure Your Mobile App Data In Transit]: A blog post that provides an overview of the best practices for mobile app security in transit.

  • [Mobile App Security Testing | Cybrary]: A course that teaches you how to test and secure mobile applications against various security risks.
