Insufficient Transport Layer Protection

Mobile applications frequently communicate over various networks, including unsecured public WiFi. Insufficient transport layer protection exposes data to interception and manipulation during transmission.

Common TLS/SSL Issues:

  • Accepting all SSL certificates without validation
  • Not implementing certificate pinning for sensitive applications
  • Using outdated TLS versions
  • Transmitting sensitive data over HTTP
  • Weak cipher suite configuration

Man-in-the-Middle Attack Scenario: An attacker on the same network can intercept communications between the mobile app and server, potentially stealing credentials, session tokens, or sensitive data. They might also inject malicious responses to compromise the application.

Implementing Proper Transport Security:

// iOS - Certificate pinning implementation
import Foundation
import Security

class NetworkManager: NSObject, URLSessionDelegate {
    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {

        // Only handle server-trust challenges; let the system handle any other kind
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let serverTrust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }

        // Run the normal chain evaluation first (trusted CA, hostname, expiry);
        // pinning is an additional check on top of it, not a replacement for it
        guard SecTrustEvaluateWithError(serverTrust, nil),
              let certificate = SecTrustGetCertificateAtIndex(serverTrust, 0) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }

        // Pin certificate: compare the leaf's DER bytes to the copy bundled with the app
        let serverCertData = SecCertificateCopyData(certificate) as Data
        guard let localCertData = loadLocalCertificate(), serverCertData == localCertData else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        completionHandler(.useCredential, URLCredential(trust: serverTrust))
    }

    // Loads the pinned DER-encoded certificate shipped in the app bundle
    // (the resource name "server.cer" is an assumption; use whatever the app ships)
    private func loadLocalCertificate() -> Data? {
        guard let url = Bundle.main.url(forResource: "server", withExtension: "cer") else { return nil }
        return try? Data(contentsOf: url)
    }
}

// Android - Certificate pinning with OkHttp
import okhttp3.CertificatePinner;
import okhttp3.OkHttpClient;

public final class PinnedClientFactory {
    public static OkHttpClient create() {
        // Pin the SHA-256 hash of the server's SubjectPublicKeyInfo (the value below is a placeholder).
        // Ship at least one backup pin as well, so a planned key rotation does not lock the app out.
        CertificatePinner certificatePinner = new CertificatePinner.Builder()
            .add("api.example.com", "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=")
            .build();

        // Every connection made through this client is rejected unless the chain matches a pin
        return new OkHttpClient.Builder()
            .certificatePinner(certificatePinner)
            .build();
    }
}
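Both snippets above need an artifact derived from the server certificate: the "sha256/..." SPKI pin for OkHttp and the DER file for the iOS bundle. The script below, added here as an example and not part of the original page, produces both with openssl (assumed to be installed) from a throwaway self-signed certificate that stands in for the real server certificate.

```shell
#!/bin/sh
# Derive the OkHttp pin ("sha256/<base64 of SHA-256 over the SubjectPublicKeyInfo>")
# and the DER certificate an iOS app bundles for pinning.
set -eu

# Print the SPKI pin of a PEM certificate in OkHttp's "sha256/..." form.
spki_pin_from_cert() {
    printf 'sha256/%s\n' "$(openssl x509 -in "$1" -pubkey -noout \
        | openssl pkey -pubin -outform der \
        | openssl dgst -sha256 -binary \
        | openssl enc -base64 -A)"
}

# Print the same pin computed from the private key; for a valid cert/key pair it must match.
spki_pin_from_key() {
    printf 'sha256/%s\n' "$(openssl pkey -in "$1" -pubout -outform der \
        | openssl dgst -sha256 -binary \
        | openssl enc -base64 -A)"
}

# Write the DER-encoded certificate (e.g. server.cer) for the iOS loadLocalCertificate() check.
der_cert_for_ios() {
    openssl x509 -in "$1" -outform der -out "$2"
}

# Constructed demo input: a one-day self-signed cert + key for api.example.com in directory $1.
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=api.example.com" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

tmp=$(mktemp -d)
make_demo_cert "$tmp"
echo "OkHttp pin (from cert): $(spki_pin_from_cert "$tmp/cert.pem")"
echo "OkHttp pin (from key):  $(spki_pin_from_key "$tmp/key.pem")"
der_cert_for_ios "$tmp/cert.pem" "$tmp/server.cer"
echo "DER cert for iOS bundle: $tmp/server.cer ($(wc -c < "$tmp/server.cer") bytes)"
```

Run spki_pin_from_cert against the production certificate (or its CA's) to get the value for CertificatePinner.add(); the pin from the key is the one to pre-compute for a backup key that is not yet deployed.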