This week domain registrar and web hosting company GoDaddy revealed the introduction of a bug into their domain validation processing system in July 2016. The flaw could have resulted in forged certificates issued to an individual for a domain they don’t own, and highlights security challenges inherent in mobile apps’ dependence on third-party services and components.
For example, a malicious individual could have acquired a forged certificate for the domain of a back-end server that supports a mobile app’s functionality, allowing them to execute a man-in-the-middle (MITM) attack on the app.
A commenter states that in some cases, “Due to a common misconfiguration, customers sharing a bulk host can often answer HTTPS requests for other people’s sites that haven’t for whatever reason enabled SSL yet. GoDaddy’s validation method as described would be vulnerable to this problem.”
According to the report, 8,850 certificates were issued without proper domain validation. The company said they were not aware of any compromises related to the bug and that the incident was resolved by re-validating affected certificates and revoking those that couldn’t be verified.
Forged certificates and mobile app security risks
The purpose of this blog post is not to exaggerate the threat of this incident. The objective is to examine the bug’s impact on mobile apps, remind enterprises and developers of the dangers of MITM attacks, and explain the importance of certificate pinning. Based on what we can gather, enterprises and developers that implement certificate pinning in their apps would have mitigated the risk of an MITM attack in the event an attacker got their hands on a forged GoDaddy certificate associated with the app’s back-end domain.
Exploiting this bug to compromise communications between a mobile app and its associated back-end would be multi-phased and time-intensive (i.e., difficult). But, a forged certificate issued as a result of this bug could be used to intercept traffic even from apps that implement TLS properly, if those apps don’t also implement certificate pinning.
How many mobile apps talk to servers that use GoDaddy certificates?
NowSecure Director of Research David Weinstein was curious to see how many mobile apps talk to servers that use certificates issued by GoDaddy. In a sample of iOS app security assessments gathered from the NowSecure mobile app intelligence engine, David found that 578 (25 percent) of 2,300 iOS apps assessed talked to at least one server that presents a GoDaddy certificate.
“While the analysis doesn’t mean any one of these servers is using a bad certificate, it shows how many services use GoDaddy-generated certificates and how easy it might be to potentially miss a bad one,” David said.
Managing and validating certificates to reduce mobile security risk
A user doesn’t much care who’s at fault when their personal data is compromised. If information you’ve collected about them through your branded mobile app is compromised, guess who takes the blame? That’s right — your brand.
To protect your app against MITM attacks springing from forged certificates, consider the following guidance with regard to your mobile apps:
- Don’t accept self-signed certificates
- Don’t set a permissive hostname verifier
- Implement proper certificate validation
- Fully validate certificates presented to the app and ensure they’re signed by a trusted root CA
- Verify that the hostname (Common Name or CN) listed on the certificate matches that of the host with which the app intends to communicate
- Implement certificate pinning
- Perform a security assessment of your app, including dynamic analysis, prior to deployment to check for exposure to MITM attacks and other vulnerabilities
Learn more about certificate validation and certificate pinning in Android and iOS apps by reading the NowSecure Secure Mobile Development Best Practice “Fully validate TLS”.
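As an added example (not code from the original post or from NowSecure), here is the pinning step from the list above written in Go against the standard library: the callback runs only after ordinary chain and hostname validation, and rejects a certificate for the right hostname whose public key is not pinned, which is exactly the forged-certificate case discussed above. The hostname api.example.com and the self-signed certificates are constructed test data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"math/big"
	"time"
)

// spkiPin returns base64(SHA-256(SubjectPublicKeyInfo)), the pin format OkHttp and
// Android's network security config use. Pinning the key, not the whole certificate,
// survives routine renewals that keep the same key pair.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// pinnedVerifier builds a callback to assign to tls.Config.VerifyPeerCertificate.
// Go invokes it after normal chain and hostname checks passed, so a CA-signed
// certificate for the correct name is still rejected unless its key is pinned.
// If validation was disabled (InsecureSkipVerify) chains is nil and we fail closed.
func pinnedVerifier(pins []string) func([][]byte, [][]*x509.Certificate) error {
	return func(_ [][]byte, chains [][]*x509.Certificate) error {
		for _, chain := range chains {
			for _, c := range chain { // a pin may name the leaf, an intermediate or the root
				got := []byte(spkiPin(c))
				for _, want := range pins {
					if subtle.ConstantTimeCompare(got, []byte(want)) == 1 {
						return nil
					}
				}
			}
		}
		return errors.New("pinning: no pinned public key in the verified chain")
	}
}

// selfSigned makes a throwaway certificate for host: constructed test data only.
func selfSigned(host string) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: host},
		DNSNames: []string{host}, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert
}
```

Two certificates for the same hostname but different keys model the genuine server and a certificate a mis-validating CA could have issued: only the pinned one passes.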
In sum, you need to perform due diligence when selecting the third-party services and components you include in your app. You should also institute a process whereby you regularly assess your mobile apps and back-end services for new vulnerabilities and flaws that might put you at risk. Read more about how to do this by building and managing a mobile app security program.