Mobile Traffic Inspection
Intercepting mobile app traffic revealed hardcoded API keys, insecure data storage, and lack of certificate pinning.
Overview
Mobile applications often communicate with backend APIs to send and receive data. Without proper security controls, this traffic can be intercepted, modified, or analyzed by attackers, leading to data breaches, account takeover, and API abuse.
Type: Insecure Communication
Affected: Android & iOS Applications
Impact: Data exposure, API key theft
CVSS: 8.8 (Critical)
The Vulnerability
During mobile application security assessments, we discovered that many apps lack basic security controls for network communication. By setting up a proxy and installing a custom CA certificate, we could intercept all HTTPS traffic between the mobile app and its backend servers.
Technical Details
The main issues identified were:
- No Certificate Pinning: Apps accepted any valid certificate, allowing MITM attacks
- Hardcoded API Keys: Sensitive keys embedded in the app code
- Plaintext Sensitive Data: Authentication tokens, PII sent without encryption
- Weak Authentication: API endpoints lacked proper authorization
```java
// Hardcoded API keys found in decompiled app
public class APIConfig {
    public static final String API_KEY = "sk_live_1234567890abcdef";
    public static final String SECRET = "supersecretkey123";
    public static final String DATABASE_URL = "mongodb://admin:password@cluster.mongodb.net";
}
```
Attack Scenario
- Attacker sets up a Wi-Fi hotspot with a proxy (Burp Suite, mitmproxy)
- Victim connects to the network and uses the mobile app
- Attacker intercepts all HTTPS traffic between app and server
- Sensitive data like authentication tokens, personal info, API keys are captured
- Attacker uses stolen credentials/keys to access backend systems
Intercepted traffic showing sensitive data:

```http
POST /api/login HTTP/1.1
Host: api.vulnerable-app.com
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...

{
  "userId": "user_12345",
  "email": "victim@example.com",
  "creditCard": "4111111111111111",
  "cvv": "123",
  "apiKey": "sk_live_abcdef123456"
}
```
Real-World Impact
- Theft of API keys leading to unauthorized access and financial loss
- Exposure of user credentials and personal information
- Account takeover across multiple services (credential reuse)
- Financial fraud through stolen payment information
- Reputational damage and regulatory fines (GDPR, CCPA)
Root Cause
- Lack of certificate pinning implementation
- Hardcoded secrets in client-side code
- No encryption for sensitive data in transit
- Missing API security controls (rate limiting, authentication)
- Insufficient security testing before release
Remediation
- Implement Certificate Pinning: Pin your server certificates in the app
- Never Hardcode Secrets: Use secure backend storage or key management services
- Encrypt Sensitive Data: Use strong encryption for data at rest and in transit
- Implement Strong Authentication: Use OAuth2, JWT with short expiration
- API Security: Validate all requests, implement rate limiting
- Regular Security Testing: Perform penetration testing before releases
Secure implementation with certificate pinning (Android Network Security Config):

```xml
<!-- Pin the backend's public keys; the second pin is a backup for key rotation -->
<network-security-config>
    <domain-config>
        <domain includeSubdomains="true">api.secure-app.com</domain>
        <pin-set>
            <pin digest="SHA-256">base64EncodedPublicKey1=</pin>
            <pin digest="SHA-256">base64EncodedPublicKey2=</pin>
        </pin-set>
    </domain-config>
</network-security-config>
```

Secure API key storage (Android Keystore):

```java
import java.security.KeyStore;
import javax.crypto.SecretKey;

KeyStore keyStore = KeyStore.getInstance("AndroidKeyStore");
keyStore.load(null);
// The Keystore holds a non-exportable cryptographic key; use it to encrypt and
// decrypt the API secret rather than embedding the secret string in the APK.
SecretKey key = (SecretKey) keyStore.getKey("api_key", null);
```
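How the `<pin>` values in the config above are derived, as an added example that is not the page's own code: a pin is the base64 of the SHA-256 over the DER-encoded subjectPublicKeyInfo of the server or intermediate certificate. The minimal DER walker below extracts that field and computes the pin; the certificate it runs on is constructed inline with placeholder fields (the function names, `der` helper and the stand-in certificate are assumptions, not anything from the original page).

```python
import base64
import hashlib

def _read_tlv(buf, pos):
    """Parse one DER TLV header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _children(buf, start, end):
    out, pos = [], start                   # (tag, tlv_start, tlv_end) per element
    while pos < end:
        tag, _, vend = _read_tlv(buf, pos)
        out.append((tag, pos, vend))
        pos = vend
    return out

def extract_spki(cert_der):
    """Return the raw DER bytes of subjectPublicKeyInfo from an X.509 certificate."""
    _, cert_val, _ = _read_tlv(cert_der, 0)              # Certificate ::= SEQUENCE
    _, tbs_val, tbs_end = _read_tlv(cert_der, cert_val)  # tbsCertificate ::= SEQUENCE
    fields = _children(cert_der, tbs_val, tbs_end)
    if fields[0][0] == 0xA0:                             # optional EXPLICIT [0] version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    _, start, end = fields[5]
    return cert_der[start:end]

def pin_from_spki(spki_der):
    """Network Security Config pin value: base64(SHA-256(SPKI DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def spki_pin(cert_der):
    return pin_from_spki(extract_spki(cert_der))

def der(tag, content):
    """Encode one DER TLV with definite length (used to construct test input)."""
    if len(content) < 0x80:
        return bytes([tag, len(content)]) + content
    lb = len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

# Constructed stand-in certificate (not a real CA-issued cert): fields are placeholders,
# only the DER nesting matters for locating subjectPublicKeyInfo.
RSA_OID = bytes.fromhex("2a864886f70d010101")            # 1.2.840.113549.1.1.1 rsaEncryption
SPKI = der(0x30, der(0x30, der(0x06, RSA_OID) + der(0x05, b""))
           + der(0x03, b"\x00" + b"\x01" * 200))          # BIT STRING, placeholder key bytes
TBS = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")   # version v3, serial
          + der(0x30, b"") * 4 + SPKI)                    # sigalg, issuer, validity, subject
CERT = der(0x30, TBS + der(0x30, b"") + der(0x03, b"\x00"))  # + signatureAlgorithm, signature
```

On a real PEM certificate the same value comes from `openssl x509 -in cert.pem -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64`, which is the usual way to fill in the `<pin>` entries.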
Timeline
- October 2023: Discovered during mobile app assessments
- November 2023: Disclosed to app developers
- December 2023: Patches released with certificate pinning
- January 2024: Public disclosure and best practices guide