Journal: International Journal of Computer Network and Information Security

Assessing Vulnerability of Mobile Messaging Apps to Man-in-the-Middle (MitM) Attack

Abstract

Mobile apps are gaining in popularity and are becoming an indispensable part of our digital lives. Several mobile apps (such as messaging apps) contain personal/private information of the users. Inevitably, the compromise of accounts associated with such sensitive apps can result in disastrous consequences for the end user. Recently, the Password Reset Man-in-the-Middle (PRMitM) attack was proposed at the application level, in which an attacker can take over a user’s web account while the user is trying to access/download resources from the attacker’s website. In this work, we adapt this attack so that it can be applied in the context of mobile messaging apps. Specifically, we analyze 20 popular mobile messaging apps for vulnerability to MitM attack, 10 of which support secure communication through end-to-end encryption. Based on our holistic analysis, we have identified 10 of the tested apps as being vulnerable to MitM attack and elaborated on the corresponding attack scenarios. On comparing the secure messaging apps to non-secure messaging apps for vulnerability to MitM attack, we found that an app’s features and design choices decide whether it is susceptible to MitM attack, irrespective of whether it provides end-to-end encryption. Further, we have proposed design improvements to increase the overall security of all mobile messaging apps against MitM attack.