Cybercriminals target mobile applications with fake SSL Certificates

Pierluigi Paganini February 14, 2014

Cybercriminals targeting mobile applications with fake SSL Certificates to run man-in-the-middle attacks against the affected companies and their customers.

There is the wrong conviction that SSL certification user can protect users from be tricked to visit a fake website. Netcraft has uncovered numerous attacks based on fake SSL certificates used to impersonate online banking websites, ecommerce , ISPs and social network platforms. The fake certificates could be delivered to run man-in-the-middle attacks against the affected companies and their customers, the offensives allow attackers to decrypt legitimate traffic before re-encrypting it and forwarding it to the victim’s website.

To conduct a man-in-the-middle attack and to intercept the communications, the attacker must be on the same network of the victim, it is simply to satisfy this condition, for example setting up a fake wireless Access Point (AP).

These attacks are really insidious because both site owners and clients have no perception of an ongoing attack.

“The fake certificates bear common names (CNs) which match the hostnames of their targets (e.g. As the certificates are not signed by trusted certificate authorities, none will be regarded as valid by mainstream web browser software; however, an increasing amount of online banking traffic now originates from apps and other non-browser software which may fail to adequately check the validity of SSL certificates.” reported Netcraft.

facebook fake SSL certificate


The SSL Certificates used in the attacks aren’t digitally signed by a trusted certificate authority, Online banking customers that use mobile apps to access their bank website are exposed to risk of man-in-the-middle attack because the mobile application often falls certificate validation. IO Active reported that 40% of iOS-based banking apps tested are vulnerable to man-in-the-middle attacks because they are not able to validate the SSL certificates presented by the server.

What happen if a user is  tricked into installing rogue root certificates through social engineering or malware attacks?

Researchers at the Leibniz University of Hannover and Philipps University of Marburg in Germany conducted manual tests on selected Android apps discovering that 41% were vulnerable, both apps and browsers may also be vulnerable after the installation of a rogue root certificate.

The SSL certificate in the above picture was discovered by experts at Netcraft  and was used for fraudulent activities against on some Ukraine based web servers. The web servers in Ukraine were hosting a fake Facebook website to use for phishing activities.

Popular apps, including Google, Facebook and Twitter implements the technique known as Certificate Pinning (Hard-code in the client the certificate known to be used by the server) to automatically reject a connection from sites that offer bogus SSL certificates, this means that if a user accesses from his browser, it will trust the certificate if it’s signed by trusted Certification Authority, but connecting to a Google via an app on mobile, it will only trust the certificates signed by Google itself.

Mobile is considered the ideal platform to implement certificate pinning because a mobile Application, usually needs to connect to a small set of servers and its developer is responsible to write the client-side code.
A small list of trusted CA certificates can be included in the App itself completely ignoring the device’s trust store.

Despite Certificate Pinning makes traffic interception more difficult, it can be bypassed in numerous ways.

Pierluigi Paganini

(Security Affairs –  SSL, man-in-the-middle)

you might also like

leave a comment