When Mobile Apps Betray You

One day, out of curiosity, I took apart a mobile app. Lacking knowledge in any mobile ecosystem's tooling, I started off by putting the app behind an HTTP proxy to observe the network traffic in the hopes of finding interesting endpoints. What happened next made me start questioning the security of mobile apps.

Imagine the internet as a bunch of transparent pipes connecting one device to another. HTTP, the protocol that powers the world wide web, passes through the internet in cleartext. Add the two together, and clearly we have a security and privacy issue. If bad actor manages to get in the pipes that carry HTTP traffic, they could easily read the communication between clients and servers.

That's why we have HTTPS. What it does is encrypt HTTP data that passes through the internet. That way, only the client and server are able decrypt the data they send to each other. Everyone else gets garbled data.

Now mobile apps are not that different from apps built for other platforms. They're written using a programming language and use a variety APIs. Among these APIs are network communication APIs. And to support communications with web servers, APIs for HTTP and HTTPS are available.

Unfortunately, even when we already have HTTPS, plain old HTTP is still around for backward compatibility. Some developers might not have the time, budget, or need to move to HTTPS. Security updates may also not make it to end users if they fail to keep their devices updated. Thus, mobile apps may be communicating over unsecure channels - which was the case with the app I took apart.

This is a concern, especially if the apps process sensitive information. Unsecured messaging apps could have their customers' private conversations intercepted and used for doxing. Unsecured shopping apps could have their users' credit card information stolen and used for credit card fraud. Unsecured tax filing apps could have their users' tax information collected and used for identity theft. ISPs could see, parse, and censor content being viewed by their customers. The possibilities are endless.

Let that sink in.

Now everything I just described could happen with any app on any platform. I just gave emphasis on mobile devices because it's that one platform that's rich in user data, always connected, but in the hands of individuals who may not know a lot or care about security and privacy. "I've got nothing to hide" - sure, whatever. I roll my eyes.

Hopefully this article gave you insight on how native apps can easily compromise your security and privacy. As always, if you have comments or suggestions, feel free to drop a line.