Secure Mobile Application Development: Preventing HTTPS Interception Attacks


Question

A developer is creating a new mobile application for a company.

The application uses REST API and TLS 1.2 to communicate securely with the external back-end server.

Due to this configuration, the company is concerned about HTTPS interception attacks.

Which of the following would be the BEST solution against this type of attack?

Answers

Explanations


C.

https://cloud.google.com/security/encryption-in-transit

ALTS has a secure handshake protocol similar to mutual TLS. Two services wishing to communicate using ALTS employ this handshake protocol to authenticate and negotiate communication parameters before sending any sensitive information. The protocol is a two-step process:

* Step 1: Handshake. The client initiates an elliptic-curve Diffie-Hellman (ECDH) handshake with the server using Curve25519. The client and server each have certified ECDH public parameters as part of their certificate, which is used during a Diffie-Hellman key exchange. The handshake results in a common traffic key that is available on the client and the server. The peer identities from the certificates are surfaced to the application layer to use in authorization decisions.

* Step 2: Record encryption. Using the common traffic key from Step 1, data is transmitted from the client to the server securely. Encryption in ALTS is implemented using BoringSSL and other encryption libraries. Encryption is most commonly AES-128-GCM while integrity is provided by AES-GCM's GMAC.

The best solution to prevent HTTPS interception attacks is to use Certificate pinning, which is option D.

Certificate pinning is a security mechanism that ensures that a client only trusts a specific server's digital certificate. By using certificate pinning, the application will trust only the pre-defined certificates and prevent any other certificates from being accepted, even if the certificate is signed by a trusted Certificate Authority (CA). This technique protects the application against the use of fake or forged certificates that may be used in a man-in-the-middle (MITM) attack, which is a type of HTTPS interception attack.

Option A, cookies: cookies store information that identifies a user or their session. They can help against some attacks, such as session hijacking, but they do nothing against HTTPS interception.

Option B, wildcard certificates: these are digital certificates that secure multiple subdomains under the same domain name. They are convenient in certain deployments, but they do not protect against HTTPS interception attacks.

Option C, HSTS (HTTP Strict Transport Security): a security policy mechanism that tells web browsers to use only HTTPS connections when communicating with a website. HSTS prevents some HTTPS interception attacks, but not all of them. It controls only whether HTTPS is used, not which certificate is accepted, so an attacker who can get around the HSTS policy, or who presents a certificate the device already trusts, is not stopped by it.

In summary, the best solution against HTTPS interception attacks is to use Certificate pinning, which ensures that the application only trusts specific certificates and prevents any other certificates from being accepted.
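As an added illustration (not part of the original question or explanation), the following Python shows the check a pinning client performs: it pins the SHA-256 hash of the server's SubjectPublicKeyInfo in the `sha256/...` form used by OkHttp and HPKP, accepts a match anywhere in the presented chain, keeps a backup pin for key rotation, and rejects an interception proxy's certificate even though it chains to a CA the device trusts. The host name and all key bytes are constructed for the example.

```python
import base64
import hashlib

# Constructed keys: an Ed25519 SubjectPublicKeyInfo is a fixed 12-byte DER
# header followed by the raw 32-byte public key; the key bytes are made up.
SPKI_HEADER = bytes.fromhex("302a300506032b6570032100")
SERVER_SPKI = SPKI_HEADER + b"\x11" * 32       # current back-end key
BACKUP_SPKI = SPKI_HEADER + b"\x22" * 32       # next key, pinned before rotation
INTERCEPTOR_SPKI = SPKI_HEADER + b"\x33" * 32  # proxy cert from a CA the device trusts

def spki_pin(spki_der: bytes) -> str:
    """Pin string in the OkHttp/HPKP form: 'sha256/' + base64(SHA-256(DER SPKI))."""
    digest = hashlib.sha256(spki_der).digest()
    return "sha256/" + base64.b64encode(digest).decode("ascii")

# Pin set shipped inside the app (constructed host name). Two pins per host let
# the back end rotate its key without locking out installed clients.
PINS = {"api.example.com": {spki_pin(SERVER_SPKI), spki_pin(BACKUP_SPKI)}}

def chain_matches_pins(host: str, chain_spkis: list, pins: dict = PINS) -> bool:
    """Accept the connection only if a certificate in the presented chain carries
    a pinned public key. Hosts with no pin set fail closed here (a choice for this
    example; OkHttp leaves unpinned hosts to normal validation). In a real client
    the SPKIs come from the chain that already passed CA validation (for example
    the DER certificate from ssl.SSLSocket.getpeercert(binary_form=True));
    pinning is an extra check on top of normal validation, not a replacement."""
    expected = pins.get(host)
    if not expected:
        return False
    return any(spki_pin(spki) in expected for spki in chain_spkis)

def demo() -> dict:
    """The cases discussed above: genuine key, rotated key, interception proxy."""
    return {
        "genuine server": chain_matches_pins("api.example.com", [SERVER_SPKI]),
        "after key rotation": chain_matches_pins("api.example.com", [BACKUP_SPKI]),
        # Trusted by a CA but not pinned: the MITM case pinning is meant to stop.
        "interception proxy": chain_matches_pins("api.example.com", [INTERCEPTOR_SPKI]),
        "host without pins": chain_matches_pins("other.example.com", [SERVER_SPKI]),
    }

if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:20s} -> {'accepted' if accepted else 'rejected'}")
```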