Under active development Content is continuously updated and improved

M5: Insecure Communication

>Control Description

**Application Specific**

Most modern mobile applications exchange data with one or more remote servers. When data is transmitted, it typically travels through the mobile device's carrier network and the internet; a threat agent listening on the wire can intercept and modify the data if it is transmitted in plaintext or with a deprecated encryption protocol. Threat agents may have different motives, such as stealing sensitive information, conducting espionage, or identity theft. The following threat agents exist:

- An adversary that shares your local network (compromised or monitored Wi-Fi);
- Rogue carrier or network devices (routers, cell towers, proxies, etc.); or
- Malware on your mobile device.

>Prevention & Mitigation Strategies

1. Apply SSL/TLS to all transport channels the mobile app uses to transmit data to backend APIs or web services; never transmit sensitive data in plaintext.
2. Use strong, industry-standard cipher suites with appropriate key lengths and certificates signed by a trusted CA provider.
3. Never allow bad certificates (self-signed, expired, untrusted root, revoked, wrong host); always require SSL chain verification.
4. Consider certificate pinning to establish trust with known-good server certificates and prevent man-in-the-middle attacks.
5. Do not send sensitive data over alternate channels (SMS, MMS, push notifications); apply a separate layer of encryption to sensitive data before passing it to the SSL channel.
6. Alert users through the UI if the mobile app detects an invalid certificate; avoid overriding SSL verification methods during development.
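The following is an added example, not code from the OWASP page, showing what items 1, 3, 4 and 6 above look like when enforced in a TLS client. Python's standard `ssl` module stands in for a mobile platform's TLS API; the hostname, port and pin values are caller-supplied placeholders, and the DER bytes used in the self-check are constructed, not a real certificate. The insecure context is included only for contrast with the hardened one.

```python
"""Hardened TLS client configuration with certificate pinning (added example)."""
import hashlib
import socket
import ssl
from typing import Iterable, Optional


class PinMismatch(Exception):
    """Raised when the server's leaf certificate matches none of the pins."""


def make_insecure_context() -> ssl.SSLContext:
    """The weak setting: chain and hostname checks disabled, typically a
    leftover from development (item 6).  Shown only for contrast; never ship this."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def make_secure_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Hardened client context: TLS 1.2 or newer, full chain verification
    against a trusted CA store, hostname checked (items 1 and 3).
    ca_bundle is an optional path to the app's own CA file; None uses the
    platform trust store."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def context_is_hardened(ctx: ssl.SSLContext) -> bool:
    """Self-check for a startup assertion or unit test, so a stray
    'verify_mode = CERT_NONE' cannot slip into a release build."""
    return (
        ctx.verify_mode == ssl.CERT_REQUIRED
        and bool(ctx.check_hostname)
        and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
    )


def leaf_fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER-encoded leaf certificate, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert: bytes, pins: Iterable[str]) -> bool:
    """True if the leaf fingerprint is in the pin set (item 4).  Ship at least
    two pins (current plus backup) so a routine certificate rotation does not
    lock users out."""
    return leaf_fingerprint(der_cert) in {p.lower() for p in pins}


def open_pinned_connection(host: str, port: int, pins: Iterable[str],
                           timeout: float = 10.0) -> ssl.SSLSocket:
    """Connect, let the TLS stack verify chain and hostname, then additionally
    require the presented leaf certificate to match a pin.  Any failure closes
    the socket and raises; the UI layer should surface that to the user
    (item 6) rather than silently falling back to an unverified connection."""
    ctx = make_secure_context()
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        # Raises ssl.SSLCertVerificationError for a self-signed, expired,
        # untrusted-root or wrong-host certificate.
        tls = ctx.wrap_socket(raw, server_hostname=host)
    except ssl.SSLError:
        raw.close()
        raise
    der = tls.getpeercert(binary_form=True)
    if der is None or not pin_matches(der, pins):
        tls.close()
        raise PinMismatch(f"certificate presented by {host} matches no pinned fingerprint")
    return tls


if __name__ == "__main__":
    # Offline self-check with constructed bytes (not a real certificate).
    constructed_der = b"\x30\x82\x01\x00 constructed, not a real certificate"
    assert context_is_hardened(make_secure_context())
    assert not context_is_hardened(make_insecure_context())
    assert pin_matches(constructed_der, [leaf_fingerprint(constructed_der)])
    print("hardened context and pin check OK")
```

This pins the whole leaf certificate; pinning the SubjectPublicKeyInfo hash instead survives reissuing a certificate for the same key and is the usual choice for production apps, but the control flow (verify chain and hostname first, then compare the pin, then fail loudly) is the same. Note that the pin check runs after the normal chain verification, never instead of it.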

>Attack Scenarios

#1

#2

#3

>References
