Mobile Shopping & Secure Connections: SSL In Browsers vs Mobile Apps
Tripwire recently released a mobile shopping survey and found a surprising number of those surveyed are not taking appropriate security precautions on their devices. One component of the survey called out mobile shoppers not verifying that they sites they were shopping at provided valid SSL certificates.
Most modern smartphones provide SSL verification in their browsers, providing warnings when there are any issues regarding the SSL certificate. In fact I have found the latest Android browser to be particularly draconian in its SSL verification.
In addition the lock we are all familiar with appears in the address bar showing that the site we are on in fact has a valid certificate in place. This can be tricky however once we move our shopping to a mobile app, as there is no clear indicator that the connection we are using is secure.
For example, here is a screenshot of the Amazon mobile website compared to the Amazon mobile application:
By using the browser for shopping I am provided with verification by the browser that I am on a secure website, I receive no errors and I see the lock I am familiar with. By using the mobile application, I am trusting the developer and rely on faith that the connection and my data is secure.
Although I may trust Amazon with my data, there are a lot of shopping applications that are available from well known brands that are not as secure as they should be and do not use properly encrypted channels to pass data back and forth from the application.
There is a lot that can go wrong when securing data via a mobile application, the developer has to manage many factors and there is no specific set way they have to implement the transactions.
With a web browser the connection is either secure or it is not, a web developer cannot do much to fix that aside from ensure that the certificates on the server are up to date and valid. When it comes to secure connections the less “creative license” we provide to the developer the better.
Once your data is at the application server then all bets are off as to how that data is secured regardless of their security implementation of your data in transit. However, by using the web browser we are provided some level of certainty regarding the data being secured in transit.
The only way I have been able to verify that a mobile application is using SSL is to run through a proxy like MITM Proxy to get a list of URLs the data is being passed to and then pass that to openssl to show and verify the certificates:
openssl s_client -showcerts -connect www.amazon.com:443
Although useful for pentesting, this is not particularly user friendly or even a viable option for your average mobile shopper. If anyone knows of an easier way for consumers to verify the security of connections for mobile applications I would be interested in hearing about it.