A mobile app frequently communicates with its backend running on a remote server. Either the mobile app or the server may initiate communication. Such a conversation consists of service or data requests, updates, and acknowledgments of responses received from the other end. The identity of the other party must be verified in this interaction. Consider an example in which the server initiates communication. The server sends a certificate to the mobile application. This certificate carries the server’s signature. The mobile app inspects the signature to verify the server’s identity.
The mobile app may adopt one of two approaches to verifying the signature. The first is only to confirm that a signature is present. The second is to keep the server’s certificate permanently available locally and check that the same certificate is presented.
Adopting the first approach would allow attackers to send a certificate in a valid format but with a signature of their own. The mobile app would have no way to verify that the signature is genuine. The application would then start communicating with the attacker and share sensitive information. This type of attack is known as a man-in-the-middle attack. Alternatively, an attacker may perform ‘SSL stripping’, which is the act of getting rid of the encryption and subsequently making malicious use of the obtained information. The solution is to ensure that the certificate or its public key is permanently available within the mobile app. This enables the app to verify the authenticity of the server and detect an impersonator.
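The two approaches side by side, as an added example that is not code from the original article: a presence-only check next to a check against fingerprints shipped with the app. The function names, the constructed byte strings standing in for DER-encoded certificates, the backup pin for rotation, and the choice of a SHA-256 fingerprint over the whole certificate are assumptions made for illustration.

```python
import hashlib
import hmac
import socket
import ssl

def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, as hex."""
    return hashlib.sha256(cert_der).hexdigest()

def presence_only_check(cert_der: bytes) -> bool:
    """First approach from the text: accept any certificate that is present."""
    return len(cert_der) > 0

def pinned_check(cert_der: bytes, pins: set[str]) -> bool:
    """Second approach: accept only a certificate whose fingerprint is pinned."""
    presented = fingerprint(cert_der)
    # compare_digest keeps the comparison constant-time
    return any(hmac.compare_digest(presented, pin) for pin in pins)

def connect_pinned(host: str, pins: set[str], port: int = 443) -> ssl.SSLSocket:
    """TLS connection that must pass normal chain and hostname validation
    and also present a leaf certificate matching a pinned fingerprint."""
    ctx = ssl.create_default_context()
    sock = ctx.wrap_socket(socket.create_connection((host, port), timeout=10),
                           server_hostname=host)
    leaf = sock.getpeercert(binary_form=True)
    if leaf is None or not pinned_check(leaf, pins):
        sock.close()
        raise ssl.SSLError("server certificate does not match any pinned fingerprint")
    return sock

# Constructed stand-ins for DER bytes (not real certificates)
GENUINE_CERT = b"constructed-der-bytes: backend server certificate"
ROTATION_CERT = b"constructed-der-bytes: next backend certificate"
IMPERSONATOR_CERT = b"constructed-der-bytes: certificate signed by someone else"

# Pins shipped inside the app: current certificate plus a backup for rotation
PINS = {fingerprint(GENUINE_CERT), fingerprint(ROTATION_CERT)}

def demo() -> dict[str, tuple[bool, bool]]:
    """Return (presence_only, pinned) verdicts for each constructed certificate."""
    certs = {"genuine": GENUINE_CERT, "rotation": ROTATION_CERT,
             "impersonator": IMPERSONATOR_CERT}
    return {name: (presence_only_check(c), pinned_check(c, PINS))
            for name, c in certs.items()}

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

The impersonator's certificate passes the presence-only check and fails the pinned check, which is the difference the text describes. `connect_pinned` is not exercised by the demo because it needs a live server and real fingerprints.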