Man-in-the-Middle (MITM) Attacks in Android Development: How to Secure Your App

Protecting Your Android App from Cyber Threats

Introduction

Security in Android development is an essential concern, especially when handling sensitive user data, authentication tokens, and financial transactions. One of the most dangerous yet common security vulnerabilities is the Man-in-the-Middle (MITM) attack. This aligns closely with the OWASP Mobile Top 10 security risks, particularly M3: Insecure Communication and M9: Reverse Engineering.

In this article, we’ll explore what MITM attacks are, how they occur, and the best practices for securing your Android app against them using OWASP-recommended security controls.

What is a Man-in-the-Middle (MITM) Attack?

A Man-in-the-Middle attack occurs when an attacker intercepts and manipulates the communication between a client (your Android app) and a server. The attacker can read, alter, and even inject malicious data into the communication without either party being aware of it.

How MITM Attacks Work

MITM attacks typically follow these steps:

1. Interception: The attacker positions themselves between the app and the server, using techniques like ARP spoofing, rogue Wi-Fi networks, or DNS poisoning.
2. Decryption: If the communication is unencrypted or poorly secured, the attacker can decrypt the data being transmitted.
3. Manipulation: The attacker can modify requests and responses, injecting malicious content or stealing sensitive data.
4. Re-encryption and Forwarding: The attacker then forwards the manipulated communication back to its intended destination, making it seem like a normal interaction.

OWASP Implications

MITM attacks are directly related to OWASP Mobile Security Risk M3: Insecure Communication, where attackers exploit weakly secured transmissions to intercept and manipulate sensitive information.

Real-World Consequences of MITM Attacks

• Data Theft: User credentials, credit card information, and personal data can be intercepted.
• Session Hijacking: Attackers can steal session tokens and impersonate users.
• Phishing and Malware Injection: Attackers can inject fake login pages or malicious payloads into an app’s response.

How to Prevent MITM Attacks in Android Apps (Aligned with OWASP Guidelines)

1. Enforce HTTPS with TLS (SSL/TLS Security)

One of the most critical steps in preventing MITM attacks is ensuring that all communications between your app and backend servers use HTTPS (HyperText Transfer Protocol Secure).

OWASP recommends:

• TLS 1.2 or TLS 1.3, as older versions (such as TLS 1.0 and 1.1) are vulnerable to security flaws.
• A valid SSL/TLS certificate from a trusted Certificate Authority (CA).
• HSTS (HTTP Strict Transport Security) to prevent protocol downgrades to HTTP.

Implementation in Android

Ensure that your AndroidManifest.xml enforces HTTPS:

<network-security-config>
    <domain-config cleartextTrafficPermitted="false">
        <domain includeSubdomains="true">yourdomain.com</domain>
    </domain-config>
</network-security-config>

2. Certificate Pinning (M3: Insecure Communication)

What is Certificate Pinning?

Certificate Pinning is a security technique that helps prevent attackers from using fraudulent certificates to intercept app-server communication. It ensures that the app only trusts specific certificates or public keys, even if a compromised Certificate Authority (CA) issues a rogue certificate.

Why is Certificate Pinning Important?

• Prevents Fake Certificates: Attackers may generate fraudulent certificates to impersonate a trusted server. Pinning restricts your app to accept only the expected certificate.
• Enhances Security Against MITM Attacks: Even if an attacker can intercept traffic, they cannot decrypt or modify data without the correct certificate.
• Mitigates Risks of CA Compromise: If a CA is compromised, your app will reject fraudulent certificates issued by that CA.

How Certificate Pinning Works

1. The app is programmed to accept only a predefined set of certificates or public keys.
2. When making an HTTPS request, the app checks the server’s certificate against the pinned certificates.
3. If the certificate does not match, the connection is rejected.

Implementation in Android

Using OkHttp with certificate pinning:

val client = OkHttpClient.Builder()
    .certificatePinner(
        CertificatePinner.Builder()
            .add("yourdomain.com", "sha256/your-certificate-hash")
            .build()
    )
    .build()

3. Use Strong Network Security Configurations (OWASP M3 & M9)

What is Network Security Configuration?

The Network Security Configuration (NSC) is an Android feature introduced in Android 7.0 (API level 24) that allows developers to define security settings via an XML file instead of modifying the app code. It enables more granular control over security policies, including enforcing TLS, disabling cleartext traffic, and implementing certificate pinning.

Why is Strong Network Security Configuration Important?

• Blocks Cleartext Traffic: Prevents unencrypted HTTP traffic, reducing the risk of eavesdropping.
• Enforces TLS/SSL: Ensures all communications happen over a secure channel.
• Supports Certificate Pinning: Helps prevent attackers from using fraudulent certificates.
• Provides Fine-Grained Security Control: Developers can specify different security settings for different domains.

Implementation in Android

Define a network_security_config.xml file in the res/xml/ directory:

<network-security-config>
    <domain-config cleartextTrafficPermitted="false">
        <domain includeSubdomains="true">yourdomain.com</domain>
        <pin-set>
            <pin digest="SHA-256">your-certificate-hash</pin>
        </pin-set>
    </domain-config>
</network-security-config>

4. Validate SSL/TLS Certificates Properly (M3: Insecure Communication)

Why SSL/TLS Certificate Validation is Important

Proper certificate validation prevents MITM attacks by ensuring that the server your app is communicating with is legitimate. Attackers often use self-signed or rogue certificates to intercept traffic. If an app blindly accepts any certificate, it becomes vulnerable to attacks.

Best Practices for Certificate Validation

• Use a strong TrustManager that validates the certificate against a trusted CA.
• Avoid disabling SSL validation in development builds.
• Reject self-signed or unknown certificates unless explicitly trusted.

5. Disable Insecure Cipher Suites and Protocols

Why Disabling Weak Ciphers is Critical

Attackers exploit weak encryption algorithms (e.g., MD5, RC4) to break into secure communications. Android apps must ensure that only strong encryption algorithms are used.

Best Practices for Secure Cipher Suites

• Use TLS 1.2 or 1.3 to ensure strong encryption.
• Disable outdated protocols like SSL 3.0 and TLS 1.0.
• Use AES-GCM or ChaCha20-Poly1305 for encryption.

Implementation in Android

val sslSocketFactory = SSLContext.getInstance("TLSv1.3").apply { init(null, null, null) }.socketFactory
val client = OkHttpClient.Builder()
    .sslSocketFactory(sslSocketFactory, TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()).trustManagers[0] as X509TrustManager)
    .build()

Conclusion

MITM attacks pose a significant risk to Android apps, but by aligning security measures with OWASP Mobile Top 10 recommendations, developers can mitigate these threats effectively.

Dobri Kostadinov
Android Consultant | Trainer
Email me | Follow me on LinkedIn | Follow me on Medium | Buy me a coffee