HTTPS Security on Mobile: Stop Man-in-the-Middle Attacks

TL;DR

Mobile devices can still be exposed to Man-in-the-Middle (MITM) attacks even when they use HTTPS. This guide explains how to protect yourself by verifying certificates, avoiding untrusted networks, and using strong security settings.

Understanding the Risk

A MITM attack happens when someone intercepts communication between your device and a website. They can steal information like passwords or credit card details. HTTPS is designed to prevent this through encryption, but that protection depends on verifying the website’s identity using certificates.

How to Protect Yourself

  1. Check Certificate Validity: Your browser should always verify a website’s SSL/TLS certificate before establishing a secure connection. Look for the padlock icon in your address bar. Click it to view details.
    • Valid Dates: Ensure the certificate is currently valid (it has not expired and its start date has already passed).
    • Issued To: Confirm the certificate is issued to the correct domain name you’re visiting. Beware of misspellings!
    • Issuer: The certificate should be issued by a trusted Certificate Authority (CA) – your browser has a list of these built-in.
  2. Avoid Untrusted Wi-Fi Networks: Public, open Wi-Fi networks are often insecure.
    • Use a VPN: A Virtual Private Network (VPN) encrypts all your internet traffic, protecting it even on public Wi-Fi.
    • Don’t Share Sensitive Information: Avoid online banking or entering passwords on untrusted networks.
  3. Pin Certificates (Advanced): Certificate pinning tells your device to only trust specific certificates for a given website.
    • This prevents attackers from using fraudulently obtained certificates, even if they’re issued by a trusted CA. It’s more secure but requires technical setup and maintenance.
    • Many apps now support certificate pinning automatically. Check the app’s security settings.
  4. Keep Your Device Software Updated: Operating system (OS) and browser updates often include important security patches.
    • Enable automatic updates whenever possible.
  5. Be Wary of Suspicious Prompts: Pay attention to any unusual certificate warnings or prompts from your browser.
    • If you see a warning that the connection isn’t private, do not proceed unless you are absolutely sure it’s safe.
  6. DNS Security: Use a secure DNS provider to prevent DNS spoofing attacks, which can redirect you to malicious websites.
    • Consider using Cloudflare (1.1.1.1) or Google Public DNS (8.8.8.8 and 8.8.4.4). You can change these in your device’s network settings.
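
The three checks from step 1 (valid dates, issued-to name, issuer), as an added example that is not part of the original article: Python over a constructed dictionary in the format `ssl.SSLSocket.getpeercert()` returns. The host names, CA name and dates are made up, and `check_certificate` and `name_matches` are illustrative helper names; real issuer trust is decided by the TLS library's chain validation, so this code only flags a self-issued certificate.

```python
import ssl
from datetime import datetime, timezone

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert();
# every name and date below is made up for illustration.
SAMPLE_CERT = {
    "subject": ((("commonName", "shop.example.com"),),),
    "issuer": ((("organizationName", "Example Trust CA"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2025 GMT",
    "subjectAltName": (("DNS", "shop.example.com"), ("DNS", "*.cdn.example.com")),
}


def name_matches(pattern, host):
    """Exact match, or a wildcard covering exactly one left-most label."""
    pattern, host = pattern.lower(), host.lower().rstrip(".")
    if pattern.startswith("*."):
        head, _, tail = host.partition(".")
        return bool(head) and tail == pattern[2:]
    return pattern == host


def check_certificate(cert, host, now):
    """Return a list of problems; an empty list means all checks pass."""
    problems = []
    ts = now.timestamp()
    # Valid Dates: notBefore <= now <= notAfter
    if ts < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not yet valid")
    if ts > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")
    # Issued To: the host must appear among the DNS subjectAltName entries,
    # so a lookalike such as "examp1e.com" fails here.
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not any(name_matches(p, host) for p in sans):
        problems.append("name mismatch")
    # Issuer (simplified): issuer == subject means no CA vouched for it.
    if cert["issuer"] == cert["subject"]:
        problems.append("self-signed")
    return problems


if __name__ == "__main__":
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    for host in ("shop.example.com", "shop.examp1e.com"):
        print(host, check_certificate(SAMPLE_CERT, host, now) or "ok")
```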

Checking Certificates on Android

1. Open the website in Chrome.
2. Tap the padlock icon to the left of the address bar.
3. Select ‘Connection is secure’.
4. Tap ‘Certificate’ to view certificate details.

Checking Certificates on iOS

1. Open the website in Safari.
2. Tap the padlock icon to the right of the address bar.
3. Tap ‘Details’.
4. Scroll down and tap ‘View Certificate’ to view certificate details.

Example VPN Command (Linux – using OpenVPN)

sudo openvpn --config /path/to/your/vpn_config.ovpn