17.1 App verifies SSL certificates¶
Verify that ID values stored on the device and retrievable by other applications, such as the UDID or IMEI number are not used as authentication tokens.
Levels: 1, 2, 3
Risks:

* Mobile Internet is an insecure channel
* Public Wi-Fi hotspots are open, unsecured networks
* Hotspots at coffee shops, book stores, airports
* Plenty of open source tools are available to sniff traffic on open wireless networks
* The Firesheep add-on for Firefox makes it easier: it grabs your social media and other web passwords with one click
* The FaceNiff app for Android is the Firesheep equivalent for mobile devices, sniffing passwords from open wireless networks
* It is possible to throw up a fake GSM signal. Chris Paget demonstrated a fake GSM tower at DefCon 2010 that cost about $1500; it is called an IMSI catcher. An attacker can throw up a fake AT&T / T-Mobile signal a few feet away, and your phone would connect to his tower because its signal is stronger than that of the nearest real cell tower. All data sent unencrypted can be read by the attacker.
* `OWASP: Security and Privacy issues in iOS and Android Apps <>`__
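The requirement in the heading is the mitigation for every risk listed above: an app that validates the server certificate chain and hostname will refuse a hotspot or IMSI-catcher man-in-the-middle rather than hand it the session. The following is an added example, not code from the OWASP page or from any of the tools it names, showing in Python's standard-library ``ssl`` module what that verification looks like: the weak configuration that accepts any certificate, the corrected configuration, an audit helper a reviewer can apply to a context, and an optional fingerprint pin. The function names, the pin-check design and the ``b"abc"`` stand-in for a DER certificate are assumptions of this example.

```python
"""Added example (not from the OWASP page): TLS certificate verification
in a client, using only Python's standard library.

  insecure_context()    the weak setting often found in apps: any certificate accepted
  secure_context()      the corrected setting: chain and hostname both checked
  context_is_safe()     audit helper: does this context reject a MITM certificate?
  fingerprint_matches() optional pin on the server certificate (DER bytes)
  connect_verified()    puts the pieces together for a real connection
"""
import hashlib
import hmac
import socket
import ssl
from typing import Optional


def insecure_context() -> ssl.SSLContext:
    """The weak setting: no name matching, no chain validation, so a certificate
    presented by a rogue hotspot or fake base station is accepted silently."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False         # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE    # disables chain validation entirely
    return ctx


def secure_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """The corrected setting: chain validated against trusted roots (system store,
    or the CA bundle given in cafile) and the certificate name must match the
    host we asked for."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # create_default_context already sets both of these; they are restated so
    # the requirement is explicit and survives later edits to this function.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def context_is_safe(ctx: ssl.SSLContext) -> bool:
    """Audit check: True only if the context will reject an unverified peer."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def fingerprint_matches(der_cert: bytes, expected_sha256_hex: str) -> bool:
    """Optional pinning: compare the SHA-256 of the server's DER certificate
    (as returned by SSLSocket.getpeercert(binary_form=True)) with a pinned
    value. Accepts 'aa:bb:..' or 'AABB..' spellings; comparison is constant-time."""
    actual = hashlib.sha256(der_cert).hexdigest()
    expected = expected_sha256_hex.lower().replace(":", "")
    return hmac.compare_digest(actual, expected)


def connect_verified(host: str, port: int = 443, pin_sha256: Optional[str] = None) -> bytes:
    """Open a fully verified TLS connection and return the peer certificate (DER).
    Raises ssl.SSLCertVerificationError when the chain or hostname check fails,
    and ValueError when a pin is supplied and does not match. Needs network access,
    so it is not exercised offline."""
    ctx = secure_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            if pin_sha256 is not None and not fingerprint_matches(der, pin_sha256):
                raise ValueError("server certificate does not match the pinned fingerprint")
            return der


if __name__ == "__main__":
    # Offline demonstration with a constructed stand-in for a DER certificate.
    print("secure context safe:  ", context_is_safe(secure_context()))     # True
    print("insecure context safe:", context_is_safe(insecure_context()))   # False
    stand_in_der = b"abc"   # constructed; a real certificate is hundreds of bytes
    print("pin matches:", fingerprint_matches(
        stand_in_der, "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"))
```

The audit helper is the piece worth reusing: a code review for this requirement amounts to finding every ``SSLContext`` (or the platform equivalent, such as a custom ``TrustManager`` on Android or ``NSURLSession`` delegate overrides on iOS) and confirming it would return ``True`` from a check like ``context_is_safe``. Pinning is an extra layer on top of verification, not a replacement for it; the pinned value must be rotated whenever the server certificate is reissued.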