
We are developing a hybrid mobile application, and for certain function calls a URL is called. Here is a sample request for getting user information:

http://someurl.com/1234/account

where 1234 is the user id in the database.

We figured that a "man in the middle attack" is possible for this. The URL called by the mobile app can be sniffed, then the hacker just changes the value of the user id and with that he can see information for other users. The question is: would simply changing the URL called to HTTPS solve this security flaw?

1 Answer


No, it will not. You are exposing user data based on an unauthenticated URL and it is trivial for unauthorized parties to access modified URLs even away from the mobile platform.

madscientist159
  • So from what attack does HTTPS protect the request? – Hingle McJingleberry Aug 07 '17 at 23:38
  • MITM attack, including changing data or silent eavesdropping. – madscientist159 Aug 08 '17 at 00:00
  • So that means the whole request can be sniffed too? Even if it is in POST? – Hingle McJingleberry Aug 08 '17 at 00:17
  • No, https protects the URL from tampering along with GET and POST data. You have a different problem here in that a completely separate request (i.e. no tampering required) can probably access a random user's data. Secret URLs are at best simple obfuscation, not real security. – madscientist159 Aug 08 '17 at 01:05
  • OK, so in short, HTTPS only prevents the request from being tampered with, but it does not prevent it from being seen (through sniffing)? – Hingle McJingleberry Aug 08 '17 at 22:56
  • It prevents the request from being seen by most network-based sniffers, but your problem is that all it takes is *one* person that manages to decipher the traffic (i.e. via some kind of MITM firewall that presents an "acceptable" certificate), or even by directly reading the URL out of your app binary, to expose a security issue to all of your users. At minimum you should add authentication to that URL, even if the app has to retain an internal account-specific password. – madscientist159 Aug 09 '17 at 15:43
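The point the answer and its comments make is that the `/1234/account` route has an authorization problem, not a transport problem: the server trusts a client-supplied id to decide whose record to return, and HTTPS leaves that logic untouched. The following is an added illustration, not code from the question or the answer: a minimal simulation of the route as the question describes it, beside a hardened version in which the server derives the caller's identity from a bearer token and checks that the requested id belongs to that caller. The user records, the token strings and the `Authorization: Bearer` convention are constructed assumptions for the example.

```python
"""Added example (not from the question or the answer): the /<user_id>/account
route as described in the question, then hardened so the authenticated caller,
not the path segment, decides whose data is returned. All users, tokens and
data below are constructed sample values."""

import hmac
import re
import secrets
from typing import Dict, Optional, Tuple

# Constructed sample user records; in the real app these live in the database.
USERS: Dict[str, dict] = {
    "1234": {"name": "Alice", "email": "alice@example.com"},
    "5678": {"name": "Bob", "email": "bob@example.com"},
}

# Constructed session tokens: opaque random strings mapped to user ids.
# A real service stores these server-side (or uses signed tokens).
SESSIONS: Dict[str, str] = {
    "tok-alice-8c2f": "1234",
    "tok-bob-41d9": "5678",
}

PATH_RE = re.compile(r"^/(?P<user_id>\d+)/account$")


def vulnerable_account(path: str, headers: dict) -> Tuple[int, dict]:
    """Behaviour described in the question: whoever names a user id in the
    path gets that user's data. Moving this route to HTTPS does not change it."""
    m = PATH_RE.match(path)
    if not m:
        return 404, {"error": "not found"}
    user = USERS.get(m.group("user_id"))
    if user is None:
        return 404, {"error": "not found"}
    return 200, user


def caller_from_token(headers: dict) -> Optional[str]:
    """Resolve the authenticated user from an Authorization: Bearer header.
    Tokens are compared in constant time so the lookup does not leak via timing."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    presented = auth[len("Bearer "):]
    for token, user_id in SESSIONS.items():
        if hmac.compare_digest(token, presented):
            return user_id
    return None


def hardened_account(path: str, headers: dict) -> Tuple[int, dict]:
    """Same route, but the server returns only the authenticated caller's own
    record: unauthenticated requests get 401, requests for another id get 403."""
    m = PATH_RE.match(path)
    if not m:
        return 404, {"error": "not found"}
    caller = caller_from_token(headers)
    if caller is None:
        return 401, {"error": "authentication required"}
    requested = m.group("user_id")
    # Authorization check: the path id must match the authenticated subject.
    if not hmac.compare_digest(caller, requested):
        return 403, {"error": "forbidden"}
    return 200, USERS[caller]


def issue_token(user_id: str) -> str:
    """What a login endpoint would do after verifying credentials (the
    credential check itself is outside the question's scope): mint an
    unguessable token and bind it to the user id server-side."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user_id
    return token


if __name__ == "__main__":
    alice = {"Authorization": "Bearer tok-alice-8c2f"}
    # Vulnerable: no credentials at all are needed to read Bob's record.
    print(vulnerable_account("/5678/account", {}))
    # Hardened: Alice reads her own record, is refused Bob's, and anonymous
    # requests are refused outright.
    print(hardened_account("/1234/account", alice))
    print(hardened_account("/5678/account", alice))
    print(hardened_account("/5678/account", {}))
```

The hardened handler still accepts the id in the path (so the app's existing URLs keep working), but it is reduced to a consistency check; an equally valid design drops the id from the URL entirely and serves `/account` for whoever the token identifies. Either way, HTTPS remains necessary so the token itself is not exposed in transit, which is the separate concern the comments discuss.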