Securing Mobile Apps from MITM Attack

Prior to Canvas 17.1, mobile apps used JavaScript AJAX (XMLHttpRequest) for communication between client and server, which made true Secure Sockets Layer (SSL) pinning impossible. SSL is a protocol that secures network communication by means of encryption; pinning ties the connection to a known server certificate instead of trusting any certificate the device's trust store accepts. True SSL pinning is highly recommended to prevent man-in-the-middle (MITM) attacks.

In versions prior to Canvas 17.1, a request is sent to the server when the app launches, and the server certificate's fingerprint is verified only once, using cordova-plugin-sslcertificatechecker. After this single verification, all subsequent responses are trusted automatically. An attacker performing a MITM attack can therefore let that first validation request pass untouched and intercept every later request without either the client or the server noticing.

To prevent this attack, mobile apps from Canvas 17.1 onwards use native AJAX, so that every response is SSL validated rather than only the first one.

Refer to the following pages: