Over the past few days news of the KRACK WiFi exploit has filtered out into mainstream media, and as a result it is now widely known that WiFi networks can be compromised using this exploit.
Almost every operating system with WiFi support is susceptible to this attack, with Android 6.0 being especially vulnerable.
However a few simple development practices will protect your application from this and future similar attacks.
What is KRACK?
While the actual paper which describes the attack is available, it’s not an easy read for most people. To explain it in simple terms KRACK uses an exploit discovered in the handshaking of the WPA2 Security protocol. This is a 4-way handshake that is used to create the key that will be used to encrypt traffic between your devices and the WiFi router you are connecting to. By resending this key to the client in a particular way the encrypted data can be decrypted or forged.
Who is vulnerable?
The exploit targets devices connecting to WiFi access points primarily and almost every client device is vulnerable.
Fixes are being released by manufacturers quickly to patch the problem but some people may not install the updates and its enevitable that some devices won’t get an update. For instance Apple has announced that the exploit is already patched in its current Beta releases. But its unlikely they will patch any device that doesn’t support iOS 11, so the iPhone 5 for instance. Microsoft has already released patches for Windows 7 or higher.
Android users will be relying on the manufacturer of their device to provide support, which could take several months.
How does this affect app development?
At Marino Software we assume our apps will operate on insecure networks, and that they will be attacked, therefore we are big advocates of following the OWASP Mobile Security Project recommendations. We have used the project to develop our mobile application secure development lifecycle (SDLC).
There are two items within our SDLC guidelines that would secure your app against KRACK.
Firstly, your app development testing should ensure that connections are only made to TLS or HTTPS services that have been correctly configured. This is trivial to enforce and you can easily test your server side configuration with free online tools, such as the SSL Server Test from Qualys.
Secondly, you should always implement certificate pinning in your app . While this is a little more complicated your app development team should be able to follow the many guides available.
While not a guideline as such, your SDLC should also include details on how to test for these items. The OWASP Mobile Security Testing Guide includes details on how to do exactly that.
There is no doubt the KRACK exploit should be taken seriously, but these simple app development practices help ensure your application will not be affected. This increases the confidence your audience has in your services and will keep them with you in future.
Users on older operating systems may never receive a fix but you can still protect them. By updating your app to only use secure connections and implementing certificate pinning they can continue to use the app as they normally would.
Marino Software are happy to help develop and test your applications to ensure they can deal with these exploits. Email us at firstname.lastname@example.org or check out our contact page if you would like to talk about your secure app development requirements.