Researchers last week publicly disclosed a weakness in WPA2. It is considered a very serious vulnerability in the way WPA2 wireless security works.
WPA2 is the protocol that protects Wi-Fi networks all over the world. An attacker within range of a Wi-Fi network using WPA2 could use key reinstallation attacks (KRACKs) to bypass the network's WPA2 security.
This non-trivial attack can be used to read information that was presumed to be safe from snooping. This would allow theft of sensitive information including (but certainly not limited to):
- credit card numbers
- personally identifiable information (PII)
The attack may also be able to manipulate data, opening the possibility of malware being injected into the sites we load.
Protecting your apps
If you are using TLS, your risk is lower, but it's important to make sure TLS is implemented properly. Mobile and web apps can further protect themselves by implementing either one of the security precautions below. These precautions prevent an attacker from decrypting or manipulating data transmitted and received over a connection compromised via KRACK:
- Implement TLS with HTTP Strict Transport Security (HSTS).
- Implement certificate validation and certificate pinning.
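The two precautions above address two different moves an on-path attacker can make once the Wi-Fi layer is broken: downgrading a request to plain http://, and presenting a forged certificate for the real hostname. The following is an added example, not code from the original post or from WillowTree, showing client-side logic for both: an HSTS policy store that parses the Strict-Transport-Security header and rewrites http:// URLs to https:// for known hosts (and their subdomains when includeSubDomains is set), and a SubjectPublicKeyInfo pin check in the base64(SHA-256(SPKI)) format used by Android's network security config and OkHttp. The hostnames and the SPKI byte strings are constructed placeholders; in a real client the SPKI comes from the already-validated certificate chain.

```python
"""HSTS policy handling and SPKI certificate pinning (added example)."""
import base64
import hashlib
import time
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit


@dataclass
class HstsPolicy:
    host: str
    expires_at: float          # absolute time (seconds) after which the policy lapses
    include_subdomains: bool


def parse_hsts_header(host, header_value, now):
    """Parse a Strict-Transport-Security header value (RFC 6797, section 6.1).

    Returns an HstsPolicy, or None when the header is malformed or max-age is 0
    (a zero max-age tells the client to forget the host).
    """
    max_age = None
    include_subdomains = False
    for directive in header_value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            # A duplicate or non-numeric max-age makes the whole header invalid.
            if max_age is not None or not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None or max_age == 0:
        return None
    return HstsPolicy(host.lower(), now + max_age, include_subdomains)


class HstsStore:
    """Remembers HSTS hosts and upgrades http:// URLs for them."""

    def __init__(self):
        self._policies = {}

    def observe(self, host, header_value, now):
        """Record (or clear) the policy a TLS response for `host` carried."""
        policy = parse_hsts_header(host, header_value, now)
        if policy is None:
            self._policies.pop(host.lower(), None)
        else:
            self._policies[policy.host] = policy

    def is_known_host(self, host, now):
        """True if `host` or a parent domain with includeSubDomains has a live policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            policy = self._policies.get(".".join(labels[i:]))
            if policy is None or policy.expires_at <= now:
                continue
            if i == 0 or policy.include_subdomains:
                return True
        return False

    def rewrite_url(self, url, now):
        """Rewrite http:// to https:// for known hosts; other URLs pass through unchanged."""
        parts = urlsplit(url)
        if parts.scheme == "http" and parts.hostname and self.is_known_host(parts.hostname, now):
            netloc = parts.netloc[:-3] if parts.netloc.endswith(":80") else parts.netloc
            return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
        return url


def spki_pin(spki_der):
    """Pin string for a DER-encoded SubjectPublicKeyInfo: base64(SHA-256(SPKI))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def verify_pins(chain_spkis, pinned):
    """Accept the connection only if some SPKI in the validated chain matches a pin.

    A mismatch is a hard failure: the client must not fall back to an unpinned connection.
    """
    return any(spki_pin(spki) in pinned for spki in chain_spkis)


# Constructed stand-ins for DER-encoded SPKI blobs; not real key material.
SERVER_SPKI = b"constructed-spki-for-api.example.com"
BACKUP_SPKI = b"constructed-spki-for-the-backup-key"   # pin a backup key to survive rotation
ROGUE_SPKI = b"constructed-spki-presented-by-an-attacker"
PINNED = {spki_pin(SERVER_SPKI), spki_pin(BACKUP_SPKI)}


if __name__ == "__main__":
    now = time.time()
    store = HstsStore()
    store.observe("api.example.com", "max-age=31536000; includeSubDomains", now)
    print(store.rewrite_url("http://api.example.com/login", now))      # upgraded to https
    print(store.rewrite_url("http://v2.api.example.com/login", now))   # subdomain upgraded too
    print(store.rewrite_url("http://example.org/", now))               # unknown host, unchanged
    print(verify_pins([SERVER_SPKI, b"intermediate"], PINNED))         # True
    print(verify_pins([ROGUE_SPKI, b"intermediate"], PINNED))          # False
```

Note that HSTS only helps after the client has seen the header once over a trusted connection (or the host is on the browser preload list), which is why pairing it with pinning matters for a mobile app that may first connect from a hostile network.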
Choosing the right protection
As the links above detail, these protections come with plenty of pros and cons, particularly where data privacy is concerned. It is important to assess your app with a few questions:
- What kind of data does your app store or transfer?
- Is it considered Personally Identifiable Information (PII), or otherwise important to you or your users?
- What would happen if that information fell into the wrong hands?
At WillowTree, we take security very seriously in every line of the code we ship for clients. Feel free to contact us here for more advice on securing your app.