T1410 Network Traffic Capture or Redirection
An adversary may capture network traffic to and from the device to obtain credentials or other sensitive data, or redirect network traffic to flow through an adversary-controlled gateway to do the same.
A malicious app could register itself as a VPN client on Android or iOS to gain access to network packets. However, on both platforms, the user must grant consent to the app to act as a VPN client, and on iOS the app requires a special entitlement that must be granted by Apple.
Alternatively, if a malicious app is able to escalate operating system privileges, it may be able to use those privileges to gain access to network traffic.
An adversary could redirect network traffic to an adversary-controlled gateway by establishing a VPN connection or by manipulating the device’s proxy settings. For example, Skycure 1 describes the ability to redirect network traffic by installing a malicious iOS Configuration Profile.
If applications encrypt their network traffic, sensitive data may not be accessible to an adversary, depending on the point of capture.
|Created||25 October 2017|
|Last Modified||17 October 2018|
|S0288||KeyRaider||Most KeyRaider samples hook SSLRead and SSLWrite functions in the itunesstored process to intercept device communication with the Apple App Store.2|
|S0407||Monokle||Monokle can install attacker-specified certificates to the device’s trusted certificate store, enabling an adversary to perform adversary-in-the-middle attacks.3|
|M1005||Application Vetting||Closely scrutinize applications that request VPN access before allowing their use.|
|M1009||Encrypt Network Traffic||This mitigation may not always be effective depending on the method used to encrypt network traffic. In some cases, an adversary may be able to capture traffic before it is encrypted.|
|M1006||Use Recent OS Version||-|
Yair Amit. (2013, March 12). Malicious Profiles - The Sleeping Giant of iOS Security. Retrieved December 22, 2016. ↩
Claud Xiao. (2015, August 30). KeyRaider: iOS Malware Steals Over 225,000 Apple Accounts to Create Free App Utopia. Retrieved December 12, 2016. ↩
Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. Retrieved September 4, 2019. ↩