Protecting Your Android App from Man-in-the-Middle (MITM) Attacks

Android app security is a critical aspect of development, especially when sensitive data, authentication tokens, or financial transactions are involved. Man-in-the-Middle (MITM) attacks are a big threat in this area, with Cofense reporting MITM as responsible for 19% of successful attacks in the year 2024. Having increased by 35% from 2022 to 2023, MITM has become a point of concern for developers. . Below is a simple rundown of MITM attacks, how they occur, and the best practices to to protect your Android app from them.

What Is a Man-in-the-Middle (MITM) Attack?

A MITM attack occurs when a malicious actor intercepts the communication between your Android app (the client) and its backend server. The attacker can read, manipulate, and inject data into the transmission, often without detection. Google has often tied this vulnerability to OWASP’s M3: Insecure Communication, where weak transmission security opens the door to exploitation.

How MITM Attacks Work

1. Interception: Attackers position themselves between the app and server using network manipulation techniques such as ARP spoofing, rogue Wi-Fi networks, and DNS poisoning.
2. Decryption: If communication lacks encryption or is poorly secured, attackers can decode the transmitted data.
3. Manipulation: Malicious actors modify requests or inject harmful content into the transmission.
4. Re-encryption and Forwarding: The altered communication is forwarded to its destination, maintaining the appearance of legitimacy.

Consequences

MITM attacks can lead to;

• Data Theft - Stealing user credentials, financial information, or sensitive personal data.
• Session Hijacking - Hijacking authentication tokens to impersonate users.
• Phishing and Malware Injection - Embedding fake login pages or harmful payloads into responses.

How to Prevent MITM Attacks in Android Apps.

By adopting OWASP-aligned security measures, developers can significantly reduce the risk of MITM attacks. Here are some of the best practices based on OWASP recommendations:

Enforce HTTPS with TLS

Secure all communication channels using HTTPS, backed by strong protocols like TLS 1.2 or TLS 1.3

• Why? - HTTPS (TLS) encrypts data in transit. Even if attackers intercept the traffic, they cannot read or modify it easily.
• Implementation Tip: Force HTTPS by disabling cleartext (HTTP) traffic in your AndroidManifest.xml or using a network_security_config.xml:

<network-security-config>
    <domain-config cleartextTrafficPermitted="false">
        <domain includeSubdomains="true">yourdomain.com</domain>
    </domain-config>
</network-security-config>        

Enable Certificate Pinning

Certificate Pinning ensures your app only trusts specific certificates. Even if attackers manage to get a fake certificate from a compromised Certificate Authority, your app won’t accept it. The app verifies the server’s certificate against a hardcoded set of trusted certificates or keys, rejecting any mismatch.

val client = OkHttpClient.Builder()
    .certificatePinner(
        CertificatePinner.Builder()
            .add("yourdomain.com", "sha256/your-certificate-hash")
            .build()
    )
    .build()        

Network Security Configuration

Android’s Network Security Configuration (NSC) lets you define security rules in an XML file. You can enforce TLS, block cleartext traffic, and even pin certificates without changing the code base too much.

<network-security-config>
    <domain-config cleartextTrafficPermitted="false">
        <domain includeSubdomains="true">yourdomain.com</domain>
        <pin-set>
            <pin digest="SHA-256">your-certificate-hash</pin>
        </pin-set>
    </domain-config>
</network-security-config>        

Valid SSL/TLS Certificate Checks

Never ignore or override SSL errors during development. Attackers thrive on weak or ignored certificate validations. Always use a proper TrustManager or pinned certificate logic rather than accepting all certificates.

Disable Old Cipher Suites and Protocols

Outdated protocols (like SSL 3.0, TLS 1.0) or weak ciphers (like RC4, MD5) make it easier for attackers to decrypt traffic. Stick to TLS 1.2 or TLS 1.3, and strong encryption algorithms like AES-GCM.

Android Implementation

Using OkHttp:

val sslSocketFactory = SSLContext.getInstance("TLSv1.3").apply { init(null, null, null) }.socketFactory
val client = OkHttpClient.Builder()
    .sslSocketFactory(sslSocketFactory, TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()).trustManagers[0] as X509TrustManager)
    .build()        

Conclusion

Man-in-the-Middle attacks represent a bigger threat to Android applications, particularly those handling sensitive data. However, by adhering to OWASP Mobile Top 10 guidelines—enforcing HTTPS, implementing certificate pinning, leveraging Network Security Configuration, validating certificates, and using strong encryption—developers can build robust defenses.

—In today’s digital landscape, security is not just a feature—it’s a necessity.