Encrypt Network Traffic

Application developers should encrypt all of their application network traffic using the Transport Layer Security (TLS) protocol to ensure protection of sensitive data and deter network-based attacks. If desired, application developers could perform message-based encryption of data before passing it for TLS encryption.


iOS's App Transport Security feature can be used to help ensure that all application network traffic is appropriately protected. Apple intends to mandate use of App Transport Security [1] for all apps in the Apple App Store unless appropriate justification is given.


Android's Network Security Configuration feature similarly can be used by app developers to help ensure that all of their application network traffic is appropriately protected [2].


Use of Virtual Private Network (VPN) tunnels, e.g. using the IPsec protocol, can help mitigate some types of network attacks as well.

ID: M1009
Version: 1.0
Created: 25 October 2017
Last Modified: 17 October 2018

Techniques Addressed by Mitigation

Domain ID Name Use
Mobile T1466 Downgrade to Insecure Protocols

Application-layer encryption (e.g. use of the Transport Layer Security protocol) or a Virtual Private Network (VPN) tunnel (e.g. using the IPsec protocol) may help mitigate weaknesses in the cellular network encryption.

Mobile T1439 Eavesdrop on Insecure Network Communication
Mobile T1449 Exploit SS7 to Redirect Phone Calls/SMS

Use of end-to-end encryption of voice calls and text messages "provides another layer in the defense against potential information compromise by SS7 enabled eavesdropping."[4]

Mobile T1463 Manipulate Device Communication

App developers should be advised to use the Android Network Security Configuration feature and the iOS App Transport Security feature to gain some level of assurance that app network traffic is protected.[3]

Mobile T1410 Network Traffic Capture or Redirection

This mitigation may not always be effective depending on the method used to encrypt network traffic. In some cases, an adversary may be able to capture traffic before it is encrypted.

Mobile T1467 Rogue Cellular Base Station
Mobile T1465 Rogue Wi-Fi Access Points

Application-layer encryption (e.g. use of the Transport Layer Security protocol) or a Virtual Private Network (VPN) tunnel (e.g. using the IPsec protocol) may help mitigate use of untrusted Wi-Fi networks.

References