by LeifCarrotson 3730 days ago
Don't use insecure WiFi networks, or if you do, use a VPN. That prevents you from getting these images injected by people sitting near you on the same network.

And don't visit web sites controlled by people who would do this, or linking to ad networks controlled by people who would do this. That's a little more out of your hands...


One, I don't know anyone who doesn't use non-secure WiFi networks & even if they don't, they typically still do without knowing, ergo., the 'attwifi' situation. Two, I've reviewed a number of VPN solutions over the years and they are far from perfect. Amongst some of my more notable findings:

1) Banner / update text delivered via HTTP to the client in a fully renderable state within the VPN client. Yeah, that was a fairly common issue many years ago and could be used to hijack the application UX to ask the user for things like their password.

2) Split tunneling. Some VPN providers will send HTTP traffic through the VPN while sending HTTPS traffic out the hostile leg of the VPN. This is cool and all until you use an application which doesn't properly validate the server public and then boom, a bad guy can get in the middle. Over the last half decade I've reported said flaw (failure to properly validate the server public) to over three dozen financial institutions, a couple anti-virus companies, and a major automotive manufacturer. It's real, it happens. Not to mention the Superfish and related situations.

Three, femtocells. Even if a bad actor can't get to someone's mobile computer (phone) via WiFi, they sure can by forcing it to negotiate a vulnerable cellular protocol and simply inject from there.
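The cellular-downgrade point above is usually countered on the defender side by watching the handset's radio access technology (RAT) and flagging a sudden drop from LTE/3G to a GSM-era mode. The script below is an added example, not code from the thread or from any app mentioned in it; the one-line-per-state-change log format (`<timestamp> rat=<tech> cell=<id>`) and the sample lines are constructed for illustration, as is the choice of which RATs count as "legacy".

```python
"""Flag cellular radio downgrades to a 2G-era technology in a radio-status log.

Added example for the HN thread above; the log format, the RAT grouping and
the sample lines are constructed assumptions, not real device output.
"""
import re
from dataclasses import dataclass

# GSM-era technologies: no mutual network authentication in practice, so a
# forced drop into one of these is the condition the thread warns about.
LEGACY_RATS = {"GSM", "GPRS", "EDGE"}
# Technologies where the network authenticates itself to the handset.
MODERN_RATS = {"UMTS", "HSPA", "LTE", "NR"}

# Assumed log line shape: "<timestamp> rat=<technology> cell=<cell id>"
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+rat=(?P<rat>\w+)\s+cell=(?P<cell>\w+)$")


@dataclass
class Downgrade:
    ts: str
    from_rat: str
    to_rat: str
    new_cell: str
    cell_unknown: bool  # True if this cell id was never seen on a modern RAT


def parse_line(line):
    """Return (timestamp, RAT, cell id) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("ts"), m.group("rat").upper(), m.group("cell").upper()


def find_downgrades(lines):
    """Return one Downgrade per transition from a modern RAT straight to a legacy one.

    A downgrade onto a cell id that was never observed on a modern RAT is
    marked cell_unknown, which is the more suspicious of the two cases.
    """
    events = []
    prev = None
    modern_cells = set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # tolerate noise rather than abort the whole scan
        ts, rat, cell = parsed
        if rat in MODERN_RATS:
            modern_cells.add(cell)
        if prev is not None and prev[1] in MODERN_RATS and rat in LEGACY_RATS:
            events.append(Downgrade(ts, prev[1], rat, cell, cell not in modern_cells))
        prev = (ts, rat, cell)
    return events


# Constructed sample log (not captured from a real handset).
SAMPLE_LOG = [
    "2015-01-01T10:00:00Z rat=LTE cell=0A1B",
    "2015-01-01T10:05:00Z rat=LTE cell=0A1B",
    "this line is not parseable",
    "2015-01-01T10:06:30Z rat=GSM cell=FFFF",
    "2015-01-01T10:20:00Z rat=LTE cell=0A1B",
    "2015-01-01T10:30:00Z rat=UMTS cell=0A1C",
    "2015-01-01T10:31:00Z rat=EDGE cell=0A1C",
]

if __name__ == "__main__":
    for d in find_downgrades(SAMPLE_LOG):
        flag = " (cell never seen on LTE/3G)" if d.cell_unknown else ""
        print(f"{d.ts}: {d.from_rat} -> {d.to_rat} on cell {d.new_cell}{flag}")
```

On the constructed log this reports two events: the LTE-to-GSM drop onto an unseen cell and the UMTS-to-EDGE drop onto a cell that had been used on 3G. Real handsets do fall back to 2G in poor coverage, so the unknown-cell flag is there to separate ordinary fallback from the case worth acting on.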

Can you elaborate on the femtocell vector and mitigation strategies?

Here's a good intro:

https://webcache.googleusercontent.com/search?q=cache:7r-Vd2...

Mitigation? Effectively none for end-users. You can always monitor your connection and if you go down to 2G, run. But no one does that. You can also test each and every app on your phone to ensure:

a) It's using HTTPS for every request / response which is rendered in the app & b) It's validating the server public. This one's easier said than done and well beyond the capabilities of most pen-testers. They might think they have it covered but rarely test for all man in the middle conditions.
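Both the earlier comment's point about applications that do not validate the server certificate and this comment's checks a) and b) come down to two settings in the client's TLS configuration. The block below is an added example, not code from the thread: it builds a client context the way Python's `ssl` module recommends, shows the non-validating form beside it, and gives an audit function that reports the two weak settings plus a plaintext-URL check. The `fingerprint`/`certificate_pin_matches` helpers implement whole-certificate pinning and are my own addition; the `cert_der` bytes used with them in the usage note are constructed, not a real certificate.

```python
"""Audit a TLS client configuration for the two failures the thread describes:
content fetched over plain HTTP, and a client that accepts any server certificate.

Added example for the HN thread above, not code from the thread or from any
product mentioned in it. Uses only the Python standard library.
"""
import hashlib
import hmac
import ssl
from urllib.parse import urlsplit


def secure_client_context():
    """Baseline client context: CERT_REQUIRED, hostname checking, system trust store."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse legacy protocol versions
    return ctx


def insecure_client_context():
    """What 'not validating the server public' looks like: any certificate is accepted.

    check_hostname must be cleared before verify_mode is relaxed, otherwise the
    ssl module raises; that ordering is itself a hint that this is a bad idea.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx):
    """Return a list of findings for the context; an empty list means it validates."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: server certificate is never checked")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: certificate is not matched to the host")
    return findings


def audit_url(url):
    """Check a) from the thread: content rendered in the app must travel over HTTPS."""
    scheme = urlsplit(url).scheme.lower()
    if scheme != "https":
        return [f"{url}: fetched over {scheme or 'unknown scheme'}, not HTTPS"]
    return []


def audit_request(url, ctx):
    """Combine both checks for one outbound request."""
    return audit_url(url) + audit_context(ctx)


def fingerprint(cert_der):
    """SHA-256 fingerprint of a DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(cert_der).hexdigest()


def certificate_pin_matches(cert_der, pinned_sha256_hex):
    """Whole-certificate pin check with a constant-time comparison.

    Pinning is a supplement to, not a replacement for, CERT_REQUIRED and
    hostname checking: it narrows which valid certificates are accepted.
    """
    return hmac.compare_digest(fingerprint(cert_der), pinned_sha256_hex.lower())


if __name__ == "__main__":
    for name, ctx in (("secure", secure_client_context()),
                      ("insecure", insecure_client_context())):
        print(name, audit_request("https://example.test/api", ctx) or "OK")
    print("banner", audit_request("http://example.test/banner", secure_client_context()))
    cert_der = b"constructed-der-bytes-for-illustration"  # not a real certificate
    print("pin ok:", certificate_pin_matches(cert_der, fingerprint(cert_der)))
```

Run stand-alone it prints no findings for the secure context, two for the insecure one, and flags the plain-HTTP banner URL; the pin check passes only for the fingerprint it was given. Note that `audit_context` inspects configuration, not behaviour: an app can still break validation in a custom verify callback, which is why the comment above says the real test is exercising the man-in-the-middle conditions themselves.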

I've not looked at it in detail, but someone I know tried out Network Signal Info on Android claiming it could help detect a femtocell attack:

https://play.google.com/store/apps/details?id=de.android.tel...

However, they didn't really know what the app was telling them and kept accusing me of running a femtocell so I wasn't impressed. As far as I'm concerned it's an interesting app to use in attempting to get a confession out of someone you are pretty sure is running a femtocell but likely if that person is running a femtocell they wouldn't "fall for it."