Callback Phishing

Callback phishing is a technique where attackers manipulate legitimate applications to call back to malicious servers, typically to steal sensitive information or compromise user data.

Callback phishing is a technique where attackers manipulate legitimate applications to call back to malicious servers, typically to steal sensitive information or compromise user data. Callback phishing can happen when an app unwittingly makes a callback to an attacker-controlled server, believing it’s a genuine service.

2023 Global Mobile Threat Report

How Callback Phishing Compromises a Mobile App

Callback phishing involves manipulating a mobile application into making unauthorized server calls, tricking the app into believing it’s communicating with a legitimate server while interacting with a malicious one. Here’s a technical breakdown of how this compromise occurs:

  • Injection Points: Attackers exploit vulnerabilities in the app, often through injection points like input fields, API endpoints, or even through manipulated responses from external services.
  • Manipulation of Callback URLs: Attackers can intercept or modify communication between the app and the server, altering the URLs or endpoints the app uses for callbacks.
  • DNS Spoofing or Man-in-the-Middle (MITM) Attacks: Attackers may employ DNS spoofing or MITM attacks to redirect the app’s requests to a server controlled by them instead of the legitimate server. MITM attacks enable them to intercept, modify, or steal data transmitted between the app and the server.
  • Phishing Techniques: Social engineering or phishing attacks can deceive the app into believing the malicious server is legitimate. For instance, the app might receive falsified SSL certificates, making the attacker’s server appear trusted.
  • Exploiting Lack of Validation: If the app lacks robust validation of server certificates or doesn’t implement secure communication protocols (like HTTPS), attackers can manipulate these weaknesses to impersonate the legitimate server.
  • Command Injection or Code Modification: Attackers might inject malicious code or commands into the app, altering its behavior to perform callbacks to the attacker’s server instead of the intended legitimate server.
  • Abusing Trusted Components: If the app utilizes third-party libraries or SDKs with vulnerabilities, attackers can exploit these components to manipulate the app’s behavior, redirecting legitimate server calls to malicious servers.

By exploiting these vulnerabilities or weaknesses in the app’s design, attackers can deceive the app into communicating with their malicious server, enabling them to intercept sensitive data, manipulate app functionality, or perform unauthorized actions on behalf of the user without their knowledge. Mobile app developers must actively address these vulnerabilities by implementing robust security measures to prevent callback phishing attacks.

How to Secure A Mobile App from Callback Phishing

Here are some ways mobile app developers can secure their applications from callback phishing:

  • HTTPS and Secure Connections: Ensure all communication between the app and servers happens over secure, encrypted channels (HTTPS). A secure connection prevents attackers from intercepting or manipulating data during transmission.
  • Certificate Pinning: Implement certificate pinning to validate server certificates within the app. Certificate pinning prevents attackers from using fraudulent certificates to intercept communication between the app and servers.
  • Input Validation and Sanitization: To prevent injection attacks, validate and sanitize all user inputs. Callback phishing can sometimes exploit vulnerabilities like SQL injection or command injection to manipulate app behavior.
  • Code Obfuscation and Hardening: Employ code obfuscation techniques to make it harder for attackers to reverse-engineer the app and discover callback points or sensitive functionalities.
  • Secure Coding Practices: Follow secure coding practices and conduct regular security audits to identify and patch vulnerabilities that could lead to callback phishing attacks.
  • User Education and Awareness: Educate users about potential phishing attempts, especially if the app communicates sensitive information. Include warnings and best practices within the app to guide users about safe usage.
  • Continuous Monitoring and Updates: Monitor the app for suspicious activities or unexpected behaviors. Promptly address security vulnerabilities discovered through monitoring and update the app regularly to patch any identified weaknesses.

By implementing these measures, mobile app developers can significantly reduce the risk of callback phishing and enhance the security of their applications.

Differences Between Securing a Mobile App from Callback Phishing in Android Vs. IOS

Securing a mobile app from callback phishing on Android and iOS involves similar principles but may have platform-specific implementations due to their differing architectures and security models. Here are some platform-specific considerations:


  • Permissions Model: Android’s permission system is more granular, allowing developers to specify and control app permissions precisely. Ensure that only necessary permissions are requested and that they align with the app’s functionality to prevent unauthorized data access.
  • Sandboxing: Android apps operate within a sandboxed environment, limiting their access to system resources. Developers should leverage this sandboxing to prevent unauthorized communication or data leakage between apps.
  • Google Play Protect: Utilize Google Play Protect, Google’s built-in malware protection system for Android, to scan apps for potential threats, including callback phishing attempts.
  • Android-specific Security Libraries: Android offers security libraries (such as SafetyNet) that help verify the device’s integrity and detect potential tampering or threats.


  • App Sandbox: Like Android, iOS apps operate within a sandboxed environment, limiting their access to system resources. Leverage this to prevent unauthorized data access or communication.
  • App Transport Security (ATS): iOS enforces ATS, which requires secure connections (HTTPS) by default. Ensure compliance with ATS to prevent insecure communication that might be exploited for callback phishing.
  • Code Signing: iOS requires code signing to ensure that only trusted code runs on the device. Code signing helps prevent tampering or malicious modifications leading to callback phishing.
  • App Store Review Process: iOS apps undergo a strict review process by Apple before being published on the App Store. Compliance with Apple’s guidelines can help identify and mitigate potential callback phishing risks.

While the underlying principles of securing against callback phishing remain consistent across platforms, the specific implementation and tools available on Android and iOS may differ. Developers must understand each platform’s security features and best practices to secure their apps against callback phishing effectively.

Related Content

Receive Zimperium proprietary research notes and vulnerability bulletins in your inbox

Get started with Zimperium today