Continuous Monitoring of TLS Encryption: What Corrata Sees in the Real World


Corrata’s Mobile Endpoint Detection and Response (EDR) solution runs directly on end-user phones and tablets across more than a thousand organizations worldwide. These deployments span a wide range of sectors, including government, finance, healthcare, education, and enterprise services. Corrata protects mobile devices against a broad spectrum of threats, including mobile phishing, spyware, malicious applications, and data leakage, while continuously monitoring devices and their network communications for security weaknesses.

A distinctive capability of the Corrata platform is the continuous assessment of the quality of encryption used by applications and services communicating with mobile devices. Rather than assuming that encryption is present and correctly implemented, Corrata actively evaluates each connection in real time. This includes identifying cases where sensitive data is transmitted without encryption, as well as situations where encryption is present but weakened through the use of outdated TLS versions, expired certificates, or vulnerable cipher suites.

This monitoring is designed to protect against adversary-in-the-middle attacks, in which an attacker with access to any network the device traverses intercepts, modifies, or downgrades its communications. Corrata adopts a zero-trust networking philosophy: every network, whether corporate, home, public Wi-Fi, or cellular, is treated as potentially hostile. Security decisions are therefore based on the observed quality of the connection itself, not on assumptions about where that connection originates.

Below, we illustrate the value of this continuous monitoring by describing real-world vulnerabilities Corrata has uncovered in live production environments.

Devices Transmitting Unencrypted Data

Today, over 99% of connections between mobile devices and web servers use TLS encryption by default. However, a small proportion of websites (often low-traffic, legacy, or internally hosted services) still interact with devices over unencrypted HTTP. In many cases this is relatively benign, involving only the transmission of static or publicly accessible content.

Corrata has nonetheless identified multiple incidents where sensitive data was transmitted to such endpoints without encryption. This traffic typically appeared as HTTP POST requests originating from mobile applications. In several cases, the transmitted data included usernames and passwords sent in plaintext, fully visible to any attacker capable of observing the network traffic.

All such incidents investigated by Corrata involved in-house developed applications. The failure to enforce encryption was usually the result of poor coding practices or insufficient testing, often on the part of third-party development teams. A recurring theme was the rushed release of major application upgrades, in which the requirement to use HTTPS was inadvertently bypassed or incorrectly implemented.

The critical advantage of Corrata’s continuous monitoring lies in speed of detection. In each case, Corrata prevented unencrypted data transmission and alerted the affected organization immediately when the faulty code entered production. This allowed the issue to be remediated quickly, often before any meaningful exposure occurred.

HTTP POST as a Malware Indicator

In a surprisingly high number of cases, the transmission of plaintext data from a mobile device to an external server has proven to be a strong indicator of malware or the presence of unauthorized applications.

In one representative incident, Corrata detected device identifiers and configuration details being sent unencrypted to a remote server. Further investigation revealed that the destination was a third-party Android app store. Such app stores are popular in certain regions but are widely known to distribute malware-infected or trojanized applications.

These stores frequently offer pirated or modified versions of popular messaging applications such as WhatsApp, Facebook Messenger, Signal, and Telegram, as well as social media platforms including TikTok and Snapchat. While these counterfeit apps often promise enhanced features or removed restrictions, they typically result in all user communications being exposed to their criminal publishers.

In this context, unencrypted HTTP POST traffic served as an early warning signal of a far more serious compromise, enabling organizations to identify and remove malicious software before further damage occurred.
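The two kinds of traffic described in this section and the previous one, a login form posted in cleartext and device identifiers reported to an unofficial app store, can be caught by the same check. The following is an added example, not Corrata's code: a small inspector for HTTP/1.x requests seen on a non-TLS flow that flags POST bodies carrying credential-like or device-identifier fields. The field-name patterns and the captured requests are constructed for illustration.

```python
"""Flag cleartext HTTP POSTs that carry credentials or device identifiers.
Added example, not Corrata's code.  The captured requests below are
constructed for illustration; the field-name patterns are assumptions."""
import json
import re
from dataclasses import dataclass
from urllib.parse import parse_qs

# Field names that usually mean a secret or a device identifier is being sent.
CREDENTIAL_RE = re.compile(r"pass(word|wd|phrase)?$|^pwd$|token|secret|api_?key", re.I)
DEVICE_ID_RE = re.compile(r"^imei$|android_id|device_id|serial|advertising_id|^mac$", re.I)


@dataclass
class Alert:
    host: str
    path: str
    credentials: list     # credential-like field names seen in the body
    identifiers: list     # device-identifier field names seen in the body

    @property
    def severity(self) -> str:
        return "high" if self.credentials else "medium"


def parse_request(raw: bytes):
    """Split an HTTP/1.x request into (method, path, headers, body); None if malformed."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], headers, body


def body_fields(headers: dict, body: bytes) -> dict:
    """Decode a flat JSON or form-encoded body into {field: value}; other types are ignored."""
    ctype = headers.get("content-type", "")
    if "json" in ctype:
        try:
            obj = json.loads(body.decode("utf-8", "replace"))
        except ValueError:
            return {}
        return obj if isinstance(obj, dict) else {}
    if "x-www-form-urlencoded" in ctype:
        return {k: v[0] for k, v in parse_qs(body.decode("latin-1")).items()}
    return {}


def inspect_cleartext_post(raw: bytes):
    """Call on requests observed on a non-TLS flow.  Returns an Alert or None."""
    parsed = parse_request(raw)
    if parsed is None or parsed[0] != "POST":
        return None
    _, path, headers, body = parsed
    names = list(body_fields(headers, body))
    creds = sorted(n for n in names if CREDENTIAL_RE.search(n))
    ids = sorted(n for n in names if DEVICE_ID_RE.search(n))
    if not creds and not ids:
        return None
    return Alert(headers.get("host", "?"), path, creds, ids)


# Constructed captures of the two kinds of traffic described above.
LOGIN_POST = (
    b"POST /api/v2/login HTTP/1.1\r\n"
    b"Host: legacy-api.example.internal\r\n"
    b"Content-Type: application/json\r\n"
    b"Content-Length: 49\r\n"
    b"\r\n"
    b'{"username": "jsmith", "password": "Winter2024!"}'
)
APPSTORE_POST = (
    b"POST /stats/report HTTP/1.1\r\n"
    b"Host: market.example-store.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"\r\n"
    b"imei=356938035643809&android_id=9774d56d682e549c&pkg=com.example.modded"
)
STATIC_GET = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"

if __name__ == "__main__":
    for raw in (LOGIN_POST, APPSTORE_POST, STATIC_GET):
        print(inspect_cleartext_post(raw))
```

Credentials in the body are the high-severity case; identifiers alone are a medium-severity lead that, as described above, often points at an unauthorized app rather than a bug in an in-house one. The inspector only decodes flat JSON and form bodies; multipart or nested payloads would need their own decoding before the same field check applies.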

Poor Maintenance of Sensitive Servers

In regulated sectors such as finance and healthcare, failing to enforce strong encryption is not merely poor security practice—it can constitute a regulatory breach. Such failures can expose organizations to fines, penalties, and significant reputational harm.

Corrata has encountered several instances where encryption was correctly configured on some, but not all, servers supporting a critical application. In each case, the root cause was architectural rather than malicious. The application was hosted across multiple backend servers behind a load balancer.

Although testing had been performed prior to deployment, it did not cover every server in the pool: a test that connects through the load balancer only exercises whichever backend the balancer happens to select. As a result, some production traffic was intermittently routed to hosts using weak or deprecated cipher suites. These failures only became apparent when employees using Corrata accessed the application under real-world conditions, at which point the issue was detected and resolved.

Use of Vulnerable TLS Versions and Cipher Suites

The TLS standard has evolved significantly over time. Today, TLS 1.2 and TLS 1.3 are considered secure when used with strong cipher suites, while SSL 3.0, TLS 1.0, and TLS 1.1 are deprecated and should no longer be offered. Despite this, Corrata continues to observe cases where websites support weak ciphers or where specific device and browser combinations end up negotiating an insecure protocol version or cipher suite.
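The load-balancer case in the previous section and the weak-cipher cases here come down to the same two steps: observe what each server actually negotiates, then grade the handshake. The following added example (not Corrata's product code) does both in Python: `probe` handshakes directly with one backend address while presenting the application hostname via SNI, so every host in the pool is exercised rather than whichever one the balancer picks, and `assess` grades a handshake on protocol version, cipher suite, and certificate expiry. The backend addresses, the observations, and the thresholds are assumptions.

```python
"""Assess TLS handshakes and audit every backend behind a load balancer.
Added example, not Corrata's product code.  The pool addresses, the
observations and the thresholds below are assumptions for illustration."""
import datetime as dt
import socket
import ssl
from dataclasses import dataclass


@dataclass
class TlsObservation:
    backend: str              # address actually connected to
    version: str              # as reported by SSLSocket.version(), e.g. "TLSv1.2"
    cipher: str               # OpenSSL cipher name, e.g. "ECDHE-RSA-AES128-GCM-SHA256"
    not_after: dt.datetime    # certificate expiry, UTC


DEPRECATED_VERSIONS = {"SSLv3", "TLSv1", "TLSv1.1"}      # RFC 7568 and RFC 8996
BROKEN_CIPHER_TAGS = ("RC4", "DES", "NULL", "EXP", "MD5", "ANON")
EXPIRY_WARNING = dt.timedelta(days=14)                    # assumed renewal lead time


def assess(obs: TlsObservation, now: dt.datetime) -> list:
    """Return a list of findings; an empty list means the handshake looked healthy."""
    findings = []
    if obs.version in DEPRECATED_VERSIONS:
        findings.append(f"deprecated protocol {obs.version}")
    name = obs.cipher.upper()
    if any(tag in name for tag in BROKEN_CIPHER_TAGS):
        findings.append(f"weak cipher {obs.cipher}")
    elif obs.version == "TLSv1.2" and not name.startswith(("ECDHE", "DHE")):
        # Static RSA key exchange: a leaked server key decrypts recorded traffic.
        findings.append(f"no forward secrecy ({obs.cipher})")
    if obs.not_after <= now:
        findings.append("certificate expired")
    elif obs.not_after - now < EXPIRY_WARNING:
        findings.append(f"certificate expires within {EXPIRY_WARNING.days} days")
    return findings


def probe(hostname: str, backend: str, port: int = 443, timeout: float = 5.0) -> TlsObservation:
    """Handshake with one backend directly, bypassing the load balancer, and record what it offered.
    The default context verifies the certificate and refuses deprecated versions, so a backend
    that offers nothing acceptable raises ssl.SSLError instead of returning an observation."""
    ctx = ssl.create_default_context()
    with socket.create_connection((backend, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            expiry = ssl.cert_time_to_seconds(tls.getpeercert()["notAfter"])
            return TlsObservation(
                backend, tls.version(), tls.cipher()[0],
                dt.datetime.fromtimestamp(expiry, dt.timezone.utc),
            )


def audit_pool(observations, now: dt.datetime) -> dict:
    """Map each backend to its findings, so the odd one out in a pool stands out."""
    return {o.backend: assess(o, now) for o in observations}


# Constructed observations: one backend in the pool was never re-provisioned.
NOW = dt.datetime(2025, 3, 1, tzinfo=dt.timezone.utc)
POOL = [
    TlsObservation("10.0.0.11", "TLSv1.3", "TLS_AES_256_GCM_SHA384", NOW + dt.timedelta(days=200)),
    TlsObservation("10.0.0.12", "TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256", NOW + dt.timedelta(days=200)),
    TlsObservation("10.0.0.13", "TLSv1.2", "AES128-SHA", NOW + dt.timedelta(days=3)),
]

if __name__ == "__main__":
    for backend, findings in audit_pool(POOL, NOW).items():
        print(backend, "OK" if not findings else "; ".join(findings))
```

On a live pool, run `probe` against each backend address in turn (the addresses come from the balancer's configuration, not from DNS for the public hostname) and pass the results to `audit_pool`; catch `ssl.SSLError` per backend and record it as a finding, since a host that cannot complete a modern handshake is exactly the kind of host this section describes.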

Most such cases involve rarely used consumer services and are mitigated simply by blocking the connection. Where appropriate, Corrata acts as a responsible corporate citizen by notifying service operators so they can remediate the issue.

On rarer occasions, weak encryption has been identified on newly adopted SaaS platforms. In these cases, Corrata customers have escalated the issue to the vendor, leading to corrective action and improved security for all users.

Conclusion

TLS is a foundational component of modern information security. Even minor operational errors—such as expired certificates, misconfigured servers, or outdated cipher support—can introduce significant risk. Ensuring that encryption is not only present, but consistently and correctly implemented, is essential to protecting sensitive communications.

Corrata’s continuous monitoring of mobile device communications provides a critical safeguard that goes well beyond the upfront testing typically performed when new applications or SaaS services are introduced. By validating encryption quality in real-world conditions, on real devices, and across all networks, Corrata helps organizations detect and remediate vulnerabilities before they can be exploited.

Related Resources

Read the latest news on endpoint threat detection and response from the experts.

  • An Overview of Data Loss Prevention (DLP)
  • Landfall: Detecting Spyware in the Wild
  • The Hidden Security Risks of AdInt