An attacker is analyzing traffic from a mobile app and finds that sensitive data like...

Insecure communication is defined in CEH’s mobile and IoT security modules as the failure to encrypt sensitive data transmitted between a device and a server. When applications use plain HTTP instead of HTTPS, all traffic—including authentication tokens, user identifiers, and session data—can be monitored and altered by an attacker through network sniffing or man-in-the-middle attacks. CEH emphasizes that insecure transport channels represent one of the most common and critical weaknesses in mobile ecosystems, allowing attackers to harvest credentials or inject malicious commands. Security misconfiguration refers to improper server settings, while SSL pinning issues involve certificate validation bypassing. Insufficient input validation pertains to application-side data validation. None of these align as directly as insecure communication, which precisely describes the unencrypted data exposure.