Learn how to to Enforce SSL TLS Certificate Roles in Android & iOS Apps to protect mobile app data-in-transit and ensure safe connections.
Let’s get back to basics: How does your application know that the resource it’s accessing is truly
Well, during the connection’s negotiation, the remote service presents its certificate which roughly has two interesting parameters:
But how do we trust the issuer? Well, the issuer also has an issuer of its own, and this goes all the way up to an issuer that’s trusted by the platform on which your application runs.
The certificate presented by the server is called a “leaf” certificate, while each issuer is called a CA (Certificate Authority). These are, in essence, the roles of these certificates.
For example, the “chain-of-trust” in a normal connection might be:
*.your-company-domain.comsigned by “Go Daddy Secure Certificate Authority – G2”
However, there is no functional difference between certificates, regardless of their roles. So while leaf certificates are not meant to be used as certificate-authorities, each certificate can be used to sign another certificate. This makes the following chain also 100% correct:
*.malicious-domain.comsigned by “Go Daddy Secure Certificate Authority – G2”
So your application could blindly trust a connection to
www.malicious-domain.com, thinking it is
So how can this be enforced? Very simple, just include in each certificate information about its role. This is a common extension called “Basic-Constraints”.
The catch is that if a certificate does not have this extension, an SSL(TLS) implementation won’t enforce it.
This is why it’s important to enforce the presence of the Basic-Constraints extension and the roles of the certificates in the chain.
Implementing and especially maintaining such measures is a difficult task. Sometimes the source code is not available, and more often the services are on uncontrolled endpoints.
Appdome is a no-code mobile app security platform designed to add security features, like Certificate Role Enforcement to Android & iOS apps without coding. This KB shows mobile developers, DevSec and security professionals how to use Appdome’s simple ‘click to build’ user interface to quickly and easily protect mobile data in transit.
Please follow these 3 easy steps to Enforce TLS Certificate Roles in Android & iOS Apps
Appdome’s no-code mobile app security platform offers mobile developers, DevSec and security professionals a convenient and reliable way to protect Android and iOS apps with Enforce Certificate Roles. When an Appdome user clicks “Build My App,” Appdome leverages a microservice architecture filled with 1000s of security plugins, and an adaptive code generation engine that matches the correct required plugins to the development environment, frameworks, and methods in each app.
Here’s what you need to build secured apps with Enforce TLS Certificate Roles
After successfully securing your app using Appdome, there are several available options to complete your project, depending on your app lifecycle or workflow. These include:
Or, see this quick reference Releasing Secured Android & iOS Apps built on Appdome.
You can read more about CA certificates here.
If you are interested in securing other aspects of TLS, you can check out how you can Enforce Communications’ Cipher Suites.
You can also enforce the version of the TLS protocol.
This feature is just one of many offered in the course of Trusted Session Inspection.
To zoom out on this topic, visit Appdome for Mobile App Security on our website.
If you have any questions, please send them our way at firstname.lastname@example.org or via the chat window on the Appdome platform.
Thanks for visiting Appdome! Our mission is to secure every app on the planet by making mobile app security easy. We hope we’re living up to the mission with your project. If you don’t already have an account, you can sign up for free.