This Knowledge Base explains how to use mobile client certificates in mobile applications for the purpose of protecting the server from establishing connections with malicious bots or compromised endpoints. The application uses client certificates as a means of proving its identity to its trusted server and allowing the server to validate the legitimacy of the client certificate during the process of negotiating the SSL/TLS handshake.
Mobile apps connect to all sorts of external services. They connect to their host server to authenticate users, to download content, to connect to other mobile resources, and more. Mobile apps also connect to 3rd party services embedded in the app, such as payment providers, analytics vendors, location services, and more. As a mobile app connects with the outside world, hackers and malicious parties exploit weaknesses in the communications or transport layer to conduct network-based attacks that target the mobile application backend. For example, attackers often use techniques like session hijacking, fake or forged digital certificates, or automated malicious bots or scripts designed to attack infrastructure using click fraud, credential stuffing or other large-scale automated attacks. In fact, OWASP, a leading nonprofit foundation that works to improve the security of software, lists insecure communication as one of its OWASP Mobile Top 10 risks.
Before we get into the details of how Mobile Client Certificates protect servers against malicious clients, let’s take a step back and cover SSL/TLS basics starting with explaining what digital certificates are and how they work. In cryptography (PKI), a digital certificate, or X.509 certificate is an electronic document used to prove the ownership of a public key. The certificate includes information about the key, information about the identity of its owner, and the digital signature of an entity that has verified the certificate’s contents. If the signature and certificate are valid, then the 2 parties can communicate securely using the TLS protocol.
Below is a screenshot describing a typical SSL/TLS Handshake:
There are 2 main types of SSL/TLS certificates – client certificates and server certificates. This KB article covers Client Certificates, which are digital certificates used by client systems (in this case an Android or iOS application) to prove their identity to the remote server as part of the SSL/TLS handshake. Server Certificates, used by servers to prove their identity to mobile clients, are covered in another KB article.
Client Certificates are used by the mobile application to prove its identity and authenticity to the server. The primary for this feature is to protect the mobile application’s servers or backend from compromised endpoints, such as malicious bots. The trusted client certificates are stored securely (encrypted) inside the mobile app. For every connection, the application presents its certificate along with a unique password/secret to the server for inspection and validation as part of the SSL/TLS handshake. By only allowing connections to apps whose client certificates it can validate, the server is protected from connecting to malicious or compromised clients such as automated bots.
Mobile Client Certificates – Using Appdome’s no-code mobile app security platform you can embed the trusted, approved client certificates (client P12/PKCS) inside the application, where it is securely stored (encrypted using AES-256). For every connection, the application presents its unique certificate along with a unique password/secret to the server for inspection and validation as part of the SSL/TLS handshake. The server then inspects the certificate using its private key to ensure that it matches, in which case the server knows it can trust the client/app and establish the secure session. This protects the backend servers and infrastructure against connections originating from compromised endpoints or malicious bots. In order to use Appdome’s Mobile Client Certificates feature, the server must be configured to validate incoming connections based on client certificates.
Please follow these 5 easy steps to add Mobile Client Certificates to any iOS and Android app using Appdome.
Here’s what you need to build secured apps with Mobile Client Certificates
After successfully securing your app using Appdome, there are several available options to complete your project, depending on your app lifecycle or workflow. These include:
Or, see this quick reference Releasing Secured Android & iOS Apps built on Appdome.
Read other Secure Communication Knowlege Base Articles:
If you have any questions, please send them our way at firstname.lastname@example.org or via the chat window on the Appdome platform.
Thanks for visiting Appdome! Our mission is to secure every app on the planet by making mobile app security easy. We hope we’re living up to the mission with your project. If you don’t already have an account, you can sign up for free.