How to Use Client Certificates to Validate Mobile Apps, protect against bots

This Knowledge Base article explains how to use client certificates in mobile applications to protect the server from establishing connections with malicious bots or compromised endpoints. The application uses its client certificate to prove its identity to its trusted server, and the server validates the legitimacy of that certificate while negotiating the SSL/TLS handshake.

Background

Mobile apps connect to all sorts of external services. They connect to their host server to authenticate users, to download content, to connect to other mobile resources, and more. Mobile apps also connect to third-party services embedded in the app, such as payment providers, analytics vendors, location services, and more. As a mobile app connects with the outside world, hackers and malicious parties exploit weaknesses in the communications or transport layer to conduct network-based attacks that target the mobile application backend. For example, attackers often use techniques like session hijacking, fake or forged digital certificates, or automated malicious bots or scripts designed to attack infrastructure using click fraud, credential stuffing or other large-scale automated attacks. In fact, OWASP, a leading nonprofit foundation that works to improve the security of software, lists insecure communication as one of its OWASP Mobile Top 10 risks.

Digital Certificates Explained

Before we get into the details of how Mobile Client Certificates protect servers against malicious clients, let’s take a step back and cover SSL/TLS basics, starting with what digital certificates are and how they work. In public key infrastructure (PKI), a digital certificate, or X.509 certificate, is an electronic document used to prove the ownership of a public key. The certificate includes information about the key, information about the identity of its owner, and the digital signature of an entity that has verified the certificate’s contents. If the signature and certificate are valid, then the two parties can communicate securely using the TLS protocol.


Below is a screenshot describing a typical SSL/TLS Handshake:

[Image: SSL/TLS handshake diagram]

There are 2 main types of SSL/TLS certificates – client certificates and server certificates. This KB article covers Client Certificates, which are digital certificates used by client systems (in this case an Android or iOS application) to prove their identity to the remote server as part of the SSL/TLS handshake. Server Certificates, used by servers to prove their identity to mobile clients, are covered in another KB article.

Client Certificates are used by the mobile application to prove its identity and authenticity to the server. The primary purpose of this feature is to protect the mobile application’s servers or backend from compromised endpoints, such as malicious bots. The trusted client certificates are stored securely (encrypted) inside the mobile app. For every connection, the application presents its certificate along with a unique password/secret to the server for inspection and validation as part of the SSL/TLS handshake. By only allowing connections from apps whose client certificates it can validate, the server is protected from connecting to malicious or compromised clients such as automated bots.

How to Use Mobile Client Certificates to Ensure Only Valid Apps can Connect to Servers

Mobile Client Certificates – Using Appdome’s no-code mobile app security platform you can embed the trusted, approved client certificate (a client P12/PKCS#12 bundle) inside the application, where it is stored securely (encrypted using AES-256). For every connection, the application presents its unique certificate along with a unique password/secret to the server for inspection and validation as part of the SSL/TLS handshake. The server then validates the certificate and the client’s proof that it holds the matching private key; if both check out, the server knows it can trust the client/app and establishes the secure session. This protects the backend servers and infrastructure against connections originating from compromised endpoints or malicious bots. In order to use Appdome’s Mobile Client Certificates feature, the server must be configured to validate incoming connections based on client certificates.
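As an added illustration (not part of this article and not Appdome’s code), the following Go program models the server-side validation described above. It issues an in-memory CA, a server certificate and a client certificate, starts a loopback TLS server configured to require and verify client certificates, and shows that a client holding a certificate from the trusted CA is admitted, while a client with a certificate from an unrelated CA, or with no certificate at all, is refused during the handshake. The names demo-ca, genuine-mobile-app, rogue-ca and bot, and the helper functions issue, asTLS, handshake and Demo, are constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err) // demo only: a real service would return the error instead
	}
}

// issue creates a key pair and a certificate for cn signed by parent/parentKey; with
// isCA it is self-signed and marked as a CA. Everything is generated in memory for
// this example; a real deployment issues app certificates from a managed PKI.
func issue(cn string, isCA bool, eku x509.ExtKeyUsage, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // demo serial; real CAs use random serials
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		IPAddresses:  []net.IP{net.IPv4(127, 0, 0, 1)}, // lets the server cert match the loopback address
	}
	if isCA {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key // self-signed
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{eku}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

func asTLS(cert *x509.Certificate, key *ecdsa.PrivateKey) tls.Certificate {
	return tls.Certificate{Certificate: [][]byte{cert.Raw}, PrivateKey: key}
}

// handshake runs one connection against a server that requires a client certificate
// chaining to ca; clientCert == nil means "present nothing". It returns nil only
// when the server accepted the client.
func handshake(ca *x509.Certificate, server tls.Certificate, clientCert *tls.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{server},
		ClientAuth:   tls.RequireAndVerifyClientCert, // the server-side setting this article depends on
		ClientCAs:    pool,                           // only certificates issued by this CA are trusted
	})
	check(err)
	defer ln.Close()
	verdict := make(chan error, 1)
	go func() {
		c, err := ln.Accept()
		if err == nil {
			defer c.Close()
			err = c.(*tls.Conn).Handshake() // fails when no trusted client cert is presented
		}
		verdict <- err
	}()
	cfg := &tls.Config{RootCAs: pool, ServerName: "127.0.0.1"}
	if clientCert != nil {
		cfg.Certificates = []tls.Certificate{*clientCert}
	}
	conn, err := tls.Dial("tcp", ln.Addr().String(), cfg)
	if err != nil {
		return err // TLS 1.2: the client already sees the rejection during Dial
	}
	defer conn.Close()
	return <-verdict // TLS 1.3: the server's verdict lands after the client's Dial returns
}

// Demo issues one CA for the genuine app and an unrelated CA for a bot, then
// reports which clients the server admits.
func Demo() (appAccepted, botRejected, noCertRejected bool) {
	ca, caKey := issue("demo-ca", true, 0, nil, nil)
	srv, srvKey := issue("127.0.0.1", false, x509.ExtKeyUsageServerAuth, ca, caKey)
	app, appKey := issue("genuine-mobile-app", false, x509.ExtKeyUsageClientAuth, ca, caKey)
	rogueCA, rogueKey := issue("rogue-ca", true, 0, nil, nil)
	bot, botKey := issue("bot", false, x509.ExtKeyUsageClientAuth, rogueCA, rogueKey)
	server, appCert, botCert := asTLS(srv, srvKey), asTLS(app, appKey), asTLS(bot, botKey)
	appAccepted = handshake(ca, server, &appCert) == nil
	botRejected = handshake(ca, server, &botCert) != nil
	noCertRejected = handshake(ca, server, nil) != nil
	return
}

func main() {
	a, b, c := Demo()
	fmt.Printf("genuine app accepted: %v\nuntrusted cert rejected: %v\nno cert rejected: %v\n", a, b, c)
}
```

In a real deployment the app’s P12 bundle would be decoded with a PKCS#12 library into the same kind of tls.Certificate, and the server’s trusted pool would hold the CA that issued the app certificates. The `RequireAndVerifyClientCert` setting here is the Go equivalent of what the prerequisite “server must be configured to validate incoming connections based on client certificates” refers to; other servers expose the same switch under their own names (for example nginx’s `ssl_verify_client on`). Note that under TLS 1.3 the client only learns of a rejection after its own side of the handshake completes, which is why the example waits for the server’s verdict rather than trusting a successful Dial.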

5 Easy Steps to Use Mobile Client Certificates in Android & iOS apps

Please follow these 5 easy steps to add Mobile Client Certificates to any iOS and Android app using Appdome.

  1. Upload an Android or iOS app to Appdome’s no-code security platform (.apk, .aab, or .ipa)
  2. In the Build tab, under Security, expand Secure Communication; under Bot Defense, switch ON Mobile Client Certificates
  3. Upload the client’s private certificate and key (client P12/PKCS#12 bundle) for authentication
  4. Enter the unique password for the P12 certificate (as shown below)
  5. Click Build My App

[Image: Mobile Client Certificates option under Bot Defense in the Build tab]

[Image: Appdome build success message]

Prerequisites

Here’s what you need to build secured apps with Mobile Client Certificates:

  • Appdome account (if you don’t have an Appdome account, create a free Appdome account here)
  • Mobile app (.ipa for iOS, or .apk or .aab for Android)
  • P12 certificate, together with its password
  • Server configured to validate incoming connections based on client certificates
  • Signing credentials (e.g., signing certificates and provisioning profile)

No Coding Dependency

Using Appdome, there are no development or coding prerequisites to build secured apps. There is no SDK and no library to manually code or implement in the app. The Appdome technology adds the relevant standards, frameworks, and logic to the app automatically, with no manual development work at all.

How to Sign & Publish Secured Mobile Apps Built on Appdome

After successfully securing your app using Appdome, there are several available options to complete your project, depending on your app lifecycle or workflow. These include:


Or, see this quick reference Releasing Secured Android & iOS Apps built on Appdome.

How To Learn More?

Read other Secure Communication Knowledge Base articles:

Secure Certificate Pinning

MitM attack prevention

Learn more about Appdome Platform or request a demo at any time.

If you have any questions, please send them our way at support@appdome.com or via the chat window on the Appdome platform.

Thank you!


Liron Dror
