How to Block Mobile App Bots Using Private Certs & CAs
Last updated May 18, 2021 by Paul Levasseur
Security-conscious organizations use SSL so their applications can validate the authenticity of servers and use encryption to secure the communication. IT administrators can create and sign an SSL certificate using their private CA to allow managed devices and applications to validate and access authorized private servers.
This Knowledge Base article provides step-by-step instructions for using Appdome to add SSL Certificates which were signed by a Private CA to any Android and iOS mobile app. This enables security-conscious enterprises to provide their users secure mobile access to protected internal services.
About Using Private Server Certificates to Block Bots
The Appdome Private Server Certificates and Authorities feature makes it easy to load apps with the public certificates of a private CA during Fusion and to allow those apps to connect to private servers.
Appdome also allows you to Auto-Pin Trusted Domains, a feature that automatically downloads and pins all server certificates from connections that the app establishes, which is particularly helpful for testing purposes.
The Appdome technology adds the server certificates and the relevant handling to the application automatically and encrypts them using a highly secure mechanism, with no manual development work at all. With Appdome there are no development or coding prerequisites: there is no Appdome SDK, library, or plug-in to implement. Likewise, there are no required infrastructure changes and no dependency on HTTP frameworks or any other networking library inside the application.
What is Needed for SSL to Work?
To get started with SSL, administrators submit a certificate signing request (CSR) containing their contact, company, and server information to a CA.
The CA validates this information and generates SSL certificates, signed with the CA's private key, that are loaded onto the servers. Any application that has the CA's public certificate can then validate the server and establish an encrypted connection between the app and the server.
In particular, SSL is used when you make HTTPS connections, such as from a web browser. IT administrators have a choice to use public or private CAs.
An advantage of using a public CA is that trusted root authority public CA certs come pre-installed on iOS, Android, and web browsers. Thus, any client can open an SSL connection to any server with a certificate from a trusted public CA. The disadvantage is that producing a trusted certificate from a public CA is costly and not always necessary.
Using a private CA avoids the cost of a public CA certificate, but has the downside that clients will normally refuse connections to servers they cannot verify. An attempt by a mobile app to open a secure connection to a private server without a properly installed certificate will fail with an error like the one shown here.
Figure 1: Example of an SSL error on a mobile device
This is because the mobile operating system cannot validate the authenticity of the private CA that signed the SSL certificate on the server.
Appdome allows you to get around the private CA problem by adding the self-signed certificates to the app during Fusion.
Learn the Easy Steps to Block Mobile App Bots Using Private Certs & CAs
Follow these step-by-step instructions to add Private Server Certificates and Authorities to Any Mobile App:
Select the Build Tab. Note: a blue underline will appear showing the step is active.
Beneath the Build Tab, you will find several service options. Select Access. Note: a blue highlight will appear showing the category is active.
To enable Certificate Pinning:
Open the Appdome Access Suite section
Click and expand Private Server Certificates and Authorities
Toggle Certificate Pinning on
Add your certificates zip file
Click Build My App
To enable Auto-Pin Trusted Domains:
Open the Appdome Access Suite section
Click and expand Private Server Certificates and Authorities
Toggle Auto-Pin Trusted Domains on
Click Build My App
Note: Auto-Pin Trusted Domains and manually pinning certificates are mutually exclusive; selecting one will toggle the other off.
The certificate chain will be validated against the certificates you specify during your Fusion. The technology behind Build My App has two major elements: (1) a microservice architecture filled with thousands of code sets needed for mobile integrations, and (2) an adaptive code generation engine that recognizes the development environment, frameworks, and methods in each app and matches the app to the relevant code sets needed to add certificates and validate them, in seconds. This includes, for example, the code for trusting specific private CAs inside an app, work that a developer would ordinarily need to do by hand.
Congratulations! You now have a mobile app fully integrated with Private Server Certificates and Authorities.
Prerequisites for using Appdome Private Server Certificates and Authorities
In order to use Appdome’s no code implementation of Private Server Certificates and Authorities on Appdome, you’ll need:
Mobile App (.ipa for iOS, or .apk or .aab for Android)
Public certificate of the Private CA, including any Intermediate CA certs if used, and the privately signed SSL certificate that is loaded on the destination server, all in DER format. These are typically .cer or .crt files (not .pem files, which are Base64-encoded).
Add these to a zip file, give it a name of your choice such as Private-Certs-DER.zip, and note its location. This zip file will be uploaded to Appdome in the following steps. Note: the zip file can contain multiple CA and SSL server certs.
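The following Go program is an added example, not Appdome code and not part of the original article, that shows in miniature what the sections above describe: a private root CA signs an intermediate CA, the intermediate signs a server certificate (the chain the prerequisites ask you to zip in DER form), and a client then validates that chain with and without the private root, the second case being the "cannot validate the CA" failure of Figure 1. It uses only the Go standard library; the CA names, serial numbers, and the host name intranet.example.internal are constructed values for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Chain is a constructed private PKI: a self-signed root CA, an intermediate
// CA it signed, and a server certificate signed by the intermediate. The DER
// bytes the prerequisites section asks for are each certificate's Raw field.
type Chain struct{ Root, Intermediate, Server *x509.Certificate }

// issue generates a fresh P-256 key for tmpl and has parent sign it with
// signer (self-signed when parent is nil). Errors panic: example setup only.
func issue(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// BuildChain plays the CA's part of the article: the private root CA signs an
// intermediate, which signs the server certificate for serverName.
func BuildChain(serverName string) Chain {
	now := time.Now()
	caTmpl := func(cn string, serial int64) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
			IsCA: true, BasicConstraintsValid: true,
			KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		}
	}
	root, rootKey := issue(caTmpl("Example Private Root CA", 1), nil, nil)
	inter, interKey := issue(caTmpl("Example Private Intermediate CA", 2), root, rootKey)
	server, _ := issue(&x509.Certificate{
		SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: serverName},
		DNSNames:  []string{serverName}, // host name checks use the SAN, not the CN
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, inter, interKey)
	return Chain{Root: root, Intermediate: inter, Server: server}
}

// VerifyServer is the client side: build a path from the server certificate
// to one of the root certs the app ships with, via any intermediates the
// server presented. An empty root set, i.e. an app that was never given the
// private CA certificate, reproduces the failure shown in Figure 1.
func VerifyServer(server *x509.Certificate, roots, intermediates []*x509.Certificate, serverName string) error {
	rootPool, interPool := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range roots {
		rootPool.AddCert(c)
	}
	for _, c := range intermediates {
		interPool.AddCert(c)
	}
	_, err := server.Verify(x509.VerifyOptions{Roots: rootPool, Intermediates: interPool, DNSName: serverName})
	return err
}

// IsUnknownAuthority separates "the device cannot validate the private CA"
// from other failures such as an expired cert or a host name mismatch.
func IsUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

func main() {
	host := "intranet.example.internal" // constructed host name
	ch := BuildChain(host)
	trusted := []*x509.Certificate{ch.Root}
	fmt.Println("app with private root:", VerifyServer(ch.Server, trusted, []*x509.Certificate{ch.Intermediate}, host))
	err := VerifyServer(ch.Server, nil, []*x509.Certificate{ch.Intermediate}, host)
	fmt.Println("app without private root:", err, "| unknown authority:", IsUnknownAuthority(err))
}
```

Two points worth noting when you assemble the zip: the intermediate must be present for the path to build, so leaving it out fails just as surely as omitting the root, and a trust store check is separate from the host name check, so a certificate issued for the wrong name still fails even when the private CA is trusted.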
How to Sign & Publish Secured Mobile Apps Built on Appdome
After successfully securing your app using Appdome, there are several available options to complete your project, depending on your app lifecycle or workflow. These include:
Thanks for visiting Appdome! Our mission is to secure every app on the planet by making mobile app security easy. We hope we’re living up to the mission with your project. If you don’t already have an account, you can sign up for free.