How to Block Mobile App Bots Using Private Certs & CAs

Security-conscious organizations use SSL so their applications can validate the authenticity of servers and use encryption to secure the communication. IT administrators can create and sign an SSL certificate using their private CA to allow managed devices and applications to validate and access authorized private servers.

This Knowledge Base article provides step-by-step instructions for using Appdome to add SSL Certificates which were signed by a Private CA to any Android and iOS mobile app. This enables security-conscious enterprises to provide their users secure mobile access to protected internal services.

About Using Private Server Certificates to Block Bots

The Appdome Private Server Certificates and Authorities feature makes it easy for apps to be loaded with private CA public certificates during Fusion and allow connections to private servers.

Appdome also allows you to Auto-Pin Trusted Domains, a feature that automatically downloads and pins all server certificates from connections that the app establishes, which is particularly helpful for testing purposes.

The Appdome technology adds the server certificates and relevant handling to the application automatically and encrypting them using a highly secure mechanism, with no manual development work at all. Using Appdome, there are no development or coding prerequisites. For example, there is no Appdome SDK, libraries, or plug-ins to implement. Likewise, there are no required infrastructure changes and no dependency on HTTP frameworks or any other networking library inside the application.

What is Needed for SSL to Work?

To get started with SSL, administrators submit their certificate signing requests (CSR) containing their contact, company, and server information, to a CA.
The CA validates this information and generates SSL certificates signed by the CA’s private certificate that are loaded onto the servers. Now any application that has the CA’s public certificate can validate the server and establish an encrypted connection between the app and the server.
In particular, SSL is used when you make HTTPS connections, such as from a web browser. IT administrators have a choice to use public or private CAs.

An advantage of using a public CA is that trusted root authority public CA certs come pre-installed on iOS, Android, and web browsers. Thus, any client can open an SSL connection to any server with a certificate from a trusted public CA. The disadvantage is that producing a trusted certificate from a public CA is costly and not always necessary.

Using a private CA doesn’t require the cost of a public CA certificate, but has the downside that clients accessing the servers would normally not accept connections to non-verified servers.  Normally, an attempt made by a mobile app to open a secure connection to a private server without a properly installed certificate will fail with an error like the one shown here.

This is because the mobile operating system cannot validate the authenticity of the private CA that signed the SSL certificate on the server.

Appdome allows you to get around the private CA problem by adding the self-signed certificates to the app during Fusion.

Learn the Easy Steps to Block Mobile App Bots Using Private Certs & CAs

Follow these step-by-step instructions to add Private Server Certificates and Authorities to Any Mobile App:

Upload a Mobile App to Your Account

Please follow these steps to add a mobile app to your Appdome account.
If you don’t have an Appdome account, click here to create an account.

Select the Build Tab. Note: a blue underline will appear showing the step is active
Beneath the Build Tab, you will find several service options. Select Access. Note: a blue highlight will appear showing the category is active.

To enable Certificate Pinning:

1. Open the Appdome Access Suite section
2. Click and expand Private Server Certificates and Authorities
3. Toggle Certificate Pinning on
4. Add your certificates zip file
5. Click Build My App

To enable Auto-Pin Trusted Domains:

1. 1. Open the Appdome Access Suite section
   2. Click and expand Private Server Certificates and Authorities
   3. Toggle Auto-Pin Trusted Domains on
   4. Click Build My App

Note: auto-pin is mutually exclusive to manually pinning certificates, selecting one will toggle the other off.

The certificate chain will be validated based on the certificates you specify during your Fusion.  The technology behind Build My App has two major elements – (1) a microservice architecture filled with 1000s of code sets needed for mobile integrations, and (2) an adaptive code generation engine that can recognize the development environment, frameworks and methods in each app and match the app to the relevant code-sets needed to add certificates and validate them, to the mobile app in seconds. For example, the technology for trusting specific private CAs inside an app, work that ordinarily a developer would need to do.

Congratulations! You now have a mobile app fully integrated with Private Server Certificates and Authorities.

Paul Levasseur