How to Block Mobile App Bots Using Private Certs & CAs

Security-conscious organizations use SSL so their applications can validate the authenticity of servers and use encryption to secure the communication. IT administrators can create and sign an SSL certificate using their private CA to allow managed devices and applications to validate and access authorized private servers.

This Knowledge Base article provides step-by-step instructions for using Appdome to add SSL Certificates which were signed by a Private CA to any Android and iOS mobile app. This enables security-conscious enterprises to provide their users secure mobile access to protected internal services.

About Using Private Server Certificates to Block Bots

The Appdome Private Server Certificates and Authorities feature makes it easy to load an app with the public certificates of a private CA during Fusion, so that the app can connect to private servers whose certificates that CA signed.

Appdome also allows you to Auto-Pin Trusted Domains, a feature that automatically downloads and pins all server certificates from connections that the app establishes, which is particularly helpful for testing purposes.

The Appdome technology adds the server certificates and the relevant handling to the application automatically and encrypts them using a highly secure mechanism, with no manual development work at all. Using Appdome, there are no development or coding prerequisites. For example, there is no Appdome SDK, library, or plug-in to implement. Likewise, there are no required infrastructure changes and no dependency on HTTP frameworks or any other networking library inside the application.

What is Needed for SSL to Work?

To get started with SSL, administrators submit certificate signing requests (CSRs), containing their contact, company, and server information, to a CA.
The CA validates this information and generates SSL certificates, signed by the CA, that are loaded onto the servers. Any application that has the CA’s public certificate can then validate the server and establish an encrypted connection between the app and the server.
In particular, SSL is used whenever you make HTTPS connections, such as from a web browser. IT administrators have a choice between public and private CAs.

An advantage of using a public CA is that trusted root authority public CA certs come pre-installed on iOS, Android, and web browsers. Thus, any client can open an SSL connection to any server with a certificate from a trusted public CA. The disadvantage is that producing a trusted certificate from a public CA is costly and not always necessary.

Using a private CA avoids the cost of a public CA certificate, but has the downside that clients would normally refuse connections to servers they cannot verify. An attempt by a mobile app to open a secure connection to a private server without a properly installed certificate will therefore fail with an error like the one shown here.

[Image: SSL error AUTH-ERROR]
Figure 1: Example of an SSL error on a mobile device

This is because the mobile operating system cannot validate the authenticity of the private CA that signed the SSL certificate on the server.

Appdome allows you to get around the private CA problem by adding the self-signed certificates to the app during Fusion.

Learn the Easy Steps to Block Mobile App Bots Using Private Certs & CAs

Follow these step-by-step instructions to add Private Server Certificates and Authorities to Any Mobile App:

Upload a Mobile App to Your Account

Please follow these steps to add a mobile app to your Appdome account.
If you don’t have an Appdome account, click here to create an account.

Select the Build Tab. Note: a blue underline will appear showing the step is active.
Beneath the Build Tab, you will find several service options. Select Access. Note: a blue highlight will appear showing the category is active.

To enable Certificate Pinning:

  1. Open the Appdome Access Suite section
  2. Click and expand Private Server Certificates and Authorities
  3. Toggle Certificate Pinning on
  4. Add your certificates zip file
  5. Click Build My App

Private Server Certificates

To enable Auto-Pin Trusted Domains:

  1. Open the Appdome Access Suite section
  2. Click and expand Private Server Certificates and Authorities
  3. Toggle Auto-Pin Trusted Domains on
  4. Click Build My App

Note: Auto-Pin Trusted Domains is mutually exclusive with manually pinned certificates; turning one on toggles the other off.

Private Server Certificates and CAs

The certificate chain will be validated against the certificates you specify during your Fusion. The technology behind Build My App has two major elements: (1) a microservice architecture holding thousands of code sets needed for mobile integrations, and (2) an adaptive code generation engine that recognizes the development environment, frameworks and methods used in each app and matches the app to the code sets needed to add the certificates and validate them, all within seconds. One example is the code for trusting specific private CAs inside an app, work that a developer would ordinarily need to do by hand.

Congratulations! You now have a mobile app fully integrated with Private Server Certificates and Authorities.


Prerequisites for using Appdome Private Server Certificates and Authorities

In order to use Appdome’s no code implementation of Private Server Certificates and Authorities on Appdome, you’ll need:

  • Appdome account
  • Mobile App (.ipa for iOS, or .apk or .aab for Android)
  • Public certificate of the Private CA, including any Intermediate CA certs if used, and the privately signed SSL certificate that is loaded to the destination server in DER format. These are typically .cer or .crt files (not .pem which are in BASE 64 format).
  • Add these to a zip file and give it a name of your choice like Private-Certs-DER.zip and note the location. This zip file will be uploaded to Appdome in following steps.
    Note: The zip file can contain multiple CA and SSL server certs.  
  • Signing Credentials (e.g., signing certificates and provisioning profile)
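The prerequisites above require DER-encoded certificates, and the fused app later validates the server certificate against the chain you upload. The following POSIX shell helpers are an added example, not Appdome tooling: they classify each file as PEM or DER by its leading bytes, convert PEM to DER with openssl, flag anything that is not DER before you zip it, and run a chain check on the PEM originals. All file names are placeholders.

```shell
#!/bin/sh
# Added example, not Appdome's own tooling: check that every certificate bound
# for the upload zip is DER (.cer/.crt), convert PEM with openssl if needed,
# and sanity-check the server cert chain before uploading.
set -u

# Classify a certificate file by its leading bytes: PEM is Base64 text that
# starts with "-----BEGIN"; DER starts with the ASN.1 SEQUENCE tag byte 0x30.
cert_format() {
  if head -c 10 "$1" | LC_ALL=C grep -q -- '-----BEGIN'; then
    echo PEM
  elif [ "$(head -c 1 "$1" | od -An -tx1 | tr -d ' \n')" = "30" ]; then
    echo DER
  else
    echo UNKNOWN
  fi
}

# Write a DER copy of a certificate. Usage: to_der input output.cer
to_der() {
  case "$(cert_format "$1")" in
    PEM) openssl x509 -in "$1" -outform DER -out "$2" ;;
    DER) cp "$1" "$2" ;;
    *)   echo "unrecognised certificate format: $1" >&2; return 1 ;;
  esac
}

# Report every non-DER file in a directory; returns 1 if any were found.
# Usage: check_bundle_dir dir
check_bundle_dir() {
  bad=0
  for f in "$1"/*; do
    [ -f "$f" ] || continue
    fmt=$(cert_format "$f")
    if [ "$fmt" != "DER" ]; then
      echo "$f is $fmt, expected DER (convert with: to_der $f ${f%.*}.cer)" >&2
      bad=1
    fi
  done
  return "$bad"
}

# Pre-upload check on the PEM originals: the server cert must chain to the
# private root through any intermediates, or the fused app cannot validate it.
# Usage: verify_chain root-ca.pem server.pem [intermediate.pem ...]
verify_chain() {
  root=$1; server=$2; shift 2
  untrusted=""
  for ca in "$@"; do untrusted="$untrusted -untrusted $ca"; done
  openssl verify -CAfile "$root" $untrusted "$server"   # splitting intended
}
```

A typical run is to_der on each PEM into an empty directory, check_bundle_dir on that directory, then zipping its .cer files as Private-Certs-DER.zip for upload.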

How to Sign & Publish Secured Mobile Apps Built on Appdome  

After successfully securing your app using Appdome, there are several available options to complete your project, depending on your app lifecycle or workflow. These include 

Or, see this quick reference Releasing Secured Android & iOS Apps built on Appdome. 

How to Learn More

Check out the full menu of features in the Appdome Mobile Security Suite

If you have any questions, please send them our way at support@appdome.com or via the chat window on the Appdome platform.

Or request a demo at any time.

Thank you!

Thanks for visiting Appdome! Our mission is to secure every app on the planet by making mobile app security easy. We hope we’re living up to the mission with your project. If you don’t already have an account, you can sign up for free.

Paul Levasseur
