Preventing MitM Attacks on iOS and Android Apps Has Never Been Easier!

I’m very excited to share with you the new and improved Secure Communication offering from Appdome! Preventing MitM attacks has never been easier.

Appdome’s Secure Communication was designed to make coding the logic and methods needed to create secure mobile app connections quick and easy. Now, with enhanced features and a new layout, it’s never been easier to ensure that all mobile app connections are safe and protected from Man-in-the-Middle (MitM) attacks, malicious proxies, certificate pinning bypass and more.

Why Preventing MitM Attacks Is Important to Secure Mobile Apps and Connections

Mobile apps connect to all sorts of external services. They connect to their host server to authenticate users, to download content, to connect to other mobile resources, and more. Mobile apps also connect to third-party services embedded in the app, such as payment providers, analytics vendors, location services, and more. As a mobile app connects with the outside world, hackers and malicious parties can intercept and spy on each connection, exploit unprotected connections to steal data, compromise the app, and destroy the user experience and your brand. Preventing MitM attacks is a very important part of ensuring secure connections and delivering a layered security defense. In fact, OWASP, a leading nonprofit foundation that works to improve the security of software, lists insecure communication as one of its OWASP Mobile Top 10 risks.

Top 3 Ways to Prevent MitM Attacks on Mobile Apps

Following are the top 3 ways to prevent MitM attacks without coding:

  1. Secure the Mobile Connection
  2. Certificate Pinning
  3. Validate the Mobile Client to protect against malicious bots and other automated programs

I’ll explain how Appdome addressed each of these key areas below.

Appdome Secure Communications: Preventing MitM attacks on mobile apps

With Appdome’s Secure Communication, developers and security teams can provide 360° protection for all mobile app connections:

Secure the Mobile Connection by Preventing MitM Attacks

Appdome MitM Attack Prevention prevents attackers from gaining control over the session before the TLS handshake completes. When an application initiates a handshake with the server, Appdome inspects the traffic to validate the integrity and authenticity of certificates, CAs, session state information, and more. This inspection occurs before a would-be attacker can take control over the session or insert an altered certificate as part of the initial handshake. If Appdome detects that any element of the encryption model, session, or certificate has been modified or compromised, the session is denied, so the MitM attack is stopped before the attacker can gain control over the session.

MitM Prevention

Validates the authenticity of the SSL certificate used by the destination server. Protects the app from connecting to untrusted, unknown, or malicious destinations or websites.

Malicious Proxy Detection

Detects and prevents connections to unknown, untrusted or malicious proxies or other intermediary devices.

Prohibit Stale Sessions

Prevents unauthorized reuse of stale or expired Sessions and SessionID reclaiming.

Trust World Wide Public CAs

Validates the certificates of OEM public CAs to ensure that they have not been compromised or altered.


Appdome also offers the following optional Session Control features to prevent MitM attacks:

Enforce Cipher Suites

Ensures that only secure or trusted cipher suites are used before allowing TLS sessions to be established with the mobile app.

Enforce TLS Version

Ensures that only secure and up-to-date versions of TLS are used when the mobile app establishes a TLS session.

Secure Certificate Pinning

Appdome’s Secure Certificate Pinning prevents mobile apps from connecting to compromised servers or endpoints. It encrypts and securely stores the certificate(s) of known trusted servers in the app and validates the certificate before the connection is established. If there is a certificate mismatch, the session is denied or dropped.

Appdome enables developers to verify and pin certificates for specific domains using different methods. Each Service Domain can be configured with * as a wildcard value to cover multiple domains.

Below are the Certificate Pinning Schemes that can be configured using Appdome.

Secure Certificate Pinning Profiles

Appdome offers the following 3 mutually exclusive options (pinning profiles) to implement Secure Certificate Pinning in any iOS or Android app:

  • Chain Evaluation – allows uploading individual certificate files in either PEM or DER format, or multiple files in a single ZIP. These certificates are treated as CA certificates and replace the default predefined CA certificates for the specific domain. Appdome pins these trusted CA certificates to the app and uses them for session validation to the specified domain.
  • Strict Evaluation – allows uploading individual certificate files in either PEM or DER format, or multiple files in a single ZIP. These certificates are used to enforce full certificate pinning, with multiple certificates, on all sessions. This means that any leaf certificate in a chain received from a server for the specific domain must match one of the given certificates in order to pass verification.
  • No Pinning – certificate chains received for the specific domain are not verified by Appdome; verification falls back to the OS’s default process.


Appdome offers the following optional Pinning Control features with Secure Certificate Pinning:

Enforce Certificate Roles

Enforces that network connections verify the basicConstraints extension in the certificate chain.

Enforce Strong RSA Signature

Enforces server certificate signatures to use a Rivest-Shamir-Adleman (RSA) key with a length of at least 2048 bits.

Enforce Strong ECC Signature

Enforces server certificate signatures to use an Elliptic-Curve Cryptography (ECC) key with a size of at least 256 bits.

Enforce SHA256 Digest

Enforces server certificate signatures to use a SHA256 or stronger hashing algorithm.
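The two evaluation profiles above (Chain Evaluation, where uploaded CA certificates replace the platform trust store for a domain, and Strict Evaluation, where the leaf must match a pinned value) and the four Pinning Control checks can be expressed as plain certificate-chain logic. The Go program below is an added illustration of those checks written for this page; it is not Appdome's code and does not show how the product implements them. It builds a constructed test PKI in memory (an ECDSA P-256 root, a compliant RSA-2048 leaf, and a deliberately non-compliant leaf with a 1024-bit key that also claims to be a CA), then runs each profile and control against it. The interpretation of "Enforce Certificate Roles" as "issuers must assert CA in basicConstraints and the leaf must not" and the SPKI-hash form of the strict pin are this example's assumptions, as are the host names.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// makeCert issues an in-memory test certificate for cn; a nil parent means self-signed.
func makeCert(cn string, key crypto.Signer, isCA bool, parent *x509.Certificate, parentKey crypto.Signer) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, // always emit basicConstraints so the role check has data
		IsCA: isCA, DNSNames: []string{cn},
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, key.Public(), parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced one line above always parses
	return cert
}

// spkiPin is the SHA-256 of the SubjectPublicKeyInfo, the form most pin lists store.
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// strictEvaluate: the leaf presented for the domain must match one of the pinned values.
func strictEvaluate(leaf *x509.Certificate, pins map[string]bool) bool {
	return pins[spkiPin(leaf)]
}

// chainEvaluate: the uploaded CA replaces the platform trust store for the domain, so the
// leaf must chain to it for that host (intermediates sent by a server would go in Intermediates).
func chainEvaluate(leaf, trustedCA *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// pinningControls applies the four Pinning Control checks to a chain (leaf first) and
// returns the controls that failed; an empty result means the chain passed them all.
func pinningControls(chain []*x509.Certificate) []string {
	var failed []string
	for i, c := range chain {
		cn := c.Subject.CommonName
		// Enforce Certificate Roles: issuers must assert CA in basicConstraints, the leaf must not.
		if !c.BasicConstraintsValid || c.IsCA != (i > 0) {
			failed = append(failed, "certificate roles: "+cn)
		}
		// Enforce Strong RSA / ECC Signature: minimum key size for every key in the chain;
		// the page names only RSA and ECC, so any other key type is rejected as well.
		rsaKey, isRSA := c.PublicKey.(*rsa.PublicKey)
		ecKey, isEC := c.PublicKey.(*ecdsa.PublicKey)
		if (isRSA && rsaKey.N.BitLen() < 2048) || (isEC && ecKey.Curve.Params().BitSize < 256) || !(isRSA || isEC) {
			failed = append(failed, "strong RSA/ECC: "+cn)
		}
		// Enforce SHA256 Digest: the signature over this certificate must use SHA-256 or stronger.
		switch c.SignatureAlgorithm {
		case x509.SHA256WithRSA, x509.SHA384WithRSA, x509.SHA512WithRSA, x509.SHA256WithRSAPSS,
			x509.SHA384WithRSAPSS, x509.SHA512WithRSAPSS, x509.ECDSAWithSHA256, x509.ECDSAWithSHA384, x509.ECDSAWithSHA512:
		default:
			failed = append(failed, "SHA256 digest: "+cn)
		}
	}
	return failed
}

// demoChains builds a constructed test PKI: an ECDSA P-256 root, a compliant RSA-2048 leaf,
// and a non-compliant leaf (1024-bit RSA key that also wrongly claims to be a CA).
func demoChains() (good, bad []*x509.Certificate) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	ca := makeCert("root-ca.example.test", caKey, true, nil, nil)
	goodKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	badKey, _ := rsa.GenerateKey(rand.Reader, 1024)
	good = []*x509.Certificate{makeCert("api.example.test", goodKey, false, ca, caKey), ca}
	bad = []*x509.Certificate{makeCert("api.example.test", badKey, true, ca, caKey), ca}
	return good, bad
}

func main() {
	good, bad := demoChains()
	fmt.Println("failed controls, good chain:", pinningControls(good), "bad chain:", pinningControls(bad))
	fmt.Println("strict pin accepts bad leaf:", strictEvaluate(bad[0], map[string]bool{spkiPin(good[0]): true}))
	fmt.Println("chain evaluation of good leaf:", chainEvaluate(good[0], good[1], "api.example.test"))
}
```

The compliant chain passes every control, the non-compliant leaf fails the role and key-size checks, the strict pin rejects it because its public key differs from the pinned one, and chain evaluation rejects the compliant leaf as soon as the host name or the trust anchor is changed. Pinning the SubjectPublicKeyInfo rather than the whole certificate is what lets a server rotate its certificate without breaking the app, as long as it keeps the same key.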

Validate the Mobile Client to Protect Against Malicious Bots

Appdome Bot Defense protects the mobile backend by preventing compromised mobile clients or endpoints from connecting to enterprise resources or servers.

Mobile Client Certificates

Pins a static client certificate to the mobile app to validate client connections to a protected server or gateway. This protects the backend servers and infrastructure against connections originating from compromised endpoints or malicious bots.

Shared Secret

Specify a secret that will be included in every URL request made by the mobile application. This secret can be verified by the server to identify and only allow connections from trusted/valid applications.

URL Whitelisting

Ensure that the Appdome-secured app can only connect to a trusted set of destinations or hosts specified in a whitelist.
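The Shared Secret and URL Whitelisting features above both come down to a check on each outgoing request: the destination must be on the allowed list, and the request must carry a value the backend can verify. The Go program below is an added example written for this page, not Appdome's code; it shows a client-side allowlist with the "*" wildcard for sub-domains and a server-side constant-time comparison of the secret. The header name, the exact wildcard semantics, the host names and the secret value are all this example's assumptions, since the page does not say where the secret travels in the request.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// sharedSecretHeader is an assumed carrier for the shared secret; the page only says
// the secret is included in every request, not where it travels.
const sharedSecretHeader = "X-App-Secret"

// hostAllowed reports whether host matches an entry of the whitelist. An entry of the
// form "*.example.test" covers every sub-domain of example.test (the page's "*" wildcard).
func hostAllowed(host string, whitelist []string) bool {
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	for _, entry := range whitelist {
		entry = strings.ToLower(entry)
		if strings.HasPrefix(entry, "*.") {
			if strings.HasSuffix(host, entry[1:]) { // entry[1:] keeps the leading dot
				return true
			}
		} else if host == entry {
			return true
		}
	}
	return false
}

// buildRequest is the client side: refuse any destination outside the whitelist or
// not using TLS, then attach the shared secret so the backend can recognise the app.
func buildRequest(rawURL string, whitelist []string, secret string) (*http.Request, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "https" {
		return nil, fmt.Errorf("refusing non-TLS URL %q", rawURL)
	}
	if !hostAllowed(u.Hostname(), whitelist) {
		return nil, fmt.Errorf("host %q is not whitelisted", u.Hostname())
	}
	req, err := http.NewRequest(http.MethodGet, rawURL, nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set(sharedSecretHeader, secret)
	return req, nil
}

// secretValid is the server (or gateway) side: compare in constant time so response
// timing does not reveal how many leading bytes of a guessed value were right.
func secretValid(r *http.Request, expected string) bool {
	got := r.Header.Get(sharedSecretHeader)
	return subtle.ConstantTimeCompare([]byte(got), []byte(expected)) == 1
}

func main() {
	whitelist := []string{"api.example.test", "*.cdn.example.test"} // constructed sample
	for _, target := range []string{
		"https://api.example.test/v1/login",
		"https://img.cdn.example.test/logo.png",
		"https://api.example.test.attacker.test/v1/login",
		"http://api.example.test/v1/login",
	} {
		req, err := buildRequest(target, whitelist, "constructed-demo-secret")
		if err != nil {
			fmt.Println("blocked:", err)
			continue
		}
		fmt.Println("sent:", req.URL, "server accepts:", secretValid(req, "constructed-demo-secret"))
	}
}
```

Note that the wildcard matches on a dot boundary, so a look-alike host such as `api.example.test.attacker.test` is rejected, and that a secret embedded in the app is only as private as the binary that carries it, which is why the post pairs these features with the anti-tampering and anti-reversing protection described later.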


Appdome Secure Communication Protects Against These MitM Attacks

Protecting mobile connections is a critical part of a safe and secure mobile app experience for all users. Guarding the connections allows developers and security teams to prevent the following top MitM attacks and threats to mobile businesses and users: phishing attacks, MitM attacks, malicious proxies, fake/forged/fraudulent certificates, session hijacking, SSL stripping, Evil Twin attacks and overlay attacks. It also blocks MitM toolkits such as Charles Proxy, Burp Suite, Nmap, mitmproxy, Wireshark, Metasploit and more.

Each one of the features in Secure Communication is shielded and hardened by Appdome’s ONEShield™, Appdome’s no-code app shielding and hardening solution, which includes Anti-Tampering, Anti-Debugging, and Anti-Reversing protection. And most importantly, all the features in Secure Communication require no development.

If you want more information on preventing MitM attacks on your mobile app, please download the datasheet.

I look forward to hearing about your experiences and to working with you to protect all your mobile users, together!

No coding required, of course.

Avita: Making your security project a success!