I’m very excited to share with you the new and improved Secure Communication offering from Appdome! Preventing MitM attacks has never been easier.
Appdome’s Secure Communication was designed to make coding the logic and methods needed to create secure mobile app connections quick and easy. Now, with enhanced features and a new layout, it’s never been easier to ensure that all mobile app connections are safe and protected from Man-in-the-Middle (MitM) attacks, malicious proxies, certificate pinning bypass and more.
Why Preventing MitM Attacks Is Important to Secure Mobile Apps and Connections
Mobile apps connect to all sorts of external services. They connect to their host server to authenticate users, to download content, to connect to other mobile resources, and more. Mobile apps also connect to 3rd party services embedded in the app, such as payment providers, analytics vendors, location services, and more. As a mobile app connects with the outside world, hackers and malicious parties can intercept and spy on each connection, exploit unprotected connections to steal data, compromise the app, and destroy the user experience and your brand. Preventing MitM attacks is a very important part of ensuring secure connections and delivering a layered security defense. In fact, OWASP, a leading nonprofit foundation that works to improve the security of software, lists insecure communication as one of its OWASP Mobile Top 10 risks.
Top 3 Ways to Prevent MitM Attacks on Mobile apps
Following are the top 3 ways to prevent MitM attacks without coding:
- Secure the Mobile Connection
- Certificate Pinning
- Validate the Mobile client to protect against Malicious Bots and other automated programs
I’ll explain how Appdome addressed each of these key areas below.
With Appdome’s Secure Communication, developers and security teams can provide 360° protection for all mobile app connections:
Secure the Mobile Connection by Preventing MitM Attacks
Appdome MitM Attack Prevention stops an attacker from taking control of a session before the TLS handshake completes. When the app initiates a handshake with the server, Appdome validates the integrity and authenticity of the server certificate, the issuing CAs and the session state before the handshake is allowed to finish, i.e. before a would-be attacker can take over the session or substitute an altered certificate during the initial exchange. If any element of the encryption model, session or certificate has been modified or compromised, the session is denied, so the MitM attack is stopped before the attacker gains control.
Validates the authenticity of the TLS certificate presented by the destination server, so the app does not connect to untrusted, unknown or malicious destinations or websites.
Malicious Proxy Detection
Detects and prevents connections to unknown, untrusted or malicious proxies or other intermediary devices.
Prohibit Stale Sessions
Prevents unauthorized reuse of stale or expired sessions and session ID reclaiming.
Trust World Wide Public CAs
Validates certificates that chain to the public CAs shipped in the device’s (OEM) trust store, to ensure that those CA certificates have not been compromised or altered.
Appdome also offers the following optional Session Control features to prevent MitM attacks:
Enforce Cipher Suites
Ensures that only secure, trusted cipher suites are negotiated before a TLS session is allowed to be established with the mobile app.
Enforce TLS Version
Ensures that only secure, up-to-date versions of TLS are used when the mobile app establishes a TLS session.
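As an added example of what “Enforce TLS Version” and “Enforce Cipher Suites” amount to in practice (my own code, not Appdome’s implementation), here is one policy expressed twice in Go: once as a client configuration that refuses to negotiate anything below the policy, and once as a post-handshake check over the parameters that were actually negotiated, which is the shape a session-inspection hook takes when the app’s networking stack cannot be configured directly. The handshake results fed to it are constructed, and the domain name is a placeholder.

```go
package main

import (
	"crypto/tls"
	"fmt"
)

// Policy is one domain's Session Control: the lowest TLS version and the cipher suites the app may
// negotiate (keyed by the IANA suite ID that crypto/tls uses).
type Policy struct {
	MinVersion uint16
	Suites     map[uint16]bool
}

// DefaultPolicy allows TLS 1.2 or later with ECDHE key exchange and AEAD ciphers only. The TLS 1.3
// suites are listed for Enforce; crypto/tls does not let a Config restrict them, and all are AEAD.
func DefaultPolicy() Policy {
	ids := []uint16{
		tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
		tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
		tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
		tls.TLS_AES_128_GCM_SHA256, tls.TLS_AES_256_GCM_SHA384, tls.TLS_CHACHA20_POLY1305_SHA256,
	}
	p := Policy{MinVersion: tls.VersionTLS12, Suites: map[uint16]bool{}}
	for _, id := range ids {
		p.Suites[id] = true
	}
	return p
}

// ClientConfig enforces the policy up front: a server that offers only TLS 1.0/1.1 or a legacy suite
// cannot complete the handshake. Only the TLS 1.2 suites go into the Config (see DefaultPolicy).
func (p Policy) ClientConfig(serverName string) *tls.Config {
	var suites []uint16
	for _, cs := range tls.CipherSuites() {
		for _, v := range cs.SupportedVersions {
			if v == tls.VersionTLS12 && p.Suites[cs.ID] {
				suites = append(suites, cs.ID)
				break
			}
		}
	}
	return &tls.Config{ServerName: serverName, MinVersion: p.MinVersion, CipherSuites: suites}
}

// Enforce is the post-handshake gate for a connection whose config the app did not control: it
// inspects what was actually negotiated and drops the session if it falls below the policy.
func (p Policy) Enforce(cs tls.ConnectionState) error {
	if cs.Version < p.MinVersion {
		return fmt.Errorf("negotiated TLS version 0x%04x, policy requires at least 0x%04x", cs.Version, p.MinVersion)
	}
	if !p.Suites[cs.CipherSuite] {
		return fmt.Errorf("cipher suite %s is not allowed", tls.CipherSuiteName(cs.CipherSuite))
	}
	return nil
}

func main() {
	p := DefaultPolicy()
	// Constructed handshake results, as a session-inspection hook would see them.
	fmt.Println(p.Enforce(tls.ConnectionState{Version: tls.VersionTLS10, CipherSuite: tls.TLS_RSA_WITH_RC4_128_SHA}))
	fmt.Println(p.Enforce(tls.ConnectionState{Version: tls.VersionTLS12, CipherSuite: tls.TLS_RSA_WITH_AES_128_CBC_SHA}))
	fmt.Println(p.Enforce(tls.ConnectionState{Version: tls.VersionTLS13, CipherSuite: tls.TLS_AES_128_GCM_SHA256}))
	fmt.Println(len(p.ClientConfig("api.example.com").CipherSuites), "TLS 1.2 suites configured")
}
```

The first two constructed handshakes fail (TLS 1.0 with RC4; TLS 1.2 with an RSA-key-exchange CBC suite), the TLS 1.3 one passes, and the client config carries exactly the six ECDHE AEAD suites. Doing the check up front in the config is preferable; the post-handshake gate is the fallback for stacks you do not own.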
Secure Certificate Pinning
Appdome’s Secure Certiﬁcate Pinning prevents mobile apps from connecting to compromised servers or endpoints. It encrypts and securely stores the certiﬁcate(s) of known trusted servers in the app and validates the certiﬁcate before the connection is established. If there is a certiﬁcate mismatch, the session is denied or dropped.
Appdome lets developers verify and pin certificates for specific domains using different methods. Each Service Domain can be configured with * as a wildcard to cover multiple hostnames.
Below are the Certificate Pinning Schemes that can be configured using Appdome.
Secure Certificate Pinning Profiles
Appdome offers the following 3 mutually exclusive options (pinning profiles) to implement Secure Certificate Pinning in any iOS or Android app:
- Chain Evaluation – upload individual certificate files in PEM or DER format, or multiple files in a single ZIP. These certificates are treated as CA certificates and replace the default predefined CA certificates for the specified domain.
Appdome pins these trusted CA certificates into the app and uses them to validate every session to that domain, so a server certificate is accepted only if it chains to one of them.
- Strict Evaluation – upload individual certificate files in PEM or DER format, or multiple files in a single ZIP. These certificates form a full certificate pin set applied to all sessions: the leaf certificate in the chain received from a server for the specified domain must match one of the uploaded certificates in order to pass verification.
- No Pinning – certificate chains received for the specified domain are not verified against a pin set but fall back to the OS’s default verification process.
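To make the difference between the three profiles concrete, here is an added Go example (mine, not Appdome’s implementation) that builds a throwaway backend CA with a current and a rotated leaf certificate, plus a second CA standing in for an interception proxy whose certificate the user has installed into the device trust store, and then evaluates each leaf under each profile. Every certificate, CA name and the domain api.example.com are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Profile is the pinning profile configured for one Service Domain.
type Profile int

const (
	NoPinning        Profile = iota // fall back to the OS trust store
	ChainEvaluation                 // uploaded certs replace the trust store for this domain
	StrictEvaluation                // the leaf the server presents must be one of the uploaded certs
)

// Evaluate applies a profile to the non-empty chain the server sent (chain[0] is the leaf). deviceStore
// stands in for the OS trust store, which may hold a CA the user installed for an interception proxy.
func Evaluate(p Profile, pins, chain []*x509.Certificate, deviceStore *x509.CertPool, domain string) error {
	roots := deviceStore
	switch p {
	case ChainEvaluation: // the uploaded certs become the only CAs trusted for this domain
		roots = x509.NewCertPool()
		for _, c := range pins {
			roots.AddCert(c)
		}
	case StrictEvaluation: // exact leaf match; the pinned leaf itself is the trust anchor
		if err := chain[0].VerifyHostname(domain); err != nil {
			return err
		}
		want := sha256.Sum256(chain[0].Raw)
		for _, c := range pins {
			if sha256.Sum256(c.Raw) == want {
				return nil
			}
		}
		return fmt.Errorf("leaf %x... is not in the pin set", want[:8])
	}
	inter := x509.NewCertPool()
	for _, c := range chain[1:] {
		inter.AddCert(c)
	}
	// Verify also enforces basicConstraints (cA=TRUE) on every intermediate it walks.
	_, err := chain[0].Verify(x509.VerifyOptions{DNSName: domain, Roots: roots, Intermediates: inter})
	return err
}

// newCert issues a constructed test certificate; a nil parent means self-signed (a root CA).
func newCert(cn string, ca bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: ca, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if ca {
		tmpl.KeyUsage = x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames, tmpl.ExtKeyUsage = []string{cn}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil { panic(err) }
	cert, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return cert, key
}

// Scenario is all constructed: backend CA, its current and rotated leaf, a proxy-issued leaf, and a device store that trusts the proxy CA.
type Scenario struct {
	BackendCA, Leaf, RotatedLeaf, ProxyLeaf *x509.Certificate
	DeviceStore                             *x509.CertPool
}

func BuildScenario() Scenario {
	ca, caKey := newCert("Example Backend Root", true, nil, nil)
	leaf, _ := newCert("api.example.com", false, ca, caKey)
	rotated, _ := newCert("api.example.com", false, ca, caKey)
	proxyCA, proxyKey := newCert("Intercepting Proxy CA", true, nil, nil)
	proxyLeaf, _ := newCert("api.example.com", false, proxyCA, proxyKey)
	store := x509.NewCertPool()
	store.AddCert(ca)
	store.AddCert(proxyCA) // the OS now trusts the proxy, so No Pinning lets it through
	return Scenario{ca, leaf, rotated, proxyLeaf, store}
}

func main() { // strict pinning rejects a rotated leaf even though it chains to the same CA
	s := BuildScenario()
	fmt.Println(Evaluate(StrictEvaluation, []*x509.Certificate{s.Leaf}, []*x509.Certificate{s.RotatedLeaf}, s.DeviceStore, "api.example.com"))
}
```

Run the three leaves through the three profiles and the trade-off shows itself: No Pinning accepts the proxy’s certificate as soon as its CA sits in the device store, which is exactly how Charles or Burp get installed on a test phone; Chain Evaluation rejects the proxy but survives a leaf rotation at the backend; Strict Evaluation rejects both the proxy and the rotated leaf, so it needs a pin update (or a pinned backup certificate) before every rotation.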
Appdome offers the following optional Pinning Control features with Secure Certificate Pinning:
Enforce Certiﬁcate Roles
Requires the app to verify the ‘basicConstraints’ extension in the certificate chain, so that only certificates marked as CAs (cA=TRUE) are accepted as issuers and an ordinary server certificate can never be used to sign another.
Enforce Strong RSA Signature
Enforces server certiﬁcate signatures to use a Rivest-Shamir-Adleman (RSA) key with a length of at least 2048 bits.
Enforce Strong ECC Signature
Enforces server certificate signatures to use an Elliptic-Curve Cryptography (ECC) key of at least 256 bits.
Enforce SHA256 Digest
Enforces server certificate signatures to use a digest of SHA-256 or stronger.
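The four Pinning Controls reduce to a handful of checks on certificate fields. Here they are as an added Go example (mine, not Appdome’s code), applied to constructed certificate stand-ins that carry only the fields the checks read, so that a 1024-bit RSA key, a SHA-1 signature, a P-224 key and a leaf used as an issuer can each be shown failing.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
)

// CheckChainRoles is "Enforce Certificate Roles": every issuer in the chain (chain[1:]) must carry a
// basicConstraints extension with cA=TRUE, so an ordinary server certificate can never act as a signer.
func CheckChainRoles(chain []*x509.Certificate) error {
	for i := 1; i < len(chain); i++ {
		if c := chain[i]; !c.BasicConstraintsValid || !c.IsCA {
			return fmt.Errorf("chain[%d] %q is used as an issuer but is not a CA", i, c.Subject.CommonName)
		}
	}
	return nil
}

// CheckKeyStrength is the three strength controls on one certificate: an RSA key of at least 2048
// bits, an ECC key of at least 256 bits, and a signature digest of SHA-256 or stronger. Run it over
// every certificate in the chain so the issuing keys are covered as well as the leaf.
func CheckKeyStrength(c *x509.Certificate) error {
	switch pub := c.PublicKey.(type) {
	case *rsa.PublicKey:
		if pub.N.BitLen() < 2048 {
			return fmt.Errorf("RSA key too short: %d bits", pub.N.BitLen())
		}
	case *ecdsa.PublicKey:
		if pub.Curve.Params().BitSize < 256 {
			return fmt.Errorf("ECC key too short: %d bits", pub.Curve.Params().BitSize)
		}
	default:
		return fmt.Errorf("unsupported public key type %T", pub)
	}
	switch c.SignatureAlgorithm {
	case x509.SHA256WithRSA, x509.SHA384WithRSA, x509.SHA512WithRSA,
		x509.SHA256WithRSAPSS, x509.SHA384WithRSAPSS, x509.SHA512WithRSAPSS,
		x509.ECDSAWithSHA256, x509.ECDSAWithSHA384, x509.ECDSAWithSHA512:
		return nil
	}
	return fmt.Errorf("weak signature algorithm: %s", c.SignatureAlgorithm)
}

// Constructed stand-ins: only the fields the checks read are filled in, nothing is signed.
func rsaCert(bits int, alg x509.SignatureAlgorithm) *x509.Certificate {
	n := new(big.Int).Lsh(big.NewInt(1), uint(bits-1)) // smallest modulus with exactly `bits` bits
	return &x509.Certificate{PublicKey: &rsa.PublicKey{N: n, E: 65537}, SignatureAlgorithm: alg}
}

func eccCert(curve elliptic.Curve, alg x509.SignatureAlgorithm) *x509.Certificate {
	return &x509.Certificate{PublicKey: &ecdsa.PublicKey{Curve: curve}, SignatureAlgorithm: alg}
}

func main() {
	fmt.Println(CheckKeyStrength(rsaCert(1024, x509.SHA256WithRSA)))
	fmt.Println(CheckKeyStrength(rsaCert(2048, x509.SHA1WithRSA)))
	fmt.Println(CheckKeyStrength(eccCert(elliptic.P224(), x509.ECDSAWithSHA256)))
	fmt.Println(CheckKeyStrength(eccCert(elliptic.P256(), x509.ECDSAWithSHA256)))
	leaf := &x509.Certificate{Subject: pkix.Name{CommonName: "api.example.com"}}
	ca := &x509.Certificate{Subject: pkix.Name{CommonName: "Root"}, BasicConstraintsValid: true, IsCA: true}
	fmt.Println(CheckChainRoles([]*x509.Certificate{leaf, ca}), CheckChainRoles([]*x509.Certificate{leaf, leaf}))
}
```

Only the P-256 certificate and the leaf-under-a-real-CA chain pass; the other four inputs each trip exactly the control that the corresponding Appdome setting enforces.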
Validate the Mobile Client to Protect Against Malicious Bots
Appdome Bot Defense protects the mobile backend by preventing compromised mobile clients or endpoints from connecting to enterprise resources or servers.
Mobile Client Certiﬁcates
Pins a static client certiﬁcate to the mobile app to validate client connections to a protected server or gateway. This protects the backend servers and infrastructure against connections originating from compromised endpoints or malicious bots.
A secret can be specified that the mobile app includes in every HTTP request it makes. The server verifies this secret so that only connections from trusted, valid builds of the app are accepted.
Ensures that the Appdome-secured app can only connect to a trusted set of destinations or hosts specified in a whitelist.
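One way to implement the host whitelist, together with the * wildcard the Service Domain configuration uses, as an added Go example (mine, not Appdome’s): the host is taken from the parsed URL rather than matched as a substring, so the classic lookalikes (api.example.com.evil.net, or api.example.com@evil.net where the trusted name is really the userinfo) are rejected, and a plaintext http:// URL is refused since that is exactly what SSL stripping produces. The single-label wildcard semantics and the entries are assumptions for the example; the page does not define how * matches.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Allowlist is the trusted set of hosts an app may connect to. An entry may start with "*." to cover
// exactly one leading label, the way TLS hostname matching does (assumed semantics for the wildcard).
type Allowlist []string

// matchHost compares a host against one entry. Plain entries must match exactly; "*.example.com"
// matches api.example.com but neither example.com nor a.b.example.com.
func matchHost(pattern, host string) bool {
	pattern = strings.ToLower(pattern)
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	if !strings.HasPrefix(pattern, "*.") {
		return pattern == host
	}
	suffix := pattern[1:] // ".example.com"
	if !strings.HasSuffix(host, suffix) {
		return false
	}
	label := strings.TrimSuffix(host, suffix)
	return label != "" && !strings.Contains(label, ".")
}

// Allowed decides whether a request may leave the app: the scheme must be https and the URL's host
// (parsed, so "api.example.com.evil.net" and userinfo tricks do not pass) must match an entry.
func (a Allowlist) Allowed(rawURL string) error {
	u, err := url.Parse(rawURL)
	if err != nil {
		return err
	}
	if u.Scheme != "https" {
		return fmt.Errorf("scheme %q is not allowed", u.Scheme)
	}
	host := u.Hostname() // strips the port and any userinfo
	for _, p := range a {
		if matchHost(p, host) {
			return nil
		}
	}
	return fmt.Errorf("host %q is not in the allowlist", host)
}

func main() {
	list := Allowlist{"api.example.com", "*.cdn.example.com"} // constructed entries
	for _, u := range []string{
		"https://api.example.com/v1/login",
		"https://img.cdn.example.com/a.png",
		"https://api.example.com.evil.net/v1/login", // suffix trick
		"https://api.example.com@evil.net/",         // userinfo trick: the host is evil.net
		"http://api.example.com/v1/login",           // plaintext, as SSL stripping would produce
		"https://cdn.example.com/",                  // the wildcard needs exactly one label
	} {
		fmt.Printf("%-45s %v\n", u, list.Allowed(u))
	}
}
```

The first two URLs pass and the remaining four are refused, each for the reason in its comment.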
Appdome Secure Communication Protects Against These MitM Attacks
Protecting mobile connections is a critical part of a safe and secure mobile app experience for all users. Guarding the connections lets developers and security teams prevent the top MitM attacks and threats to mobile businesses and users: phishing, MitM attacks, malicious proxies, fake/forged/fraudulent certificates, session hijacking, SSL stripping, Evil Twin attacks and overlay attacks. It also blocks the interception and analysis tooling commonly used to mount them, such as Charles Proxy, Burp Suite, mitmproxy, Nmap, Wireshark, Metasploit and more.
Each one of the features in Secure Communication is shielded and hardened by Appdome’s ONEShield™, Appdome’s no-code app shielding and hardening solution, which includes Anti-Tampering, Anti-Debugging, and Anti-reversing protection. And most importantly, all the features in Secure Communication require no development.
If you want more information on preventing MitM attacks on your mobile app, please download the datasheet.
I look forward to hearing about your experiences and to working with you to protect all your mobile users, together!
No coding required, of course.