How to use SecureAPI™ for Certificate Validation
With the Trusted Session feature, Appdome performs certificate validation by verifying the authenticity of the SSL certificates received from the server against a predefined set of Certificate Authority (CA) certificates. This first occurs during the initial secure communication exchange (the SSL handshake).
SecureAPI™ allows the user to verify certificates for specific domains using different methods. Each Service Domain can be configured using * as a wildcard value to cover multiple domains.
The default behavior for a Service Domain in an app built on Appdome is to validate against the known CA certificates. These are the SecureAPI™ schemes that can be configured:
- Chain Evaluation – allows uploading individual certificate files in either PEM or DER format, or multiple files in a single ZIP. These certificates are treated as CA certificates and replace the default predefined CA certificates for the specific domain. Appdome pins these trusted CA certificates to the app and uses them for session validation to the specified domain.
- Strict Evaluation – allows uploading individual certificate files in either PEM or DER format, or multiple files in a single ZIP. These certificates are used to create full certificate pinning with multiple certificates on all sessions. This means that the leaf certificate of any chain received from a server for the specific domain must match one of the uploaded certificates in order to pass verification.
- No Pinning – certificate chains received for the specific domain are not verified by Appdome; the app falls back to the OS’s default verification process.
Appdome strives to allow users full flexibility while protecting their apps and performing certificate validations. When Protect Service Domains Only is enabled, Appdome applies Trusted Session protections and validation only to domains included in the Service Domain list. All other domains remain unprotected.
This option lets you enforce certificate validation on your own domains only, excluding secondary domains from the certificate validation process.
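The following model shows how the three schemes above and the Protect Service Domains Only option decide whether a server's certificate chain is accepted. It is an added illustration, not Appdome's code: certificates are stand-ins (subject, issuer, constructed bytes), "issued by" is modelled as an issuer-name match with no signature checking, the first matching Pinning Profile wins, and all class and function names are assumptions.

```python
"""Model of SecureAPI pinning-scheme semantics (added illustration, not Appdome code)."""
import hashlib
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional, Sequence


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    der: bytes  # constructed stand-in for the DER encoding

    @property
    def fingerprint(self) -> str:
        return hashlib.sha256(self.der).hexdigest()


@dataclass(frozen=True)
class PinningProfile:
    service_domain: str   # may use * as a wildcard, e.g. "*.example.com"
    scheme: str           # "chain", "strict" or "none"
    certs: tuple = ()     # the uploaded PEM/DER certificates


def chain_reaches_ca(chain: Sequence[Cert], cas: Sequence[Cert]) -> bool:
    """Chain Evaluation: accept if some cert in the chain is, or is issued by,
    one of the given CA certificates (real validators also verify signatures,
    validity periods and name constraints)."""
    ca_fps = {ca.fingerprint for ca in cas}
    ca_subjects = {ca.subject for ca in cas}
    return any(c.fingerprint in ca_fps or c.issuer in ca_subjects for c in chain)


def evaluate(chain: Sequence[Cert], profile: PinningProfile, os_trust_ok: bool) -> bool:
    """Apply one Pinning Profile to a chain whose first element is the leaf."""
    if profile.scheme == "strict":
        # Strict Evaluation: the leaf itself must be one of the uploaded certs.
        return chain[0].fingerprint in {c.fingerprint for c in profile.certs}
    if profile.scheme == "chain":
        # The uploaded certs replace the default CA set for this domain.
        return chain_reaches_ca(chain, profile.certs)
    if profile.scheme == "none":
        # No Pinning: defer to the OS's own verification result.
        return os_trust_ok
    raise ValueError(f"unknown scheme {profile.scheme!r}")


def find_profile(host: str, profiles: Sequence[PinningProfile]) -> Optional[PinningProfile]:
    """First Service Domain pattern that matches the host wins (assumption)."""
    return next((p for p in profiles if fnmatchcase(host, p.service_domain)), None)


def validate_session(host, chain, profiles, default_cas, protect_service_domains_only, os_trust_ok):
    profile = find_profile(host, profiles)
    if profile is not None:
        return evaluate(chain, profile, os_trust_ok)
    if protect_service_domains_only:
        # Host is not in the Service Domain list: left unprotected, OS default applies.
        return os_trust_ok
    # Default Trusted Session behaviour: validate against the predefined CA set.
    return chain_reaches_ca(chain, default_cas)


# ---- constructed sample data (not real certificates) ----
PUBLIC_CA = Cert("Public Root CA", "Public Root CA", b"public-root")
PRIVATE_CA = Cert("Corp Private CA", "Corp Private CA", b"corp-root")
OTHER_CA = Cert("Other CA", "Other CA", b"other-root")
API_LEAF = Cert("api.example.com", "Corp Private CA", b"api-leaf")
LOGIN_LEAF = Cert("login.example.com", "Corp Private CA", b"login-leaf")
ROGUE_LEAF = Cert("api.example.com", "Public Root CA", b"rogue-leaf")  # publicly trusted, not ours
CDN_LEAF = Cert("cdn.example.net", "Public Root CA", b"cdn-leaf")
ODD_LEAF = Cert("cdn.example.net", "Other CA", b"odd-leaf")

PROFILES = (
    PinningProfile("login.example.com", "strict", (LOGIN_LEAF,)),  # most specific first
    PinningProfile("*.example.com", "chain", (PRIVATE_CA,)),
    PinningProfile("static.example.net", "none"),
)
DEFAULT_CAS = (PUBLIC_CA,)


def demo() -> dict:
    """Outcomes for each scheme; os_trust_ok=True models a cert the OS would accept."""
    v = lambda host, chain, only=False: validate_session(host, chain, PROFILES, DEFAULT_CAS, only, True)
    return {
        "chain_private_ca": v("api.example.com", [API_LEAF, PRIVATE_CA]),      # pinned CA -> pass
        "chain_public_ca": v("api.example.com", [ROGUE_LEAF, PUBLIC_CA]),      # default CA replaced -> fail
        "strict_exact_leaf": v("login.example.com", [LOGIN_LEAF, PRIVATE_CA]), # uploaded leaf -> pass
        "strict_other_leaf": v("login.example.com", [API_LEAF, PRIVATE_CA]),   # same CA, wrong leaf -> fail
        "none_os_fallback": v("static.example.net", [ODD_LEAF, OTHER_CA]),     # OS decides -> pass
        "unlisted_default_cas": v("cdn.example.net", [ODD_LEAF, OTHER_CA]),    # unknown CA -> fail
        "unlisted_protect_only": v("cdn.example.net", [ODD_LEAF, OTHER_CA], only=True),  # unprotected -> pass
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:24s} {'ACCEPT' if ok else 'REJECT'}")
```

The two api.example.com cases are the point of Chain Evaluation: once a private CA is pinned for a domain, a certificate that a public CA issued for the same name is rejected, which is what prevents an interception proxy carrying a publicly trusted certificate from passing. The last two cases show what Protect Service Domains Only changes for a host outside the list.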
Prerequisites for Using SecureAPI™
- Appdome account
- Appdome-DEV access
- Mobile App (.ipa for iOS, or .apk or .aab for Android)
- Signing Credentials (e.g., signing certificates and provisioning profile)
How to use SecureAPI™ for Certificate Validation
Follow these step-by-step instructions to enforce SecureAPI™:
Upload a Mobile App to Your Account
From the Build tab, go to the Security menu.
- Click Secure Communications to expand the bundle.
- Click on the toggle to enable Trusted Session.
- Expand SecureAPI™.
- Add a Pinning Profile.
- Enter a Service Domain.
- Select a Pinning Scheme.
- Add Certificate(s).
- If you want to add another Service Domain, click Add Pinning Profile.
- (Optional) Enable Protect Service Domains Only to apply Trusted Session protections and validation only to domains included in the Service Domain list.
- Click Build My App.
The technology behind Build My App has two major elements: (1) a microservice architecture filled with thousands of code sets needed for mobile integrations, and (2) an adaptive code generation engine that can recognize the development environment, frameworks and methods in each app and match the app to the relevant code sets needed to add SecureAPI™ to the mobile app in seconds.
Congratulations! You now have a mobile app fully integrated with SecureAPI™.
What to do After I Build My App?
After you’ve implemented SecureAPI™ in any mobile application on Appdome, there are a few additional steps needed to complete your mobile integration project.
Please view the article here on How to Complete My Mobile Integration Project After I Build My App.
That is it – your applications now have the most comprehensive SecureAPI™ configuration with Trusted Session.
How Do I Learn More?
If you have any questions, please send them our way at firstname.lastname@example.org or via the chat window on the Appdome platform.