How to Enforce TLS Certificate Roles, Android & iOS Apps

Learn how to to Enforce SSL TLS Certificate Roles in Android & iOS Apps to protect mobile app data-in-transit and ensure safe connections.

TLS Certificate Role Enforcement – Why it’s Important to Secure Android & iOS App Sessions 

Let’s get back to basics: How does your application know that the resource it’s accessing is truly www.your-company-domain.com?

Well, during the connection’s negotiation, the remote service presents its certificate which roughly has two interesting parameters:

  1. Domain: This is how we verify that the domain we intended to connect is the same domain we got connected to.
    This, however, raises a question: Can’t a malicious domain just present a certificate with your domain?
    What solves this is the second property – the next certificate in the chain of trust
  2. Issuer: This is the identity of a “higher” certificate that “signed” the “lower” certificate.
    Signing is a cryptographically safe method that helps test whether a “lower” certificate was modified.

But how do we trust the issuer? Well, the issuer also has an issuer of its own, and this goes all the way up to an issuer that’s trusted by the platform on which your application runs.

The certificate presented by the server is called a “leaf” certificate, while each issuer is called a CA (Certificate Authority). These are, in essence, the roles of these certificates.

For example, the “chain-of-trust” in a normal connection might be:

  • *.your-company-domain.com signed by “Go Daddy Secure Certificate Authority – G2”
  • “Go DaddySecure Certificate Authority – G2” signed by “Go Daddy Root Certificate Authority – G2”
  • “Go Daddy Root Certificate Authority – G2” trusted by your browser/Android/iPhone.

Enforce Certificate Roles to protect Android and iOS apps

However, there is no functional difference between certificates, regardless of their roles. So while leaf certificates are not meant to be used as certificate-authorities, each certificate can be used to sign another certificate. This makes the following chain also 100% correct:

  • *.your-company-domain.com signed by *.malicious-domain.com
  • *.malicious-domain.com signed by “Go Daddy Secure Certificate Authority – G2”
    The attacker can obtain this certificate legitimately as it’s not different from buying a certificate for your own domain.
  • “Go DaddySecure Certificate Authority – G2” signed by “Go Daddy Root Certificate Authority – G2”
  • “Go Daddy Root Certificate Authority – G2” trusted by your browser/Android/iPhone.

So your application could blindly trust a connection to www.malicious-domain.com, thinking it iswww.your-comany-domain.com.

So how can this be enforced? Very simple, just include in each certificate information about its role. This is a common extension called “Basic-Constraints”.

The catch is that if a certificate does not have this extension, an SSL(TLS) implementation won’t enforce it.

This is why it’s important to enforce the presence of the Basic-Constraints extension and the roles of the certificates in the chain.

Implementing and especially maintaining such measures is a difficult task. Sometimes the source code is not available, and more often the services are on uncontrolled endpoints.

Appdome is a no-code mobile app security platform designed to add security features, like Certificate Role Enforcement to Android & iOS apps without coding. This KB shows mobile developers, DevSec and security professionals how to use Appdome’s simple ‘click to build’ user interface to quickly and easily protect mobile data in transit. 

3 Easy Steps to Enforce TLS Certificate Roles in Android & iOS Apps

Please follow these 3 easy steps to Enforce TLS Certificate Roles in Android & iOS Apps

  1. Upload an Android or iOS App to Appdome’s no code security platform (.apk, .aab, or .ipa)
  2. Under Build, Click Security, then Secure Communications,  switch ON Trusted Session, Expand Session Management, switch ON Enforce Certificate Roles– (optional) Enable Threat Events to configure a Threat Alert
  3. Click Build My App

Enforce TLS SSL Certificate Roles in mobile apps

Appdome’s no-code mobile app security platform offers mobile developers, DevSec and security professionals a convenient and reliable way to protect Android and iOS apps with Enforce Certificate Roles. When an Appdome user clicks “Build My App,” Appdome leverages a microservice architecture filled with 1000s of security plugins, and an adaptive code generation engine that matches the correct required plugins to the development environment, frameworks, and methods in each app.

Prerequisites for Enforce TLS Certificate Roles

Here’s what you need to build secured apps with Enforce TLS Certificate Roles

No Coding Dependency

Using Appdome, there are no development or coding prerequisites to build secured apps.  There is no SDK and no library to manually code or implement in the app. The Appdome technology adds the relevant standards, frameworks, and logic to the app automatically, with no manual development work at all.

How to Sign & Publish Secured Mobile Apps Built on Appdome  

After successfully securing your app using Appdome, there are several available options to complete your project, depending on your app lifecycle or workflow. These include 

Or, see this quick reference Releasing Secured Android & iOS Apps built on Appdome. 

How To Learn More?

You can read more about CA certificates here.

If you are interested in securing other aspects of TLS, you can check out how you can Enforce Communications’ Cipher Suites.

You can also enforce the version of the TLS protocol.

This feature is just one of many offered in the course of Trusted Session Inspection.

To zoom out on this topic, visit Appdome for Mobile App Security on our website.

If you have any questions, please send them our way at support@appdome.com or via the chat window on the Appdome platform.

Thank you!

Thanks for visiting Appdome! Our mission is to secure every app on the planet by making mobile app security easy. We hope we’re living up to the mission with your project. If you don’t already have an account, you can sign up for free.

Alan Bavosa

Have a question?

Ask an expert

GilMaking your security project a success!