Enforce Certificate Roles
What are certificate roles, why are they important?
Let’s get back to basics: How does your application know that the resource it’s accessing is truly www.your-company-domain.com?
Well, during the connection’s negotiation, the remote service presents its certificate which roughly has two interesting parameters:
- Domain: This is how we verify that the domain we intended to connect is the same domain we got connected to.
This, however, raises a question: Can’t a malicious domain just present a certificate with your domain?
What solves this is the second property – the next certificate in the chain of trust - Issuer: This is the identity of a “higher” certificate that “signed” the “lower” certificate.
Signing is a cryptographically safe method that helps test whether a “lower” certificate was modified.
But how do we trust the issuer? Well, the issuer also has an issuer of its own, and this goes all the way up to an issuer that’s trusted by the platform on which your application runs.
The certificate presented by the server is called a “leaf” certificate, while each issuer is called a CA (Certificate Authority). These are, in essence, the roles of these certificates.
For example, the “chain-of-trust” in a normal connection might be:
*.your-company-domain.comsigned by “Go Daddy Secure Certificate Authority – G2”- “Go DaddySecure Certificate Authority – G2” signed by “Go Daddy Root Certificate Authority – G2”
- “Go Daddy Root Certificate Authority – G2” trusted by your browser/Android/iPhone.
However, there no functional difference between certificates, regardless of their roles. So while leaf certificates are not meant to be used as certificate-authorities, each certificate can be used to sign another certificate. This makes the following chain also 100% correct:
*.your-company-domain.comsigned by*.malicious-domain.com*.malicious-domain.comsigned by “Go Daddy Secure Certificate Authority – G2”
The attacker can obtain this certificate legitimately as it’s not different from buying a certificate for your own domain.- “Go DaddySecure Certificate Authority – G2” signed by “Go Daddy Root Certificate Authority – G2”
- “Go Daddy Root Certificate Authority – G2” trusted by your browser/Android/iPhone.
So your application could blindly trust a connection to www.malicious-domain.com, thinking it iswww.your-comany-domain.com.
So how can this be enforced? Very simple, just include in each certificate information about its role. This is a common extension called “Basic-Constraints”.
The catch is that if a certificate does not have this extension, an SSL(TLS) implementation won’t enforce it.
This is why it’s important to enforce the presence of the Basic-Constraints extension and the roles of the certificates in the chain.
Enforcing the Certificate Roles
Implementing and especially maintaining such measures is a difficult task. Sometimes the source code is not available, and more often the services are on uncontrolled endpoints.
Appdome is a mobile integration platform as a service (iPaaS) that allows users to add a wide variety of features, SDKs, and APIs to Android and iOS apps. Using a simple ‘click to add’ user interface, Appdome allows anyone to easily implement Trusted Session Inspection to any mobile app – instantly, no code or coding required.
Using Appdome, there are no development or coding prerequisites. For example, there is no Appdome SDK, libraries, or plug-ins to implement Certificate Roles Enforcement. Certificate Roles Enforcement can be added to any iOS or Android app in seconds, with no code or coding.
Prerequisites for using Enforce Certificate Roles
- Appdome account – IDEAL or higher.
- Appdome-DEV access
- Mobile App (.ipa for iOS, or .apk or .aab for Android)
- Signing Credentials (e.g., signing certificates and provisioning profile)
How to Add Enforce Certificate Roles to Any Mobile App on Appdome
Follow these step-by-step instructions to add Certificate Roles Enforcement:
Upload a Mobile App to Your Account
Please follow these steps to add a mobile app to your Appdome account.
If you don’t have an Appdome account, click here to create an account.
From the “Build” tab, go to the Security menu.
- Click Secure Communications to expand the bundle.
- Click on the toggle to enable Trusted Session.
- Expand the sub-bundle Session Management.
- Toggle the Enforce Certificate Roles switch
- Enable +DEV Events to configure this security alert on your app
- Click Build My App
The technology behind Build My App has two major elements – (1) a micro-service architecture filled with 1000s of code sets needed for mobile integrations, and (2) an adaptive code generation engine that can recognize the development environment, frameworks and methods in each app and match the app to the relevant code-sets needed to add the requested service to the mobile app in seconds.
Congratulations! When your integration is complete, you will see the notice below. You now have a mobile app fully integrated with Enforce Certificate Roles.
What to do After I Build My App?
After you have added Enforce Certificate Roles to any Mobile App on Appdome, there are a few additional steps needed to complete your mobile integration project.
Please view the article here on How to Complete My Mobile Integration Project After I Build My App.
That is it – Your applications will now reject any communication that does not meet the recommended version requirements.
How Do I Learn More?
You can read more about CA certificates here.
If you are interested in limiting other aspects of TLS, you should check out how you can Enforce Communications’ Cipher Suites.
You can also enforce the version of the TLS protocol.
This feature is just one of many offered in the course of Trusted Session Inspection.
To zoom out on this topic, visit Appdome for Mobile App Security on our website.
If you have any questions, please send them our way at support@appdome.com or via the chat window on the Appdome platform.
Thank you!
Thanks for visiting Appdome! Our mission is to make mobile integration easy. We hope we’re living up to the mission with your project. If you don’t already have an account, you can sign up for free.