About Enforce TLS Cipher-Suites
The TLS/SSL protocol has been around for a very long time, and it supports a wide range of cryptographic algorithms for establishing a secure communication channel and communicating over it.
The protocol still supports some cryptographic algorithms that are now considered outdated, and it is not uncommon for some servers to have outdated configurations.
The reason these algorithms were deemed inadequate is twofold:
- Some algorithms were proven to have weaknesses.
- With the increase in available computing power, some algorithms have become susceptible to brute-force attacks.
So, for example, you might only want to allow connections where:
- The key is established via Elliptic Curve Diffie-Hellman (ECDH)
- Digital signatures use the Elliptic Curve Digital Signature Algorithm (ECDSA)
- The channel is encrypted using Galois/Counter Mode (GCM), where the block cipher is AES with a 256-bit key (AES256)
- The hash can only be SHA384
For these reasons, many organizations seek to restrict the cipher suites their software is allowed to use; see, for example, NIAP’s section on cryptographic support (FCS).
In addition, it is not uncommon for attackers to intentionally impersonate servers or weaken their parameters in order to make secure channels not-so-secure anymore.
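The example policy listed above, written as a check over IANA TLS 1.2 cipher-suite names. This is an added example, not Appdome code and not the format of its template file; the sample list is constructed, and reading "ECDH" as the ephemeral ECDHE suites is an assumption. TLS 1.3 names do not encode key exchange or signature, so the check rejects them instead of guessing.

```python
# Policy from the list above. Assumption: "ECDH" means the ephemeral ECDHE suites.
POLICY = {"kx": "ECDHE", "auth": "ECDSA", "enc": "AES_256_GCM", "hash": "SHA384"}


def parse_suite(name):
    """Split a TLS 1.2 IANA suite name into kx/auth/enc/hash, or return None."""
    if not name.startswith("TLS_") or "_WITH_" not in name:
        return None  # e.g. TLS 1.3 names such as TLS_AES_256_GCM_SHA384
    left, right = name[4:].split("_WITH_", 1)
    kx, _, auth = left.partition("_")      # TLS_RSA_WITH_...: RSA is kx and auth
    enc, _, digest = right.rpartition("_")
    if not enc:
        return None
    return {"kx": kx, "auth": auth or kx, "enc": enc, "hash": digest}


def check_suite(name):
    """Return (allowed, reasons). Names that cannot be parsed are rejected."""
    parts = parse_suite(name.strip())
    if parts is None:
        return False, ["key exchange/signature not readable from name"]
    reasons = [f"{field}={parts[field]} (want {want})"
               for field, want in POLICY.items() if parts[field] != want]
    return not reasons, reasons


def filter_allowed(names):
    """Keep only the suites that satisfy every field of the policy."""
    return [n.strip() for n in names if check_suite(n)[0]]


# Constructed sample list (real IANA names, chosen for illustration).
SAMPLE = [
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_AES_256_GCM_SHA384",
]

if __name__ == "__main__":
    for suite in SAMPLE:
        ok, why = check_suite(suite)
        print(f"{'ALLOW ' if ok else 'REJECT'} {suite}  {'; '.join(why)}")
```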
Enforce TLS Cipher Suites Quickly and Easily
Implementing and especially maintaining such measures is a difficult task. Sometimes the source code is not available, and more often the services are on uncontrolled endpoints.
Appdome is a mobile integration platform as a service (iPaaS) that allows users to add a wide variety of features, SDKs, and APIs to Android and iOS apps. Using a simple ‘click to add’ user interface, Appdome allows anyone to easily implement Trusted Session Inspection in any mobile app – instantly, no code or coding required.
Using Appdome, there are no development or coding prerequisites. For example, there are no Appdome SDKs, libraries, or plug-ins to implement in order to enforce TLS cipher suites. TLS cipher spec enforcement can be added to any iOS or Android app in seconds, with no code or coding.
Prerequisites for using Trusted Session Inspection
How to Enforce TLS Cipher Suites in Any Mobile App on Appdome
Follow these step-by-step instructions to enforce your permitted cipher suites:
Upload a Mobile App to Your Account
Please follow these steps to add a mobile app to your Appdome account.
If you don’t have an Appdome account, click here to create an account.
From the “Build” tab, go to the Security menu.
- Click Secure Communications to expand the bundle
- Click on the toggle to enable Trusted Session
- Expand Session Management.
- Toggle the “Enforce Cipher-Suites” switch
- Click Choose File and upload your list of allowed cipher suites. If you don’t already have such a file, you can use this template and remove any cipher suite you want to disallow.
- Enable +DEV Events to configure this security alert on your app.
- Click Build My App
The technology behind Build My App has two major elements – (1) a microservices architecture filled with 1000s of code sets needed for mobile integrations, and (2) an adaptive code generation engine that can recognize the development environment, frameworks and methods in each app and match the app to the relevant code-sets needed to add the requested service to the mobile app in seconds.
Congratulations! When your integration is complete, you will see the notice below. Your new mobile app will now enforce TLS cipher suites.
What to do After I Build My App?
After you have added TLS cipher-suite enforcement to any Mobile App on Appdome, there are a few additional steps needed to complete your mobile integration project.