MicroVPNs are virtual private networks that are specific to an application instead of a device. The purpose of using a MicroVPN in mobile apps is to enable Bring Your Own Device (BYOD) and avoid deploying a VPN client to every device. MicroVPNs allow mobile apps to establish direct and seamless access to corporate resources without a VPN on the device.
This Knowledge Base explains how anyone can use Appdome to add MicroVPNs to mobile apps and establish secure connectivity to corporate networks.
About Adding MicroVPN to Mobile Apps on Appdome
Appdome is a mobile integration platform as a service (iPaaS). Appdome allows users to add a wide variety of features, SDKs and APIs to Android and iOS applications. Using a simple ‘click to add’ user interface, Appdome allows anyone to easily integrate MicroVPN to any mobile app – instantly, no code or coding required.
Appdome MicroVPN is a flexible, all-in-one, mobile enterprise connectivity solution that supports any enterprise standard network gateway such as an SSL gateway, proxy, reverse proxy, or industry standard VPN. Appdome MicroVPN eliminates the need for mobile device VPNs or per application VPNs. Using Appdome MicroVPN each mobile app connects directly and securely to enterprise infrastructures.
Appdome’s MicroVPN does not require all web service endpoints to be published via a gateway, nor does it require code changes to repoint apps to the newly published addresses of services. Appdome’s MicroVPN can use any SSL gateway, including Microsoft App Proxy, Netscaler and more, in two main modes: transparent mode, which does not require resources to be publicly published, and reverse proxy mode, which is intended for publicly resolvable resources. Modes can also be set on a per-resource basis, providing full granular control over the access and connectivity model.
Using Appdome, there are no development or coding prerequisites. For example, there is no Appdome SDK, libraries, or plug-ins to implement. Likewise, there are no required infrastructure changes and no dependency on having standard or proprietary VPN protocols inside the mobile apps. The Appdome technology adds MicroVPN and relevant standards, protocols and more to the mobile app automatically.
Appdome for Mobile MicroVPN offers two modes:
On Appdome, you can enable a mobile app to use MicroVPN in two different modes of operation:
- Direct Connection Mode
In this mode, the Appdome MicroVPN layer will act as a secure gateway between the application and the world. Inside the Appdome-Fused application, the original application connects to the Appdome MicroVPN layer. This internal connection is protected by Appdome Security and not visible to the outside world. The Appdome MicroVPN Layer connects securely to the corporate gateway. The Appdome MicroVPN layer authenticates to the corporate gateway, enabling secure mobile app access to internal resources.
- Transparent Proxy Mode
In this mode, the Appdome MicroVPN layer routes its connection request to a proxy server, so that the proxy server can act as the secure gateway. Corporate proxies are typically accessible via the Internet. The Appdome MicroVPN layer tunnels a secure connection to the proxy to allow the original application to privately connect to the corporate network.
Appdome for Mobile MicroVPN Features:
The most straightforward way of ensuring that connections between mobile apps and corporate networks are secure is to restrict the parameters of the connection. Appdome allows you to control two important parts of the connection used by the Appdome MicroVPN layer.
- Strict Protocol Checking: only connections that use a protocol from a pre-defined list are permitted. This prevents the fused application from establishing connections to less secure destinations.
- Server Validation: after establishing a connection to a destination, the Appdome-fused app can run advanced checks to verify that the destination is who it says it is and is not a fake or malicious destination impersonating yours.
When Strict Protocol Checking is enabled, fused apps will only be able to make connections to secure servers using these cipher suites:
DHE-RSA-AES256-GCM-SHA384, DHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-RSA-AES128-GCM-SHA256, DHE-RSA-AES256-SHA256, DHE-RSA-AES128-SHA256, ECDHE-RSA-AES256-SHA384, ECDHE-RSA-AES128-SHA256.
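A pre-flight check for Strict Protocol Checking, added here as an example (not Appdome code): the list above uses OpenSSL-style names, while many scanners and gateway consoles list suites by their IANA names, so the sketch converts between the two and reports the overlap. The two gateway inventories are constructed sample data.

```python
# Added example: compare a gateway's enabled suites with the allow-list above.
ALLOWED = """DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES256-SHA256 DHE-RSA-AES128-SHA256
ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES128-SHA256""".split()


def to_iana(name):
    """Convert e.g. ECDHE-RSA-AES128-SHA256 to its IANA registry name."""
    parts = name.split("-")
    if len(parts) not in (4, 5) or not parts[2].startswith("AES"):
        raise ValueError(f"unexpected suite name: {name}")
    kx, auth, cipher, mac = parts[0], parts[1], parts[2], parts[-1]
    # OpenSSL names spell out GCM but omit the mode for CBC suites.
    mode = parts[3] if len(parts) == 5 else "CBC"
    return f"TLS_{kx}_{auth}_WITH_AES_{cipher[3:]}_{mode}_{mac}"


def preflight(gateway_suites):
    """Return the allow-listed suites the gateway offers, AEAD and CBC apart."""
    offered = {s.strip().upper() for s in gateway_suites}
    usable = [n for n in ALLOWED if to_iana(n) in offered]
    return {
        "aead": [n for n in usable if "-GCM-" in n],
        "cbc": [n for n in usable if "-GCM-" not in n],
        "overlap": bool(usable),  # False: no suite in common with the list
    }


# Constructed gateway inventories, in IANA notation.
GATEWAY_OK = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]
GATEWAY_LEGACY = ["TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA"]

if __name__ == "__main__":
    for label, suites in (("ok", GATEWAY_OK), ("legacy", GATEWAY_LEGACY)):
        print(label, preflight(suites))
```

Every suite on the list is an `-RSA-` suite, so the gateway must present an RSA certificate for any of them to be negotiated.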
Static Client Pinning
A more advanced security measure is to apply restrictions on the server or gateway which is the destination for the mobile app. If you set up the server or gateway to only accept connections from clients that can identify themselves using specific client certificates, Appdome can integrate the certificates needed to identify the client and present them as part of the secured connections.
Dynamic Client Pinning
Dynamic client pinning is an enterprise extension for static client pinning. It allows the use of a unique client-side certificate distributed by a SCEP server on a per-user basis. Currently, users are identified when fusing an app together with MicroVPN and Microsoft Intune. For more details read this article.
Inclusive routing means you can decide that only some domains (regular expressions can be used) are securely connected using MicroVPN, while other connections that are not included in the domain list are allowed to pass directly. This gives you the option to choose particular settings for different domains, which is especially useful for defining multiple profiles with different configurations.
Appdome allows you to define one or more profiles to configure all the above settings. In this manner, you can protect some domains with Static Client Pinning, while protecting others by securing them using Transparent Proxy mode. Note: When using multiple profiles, all the profiles should be set up with Inclusive Routing in order to have the handling of each domain well defined.
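A way to review a multi-profile Inclusive Routing plan before fusing, added here as an example (not Appdome code or its configuration format): it checks each host the app needs against the profiles and flags hosts that would pass directly or that more than one profile claims. The profile names, domains and the `*.` matching rule are assumptions; the page does not say how overlapping patterns are resolved, so overlaps are only reported.

```python
# Added example: hypothetical profile model for reviewing inclusive routing.
PROFILES = {  # constructed profile names and domain patterns
    "pinned-api": ["api.corp.example.com", "*.pay.corp.example.com"],
    "proxy-intranet": ["*.corp.example.com"],
}


def matches(pattern, host):
    """Assumed semantics: a leading '*.' matches one or more sub-domain labels;
    anything else must match exactly. Matching is case-insensitive."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # keeps the leading dot as a label boundary
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def route(host, profiles=PROFILES):
    """Return ('direct', []) when no profile lists the host, ('tunnel', [name])
    for a single match, and ('ambiguous', names) when several profiles match."""
    hits = [name for name, patterns in profiles.items()
            if any(matches(p, host) for p in patterns)]
    if not hits:
        return ("direct", [])
    return ("tunnel", hits) if len(hits) == 1 else ("ambiguous", hits)


def audit(hosts, profiles=PROFILES):
    """Report every host that is not handled by exactly one profile."""
    report = {}
    for host in hosts:
        decision = route(host, profiles)
        if decision[0] != "tunnel":
            report[host] = decision
    return report


# Constructed list of hosts the app is expected to reach.
APP_HOSTS = ["wiki.corp.example.com", "api.corp.example.com",
             "corp.example.com", "evilcorp.example.com"]

if __name__ == "__main__":
    for host, decision in audit(APP_HOSTS).items():
        print(host, decision)
```

With the sample data, `corp.example.com` itself is not covered by `*.corp.example.com` and would pass directly, and `api.corp.example.com` is claimed by both profiles, which is the kind of undefined handling the note above warns about.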
Prerequisites for using Appdome MicroVPN
In order to use Appdome’s no-code implementation of MicroVPN, you’ll need:
- Appdome account – IDEAL or Higher.
- Mobile App (.ipa for iOS, or .apk for Android)
- Enterprise-grade SSL gateway, proxy, reverse proxy, or industry standard VPN that is the authentication or termination endpoint for the MicroVPN
- List of internal domains the mobile app will access
- Client-side certificates (PEM+key) for Static Client Pinning
- Signing Credentials (e.g., signing certificates and provisioning profile)
How to Add MicroVPN to Mobile Apps on Appdome
Follow these step-by-step instructions to add MicroVPN to mobile apps on Appdome:
Upload a Mobile App to Your Account
Please follow these steps to add a mobile app to your Appdome account.
If you don’t have an Appdome account, click here to create an account.
From the “Fuse” tab, Add MicroVPN
Select the Fuse Tab. Note: a blue underline will appear showing the step is active.
From within the Fuse Tab:
- Go to the Access tab
- Toggle on Enable MicroVPN
- Click on Add Profile +
- Name your new profile
- Choose the features you want to enable.
Note that all the features are optional, and any combination can be chosen. If none of the features are on, Appdome will take basic measures to ensure connection hardening (by ensuring the application’s connection uses a secure TLS/SSL connection).
5.1. Toggle on the Inclusive Routing feature; you can then click the + Add button to add the domains that will be protected. When this toggle is off, all domains are protected (and you can only have a single profile). You can add multiple domains, and the domains support * as a wildcard that will match any sub-domain.
5.2. Toggle on Transparent proxy mode and enter the proxy domain (can contain port in the standard format host:port)
5.3. Toggle on session hardening to enable Strict Protocol Checking and/or Server Validation
5.4. Toggle on Static Client Pinning and add the client certificate. The certificate is added in PEM format as two separate files, the certificate itself and its key file.
- Optionally, you can set up more profiles
- Click Fuse My App
The technology behind Fuse My App has two major elements – (1) a micro service architecture filled with 1000s of code sets needed for mobile integrations, and (2) an adaptive code generation engine that can recognize the development environment, frameworks and methods in each app and match the app to the relevant code-sets needed to add MicroVPN to the mobile app in seconds.
Congratulations! When your implementation is complete, you’ll see the notice below. You now have a mobile app fully integrated with MicroVPN.
After Adding MicroVPN to a Mobile App on Appdome
After you have added MicroVPN to any mobile app on Appdome, there are a few additional steps needed to complete your mobile integration project.
Add Context™ to the Appdome-Fused App
Appdome is a full featured mobile integration platform. Within Context™, Appdome users can brand the app, including adding a favicon to denote the new service added to the application.
For more information on the range of options available in Context™, please read this knowledge base article.
Sign the MicroVPN enabled Appdome-Fused App (Required)
In order to deploy an Appdome-Fused application, it must be signed. Signing an iOS app and signing an Android app are easy using Appdome. Alternatively, you can use Private Signing: download your unsigned application and sign it locally using your own signing methods.
Deploy the Appdome-Fused App to a Mobile Device
Once you have signed your Appdome-Fused application, you can download it and deploy it using your distribution method of choice. For more information on deploying your Appdome-Fused applications, please read this knowledge base.
That is it – Enjoy MicroVPN in your application!
How Do I Learn More?
If you have any questions, please send them our way at firstname.lastname@example.org or via the chat window on the Appdome platform.