This KB Article explains how to implement Active MiTM attack prevention in any mobile app using Appdome.
What is a Man-in-the-Middle (MitM) attack? MitM attacks occur when an attacker secretly intercepts a communication session between two parties and takes control of it. For example, when you log in to a mobile banking app and type in your username and password to be authenticated by the bank’s server, the attacker can insert themselves “in the middle” between your app and the bank’s server, where they can intercept and potentially read or alter any information sent between you and the bank. In a MitM attack, both parties may think they are communicating directly with each other in a private session. In reality, they are both communicating with the attacker, who controls the session.
There are two main goals for MitM attacks.
MitM attacks are common because it can be incredibly hard to tell the difference between an impostor and the real endpoint, even for a technical professional. Anyone can fall victim.
Attackers use many different methods to get into a MitM position, such as session hijacking. Sometimes they intercept traffic on unsecured networks or rogue Wi-Fi access points. Other times they modify DNS entries to redirect traffic, or trick users into clicking malicious URLs sent via email, SMS or chat in what is known as a mobile phishing attack.
Attackers often try to take over the session at the very beginning of the TLS/SSL handshake, because that gives them the greatest opportunity to control it. Sometimes the attacker replaces the server’s real certificate with a forged one for the same hostname, signed by a CA the attacker controls or has had installed on the device, and presents it to the app instead. Even a security expert would struggle to tell the difference from the user’s side. In any case, the goal of a MitM attack is u
The remainder of this KB article will explain how to use Appdome to prevent Man-in-the-middle attacks. The article will describe each specific feature of Appdome’s Active MiTM attack prevention solution, along with step by step instructions on how to implement each feature in any iOS or Android app – instantly without coding.
Appdome is a no-code mobile security and mobile integration platform that allows users to add security features, like RASP, code obfuscation, data encryption and more, as well as mobile threat, mobile fraud, anti-bot and other SDKs and APIs to Android and iOS apps. This KB describes how to use Appdome’s simple ‘click to build’ user interface to quickly and easily build Trusted Session Protection into any mobile app – instantly, no code or coding required.
Using Appdome, there are no development or coding prerequisites. For example, there is no Appdome SDK, libraries, or plug-ins required to implement Trusted Session in order to prevent MiTM Attacks. Trusted Session can be added to any iOS or Android app in seconds, with no code or coding.
You can implement Appdome Active MiTM Prevention to prevent MitM attacks in any iOS or Android app in minutes. Appdome also protects all apps from malicious proxies, modified or untrusted Certificates, and reuse of stale sessions. Appdome MiTM attack prevention can be found in the Appdome Mobile Security Suite and under the category – Secure Communication.
Appdome’s technology prevents attackers from gaining control over the session before the TLS handshake completes. When an application initiates a handshake with the server, Appdome’s technology inspects the traffic to validate the integrity and authenticity of certificates, CAs, as well as session state information, and more. This inspection occurs before a would-be attacker can take control over the session or insert an altered certificate as part of the initial handshake. If Appdome detects that any element of the encryption model or session has been modified, the session is automatically dropped and an App Compromise Notification is presented to the user, thus preventing the MitM attack.
Protecting against MitM attacks and malicious proxies is a critical part of a cyber-defense strategy. Mobile MitM attacks target the connection between a mobile app and the server it talks to. Attackers use different methods to execute them, including inserting proxies on insecure network or Wi-Fi connections, exploiting stale session IDs, modifying or redirecting DNS requests, and more.
If the attacker controls the user’s network, they can try to impersonate the server and replace the server’s certificate with a fake or malicious one of their own.
Appdome identifies and blocks the malicious certificate during the SSL/TLS handshake. It prevents the attack by validating the authenticity of the certificate presented by the destination server and stopping the application from connecting to untrusted, unknown or malicious destinations, servers or websites.
In MitM attacks, it is common for attackers to proxy traffic through a machine, server or network that they control. For cleartext protocols (HTTP especially), or where certificate checks are weak, the attacker may be able to read, modify or steal the content being transmitted, deliver malware or ransomware, and much more.
Appdome detects and prevents mobile apps from connecting to malicious proxies. If the device is configured to route traffic through a proxy that intercepts the connection and presents its own certificate to the app, Appdome’s technology detects the untrusted certificate and terminates the connection.
Stale sessions can be reclaimed by attackers and re-used in their attacks, and such reuse may go unnoticed for months or longer. Appdome detects and blocks session reuse and reclaimed session IDs so that attackers cannot replay stale sessions.
Mobile devices come pre-loaded with an OEM list of trusted CAs. However, additional CAs can be installed on the device by malicious means, or the list can be modified by an attacker, which leaves mobile users vulnerable to MitM and phishing attacks.
To combat these threats, Appdome maintains an up-to-date list of publicly trusted CAs (such as Verisign, Go-Daddy and others) and builds it into the app. When the application creates a trusted session with an SSL/TLS server, Appdome checks the server’s certificate chain against that list rather than against the device’s trust store. This means that a CA certificate installed on the device but not uploaded to the app’s trust store via Appdome will not be trusted, and the connection will be dropped.
If your application connects to an enterprise server that uses your company-specific CA certificate (the one that usually has to be installed on the device to authorize the TLS connection), you can pin that certificate to the app and eliminate the risk of the app connecting to an impersonated or compromised peer server.
With Appdome Secure Certificate Pinning, certificate validation is performed automatically. Appdome verifies the authenticity of the SSL/TLS certificates received from the server against a predefined set of Certificate Authority (CA) certificates. This first occurs during the initial secure communication exchange (the SSL/TLS handshake). The certificate validation process takes three inputs: the certificate to be validated, any intermediate certificates the application has acquired, and a store containing the root and intermediate certificates trusted by the application.
You can upload certificates as a single file or a zip archive in any of the following formats: .cer, .crt, .pem, .der, .zip.
This adds your certificate to the list of known and trusted certificates. When Appdome inspects the connection, it validates that the legitimate trusted certificate is being used; if not, the session is dropped.
Appdome also offers “Session Control” options. You can enable these optional settings to raise the security level of various components of the encryption model (for example to require stronger keys, specify acceptable cipher suites, enforce minimum TLS versions, and more). Each is part of Appdome’s comprehensive MitM attack prevention. The Session Control options available on Appdome are:
Connections established using a cipher specification that is not on the approved list are regarded as compromised and dropped.
Enforce that network connections use TLS 1.2 or higher.
Enforce verification of the ‘basicConstraints’ extension in the certificate chain, so that only certificates marked as CAs may issue other certificates.
Enforce that server certificates use a Rivest-Shamir-Adleman (RSA) key of at least 2048 bits.
Enforce that server certificates use an Elliptic-Curve Cryptography (ECC) key of at least 256 bits.
Enforce that server certificates are signed using SHA-256 or a stronger hash algorithm.
As covered in RFC 7766, some customers may prefer TCP over UDP for DNS traffic because of the protection it provides against address spoofing and against the use of DNS in reflection/amplification attacks. Enabling this setting in a mobile app allows DNS requests over TCP to pass undisrupted.
Pin a static client certificate to the built app to authenticate client connections on a MicroVPN gateway.
When an application establishes a connection, some components might alter the IP addresses that the application sees. The IP Address Visibility option ensures that Appdome reports the actual IP addresses. This is important when you are auditing the IP addresses your apps use.
This allows the built app to access a specified list of trusted hosts and destinations.
This specifies a secret that will be included in every URL connection request made by the app. The backend can verify this secret to identify valid apps.
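As an added example (not code from Appdome or from this article), the Go program below shows what the pinned trust store described in the Secure Certificate Pinning section and several of the Session Control options above amount to in a TLS client. It builds a small throwaway PKI at runtime (constructed test certificates, not real ones), verifies a server certificate against the app’s own pinned root instead of the device’s CA list using the three validation inputs named above (leaf, intermediates, trust store), and then applies policy checks for basicConstraints on issuers, RSA keys of at least 2048 bits, ECC keys of at least 256 bits and SHA-256 or stronger signatures. The function and CA names, the host api.example.com and the key-size constants are assumptions for illustration; only the Go standard library is used.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const minRSABits, minECCBits = 2048, 256 // key-size floors from the Session Control options (illustrative values)

// checkCert enforces key strength, signature hash and (for issuers) basicConstraints on one certificate.
func checkCert(c *x509.Certificate, mustBeCA bool) error {
	cn, bits, floor := c.Subject.CommonName, 0, 0
	switch k := c.PublicKey.(type) {
	case *rsa.PublicKey:
		bits, floor = k.N.BitLen(), minRSABits
	case *ecdsa.PublicKey:
		bits, floor = k.Curve.Params().BitSize, minECCBits
	}
	if floor == 0 || bits < floor { // floor stays 0 for key types the policy does not cover, so they are rejected too
		return fmt.Errorf("%q: %T with %d bits rejected (policy: RSA >= %d, ECC >= %d)", cn, c.PublicKey, bits, minRSABits, minECCBits)
	}
	switch c.SignatureAlgorithm { // SHA-256 or stronger only; MD5 and SHA-1 signatures fall through and are rejected
	case x509.SHA256WithRSA, x509.SHA384WithRSA, x509.SHA512WithRSA, x509.SHA256WithRSAPSS, x509.SHA384WithRSAPSS,
		x509.SHA512WithRSAPSS, x509.ECDSAWithSHA256, x509.ECDSAWithSHA384, x509.ECDSAWithSHA512:
	default:
		return fmt.Errorf("%q: signature algorithm %s is weaker than SHA-256", cn, c.SignatureAlgorithm)
	}
	if mustBeCA && !(c.BasicConstraintsValid && c.IsCA) {
		return fmt.Errorf("%q: issuer lacks basicConstraints CA:TRUE", cn)
	}
	return nil
}

// VerifyChain takes the three validation inputs: leaf, intermediates from the server, and the app's own pinned roots. Device CAs are never consulted.
func VerifyChain(leaf *x509.Certificate, inters, pinned *x509.CertPool, host string) error {
	chains, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: pinned, Intermediates: inters})
	if err != nil {
		return fmt.Errorf("untrusted chain, drop session: %w", err)
	}
	for i, c := range chains[0] { // chains[0][0] is the leaf; every certificate above it must be a CA
		if err := checkCert(c, i > 0); err != nil {
			return fmt.Errorf("policy violation, drop session: %w", err)
		}
	}
	return nil
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue mints a throwaway certificate (constructed test data, not a real PKI); rsaBits==0 selects an ECDSA P-256 key.
func issue(cn string, rsaBits int, isCA bool, parent *x509.Certificate, parentKey crypto.Signer) (*x509.Certificate, crypto.Signer) {
	var key crypto.Signer = must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if rsaBits > 0 {
		key = must(rsa.GenerateKey(rand.Reader, rsaBits))
	}
	tmpl := &x509.Certificate{SerialNumber: must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))),
		Subject: pkix.Name{CommonName: cn}, NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour), BasicConstraintsValid: true, IsCA: isCA}
	if !isCA {
		tmpl.DNSNames = []string{cn} // the hostname the app connects to
	}
	if parent == nil { // self-signed root
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, key.Public(), parentKey))
	return must(x509.ParseCertificate(der)), key
}

// Scenarios runs the cases a MitM prevention layer must tell apart and returns the verdict for each.
func Scenarios() map[string]error {
	root, rootKey := issue("Pinned Enterprise Root", 0, true, nil, nil)
	inter, interKey := issue("Enterprise Issuing CA", 0, true, root, rootKey)
	pinned, inters := x509.NewCertPool(), x509.NewCertPool()
	pinned.AddCert(root)
	inters.AddCert(inter)
	good, _ := issue("api.example.com", 2048, false, inter, interKey)
	weak, _ := issue("api.example.com", 1024, false, inter, interKey)
	evilRoot, evilKey := issue("Attacker Root", 0, true, nil, nil) // e.g. a CA sideloaded onto the device
	forged, _ := issue("api.example.com", 2048, false, evilRoot, evilKey)
	return map[string]error{
		"legitimate chain":         VerifyChain(good, inters, pinned, "api.example.com"),
		"weak 1024-bit RSA leaf":   VerifyChain(weak, inters, pinned, "api.example.com"),
		"forged cert, attacker CA": VerifyChain(forged, nil, pinned, "api.example.com"),
	}
}

func main() { fmt.Println(Scenarios()) }
```

The weak and forged cases both end in a dropped session, but for different reasons, and that distinction is what you want in your logs: an unknown issuer points at an intercepting proxy or a sideloaded CA, while a policy violation points at a misconfigured but legitimate server. TLS version and cipher suite enforcement are not shown; in a Go client they belong in tls.Config (MinVersion set to tls.VersionTLS12 and an explicit CipherSuites list), alongside RootCAs set to the pinned pool.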
An App Compromise Notification is a configurable message displayed to the user whenever Appdome detects the application may be compromised. You can customize these messages to display any text you wish the user to see before the application exits.
Follow these step-by-step instructions to protect mobile applications from Man-in-the-Middle and session hijacking attacks:
The technology behind Build My App has two major elements: (1) a microservices architecture filled with thousands of code sets needed for mobile integrations, and (2) an adaptive code generation engine that recognizes the development environment, frameworks and methods in each app and matches the application to the relevant code sets needed to add the requested service to the mobile application in seconds.
Congratulations! When your integration is complete, you will see a completion notice. You now have a mobile app fully integrated with Trusted Session for MitM attack prevention.
After you’re finished building your app, there are a few additional steps needed to complete your mobile integration project.
How Do I Learn More?
If you have any questions, please send them our way at firstname.lastname@example.org or via the chat window on the Appdome platform.