No-code Active MitM Attack Prevention for mobile apps

This KB Article explains how to implement  Active MiTM attack prevention in any mobile app using Appdome.

MitM Attacks Explained 

What is a Man-in-the-Middle (MitM) attack?  MiTM attacks occur when an attacker secretly intercepts a communications session between two parties and takes control over the session. For example, when you login to a mobile banking app and type in your username and password to get authenticated by the bank’s server, the attacker can insert themselves  “in the middle” between your app and the bank’s server, where they can intercept and potentially read or alter any information sent between you and the bank. In a MitM attack, both parties may think they are directly communicating with each other in a private session. But in reality, they are actually communicating with the attacker, who has control over the session. 

WHY Do Attackers Execute MitM Attacks?  

There are two main goals for MitM attacks. 

  1. Data Harvesting: MitM attacks are an easy way for hackers to steal or harvest data ‘in transit’ from the app to the server. Using MitM attacks (and other forms of network or session hijacking techniques) a malicious attacker can gain access to valuable data, such as usernames, passwords, secrets, API keys and other valuable information. They either monetize this information, or use it later in other attacks, such as to infiltrate the ‘backend’ systems or server.  
  2. Malware delivery:  Sometimes attackers trick unsuspecting users into downloading malware. For instance, the attacker may pretend to be your bank or your IT department (or some other trusted entity) and ask you to download or update a mobile application – which looks like the real app, but it’s really a fake copy of the real app with malware embedded inside. Once you download the app, the malware activates (usually at some later time so that you don’t suspect it).

MitM attacks are extremely popular because it can be incredibly hard to tell the difference between an imposter and  ‘the real thing’ – even if you are a tech pro. Anyone can fall victim.

HOW Do Attackers Execute MitM Attacks?  

Attackers use many different methods to initiate MitM attacks such as session hijacking. Sometimes attackers intercept traffic from unsecured networks or fake Wifi access points. Other times, they modify DNS entries to redirect traffic, or trick users to click on malicious URLs sent via email, SMS, chat sessions in what’s known as a mobile phishing attack.

Hackers often try to hijack sessions at the very beginning of the TLS/SSL handshake, because that gives them the greatest opportunity to control the session.  Sometimes the attacker replaces the server’s real certificate with a cryptographically signed fake copy which they present to the app instead. Even if you’re a security expert, it could be tough for users to know the difference.  In any case, the goal of a MitM attack is u

The remainder of this KB article will explain how to use Appdome to prevent Man-in-the-middle attacks.  The article will describe each specific feature of Appdome’s Active MiTM attack prevention solution, along with step by step instructions on how to implement each feature in any iOS or Android app – instantly without coding. 

How to use Appdome to prevent MitM attacks  

Appdome is a no-code mobile security and mobile integration platform that allows users to add security features, like RASP, code obfuscation, data encryption and more, as well as mobile threat, mobile fraud, anti-bot and other SDKs and APIs to Android and iOS apps. This KB describes how to use Appdome’s simple ‘click to build’ user interface to quickly and easily build Trusted Session Protection into any mobile app – instantly, no code or coding required.

Using Appdome, there are no development or coding prerequisites. For example, there is no Appdome SDK, libraries, or plug-ins required to implement Trusted Session in order to prevent MiTM Attacks.  Trusted Session can be added to any iOS or Android app in seconds, with no code or coding.

Overview of Appdome’s Active MitM Prevention solution

You can implement Appdome Active MiTM Prevention to prevent MitM attacks in any iOS or Android app in minutes.  Appdome also protects all apps from malicious proxies, modified or untrusted Certificates, and reuse of stale sessions.  Appdome MiTM attack prevention can be found in the Appdome Mobile Security Suite and under the category – Secure Communication.

Appdome’s technology prevents attackers from gaining control over the session before the TLS handshake completes. When an application initiates a handshake with the server, Appdome’s technology inspects the traffic to validate the integrity and authenticity of certificates, CAs, as well as session state information, and more. This inspection occurs before a would-be attacker can take control over the session or insert an altered certificate as part of the initial handshake.  If Appdome detects that any element of the encryption model or session has been modified, the session is automatically dropped and an App Compromise Notification is presented to the user, thus preventing the MitM attack. 

Appdome Trusted Session feature for MiTM attack prevention

Appdome Active MiTM Attack Prevention Features

MiTM Prevention

Protecting against MitM attacks and malicious proxies is a critical cyber-defense strategy. Mobile MitM attacks target the connection between a mobile app and the server it connects to. Hackers use different attack methods to execute MitM attacks, including attaching proxies to insecure network or wifi connections, exploiting stale session IDs, modifying or redirecting DNS requests, and more.

If the attacker has control over the user’s network, they could try to impersonate the server-side and replace the server certificate with their own fake or malicious certificate. 

Appdome will identify and block the malicious certificate during the SSL Handshake. Appdome prevents the attack by validating the authenticity of the SSL certificate used by the destination server and preventing the application from connecting to untrusted, unknown, or malicious destinations, servers, or websites. 

Malicious Proxy Prevention

In MitM attacks, it’s common for attackers to proxy traffic through a malicious machine/server/network that they control. For certain protocols (HTTP especially), it may be possible for the attacker to read/modify/steal the content being transmitted, or to conduct ransomware attacks, deposit malware, and much more. 

Appdome detects and prevents mobile apps from connecting to malicious proxies. If the mobile device is configured with a proxy server that was configured to send a malicious connection or certificate to the device, Appdome’s technology detects the untrusted certificate and terminates the connection.

Prohibit Stale Sessions 

Stale sessions can be reclaimed by hackers re-used in their attacks. And many times such reuse of sessions may go unnoticed for months or longer.  Appdome detects and prohibits session reuse and reclaimed SessionIDs so that hackers cannot use stale sessions in attacks. 

Trust World Wide Public CAs

Mobile devices come pre-loaded with an OEM list of trusted CA(s) built-in. However,  CA(s) can be installed on the device in malicious ways, or modified by attackers, which makes mobile users vulnerable to MitM and Phishing attacks.

To combat these threats, Appdome continuously maintains an up to date list of publicly trusted CAs (such as Verisign,  Go-Daddy and others). When the application creates a trusted session with an SSL server, Appdome checks the connection against an updated and secure list that comes with Appdome. This means that if a certificate was installed on the device but not uploaded via Appdome to the trust store, the CA(s) will not be trusted and the connection will be dropped.

Secure Certificate Pinning   

If your application connects to a local enterprise server that uses your company-specific CA certificate (the one which usually needs to be installed on the device in order to authorize the TLS connection), you can pin these certificates to the app/device, and thus eliminate risk of the app connecting to a compromised peer server.  

Appdome Secure Certificate Pinning for MiTM attack prevention

With Appdome Secure Certificate Pinning, certificate validation is performed automatically. Appdome verifies the authenticity of the SSL/TLS certificates received from the server against a predefined set of Certificate Authority (CA) certificates – This first occurs during the initial secure communication exchange (SSL/TLS handshake). The certificate validation process typically proceeds in three steps and typically takes three inputs. The first is the certificate to be validated, the second is any intermediate certificates acquired by the applications, and the third is a store containing the root and intermediate certificates trusted by the application.

You can upload certificates as a file or zip file in any of the following formats:  .cer, .crt, .pem, .der, .zip). 

This will add your certificate to the list of known and trusted certificates. When Appdome inspects the connection, it validates that the legitimate trusted certificate is being used. If not, the session is dropped. 

Session Control

Appdome also offers “Session Control” options. You can enable these optional settings to increase the security level of various components of the encryption model (for example to increase key strength, specify acceptable cipher suites, enforce TLS versions, and more). Each feature is part of Appdome’s comprehensive MiTM attack prevention. Below is a list of Session Control options available on Appdome (click on the link to learn additional details about each option): 

Enforce Cipher Suites

Connections established using a non-approved cipher specification will be regarded as compromised and dropped. 

Enforce TLS versions

Enforce network connections to conform to TLS 1.2 version or higher.

Enforce Certificate Roles

Enforce network connections to verify ‘basicConstraints’ extension in the certificate chain.

Enforce Strong RSA Signature

Enforce server certificate signatures to use a Rivest-Shamir-Adleman (RSA) key with a length of at least 2048 bits.

Enforce Strong ECC Signature

Enforce server certificate signatures to use Elliptic-Curve Cryptography (ECC) key with a size of at least 256 bits.

Enforce SHA256 Digest

Enforce server certificate signatures to use at least a SHA256 certificate hashing algorithm.

Permit DNS over TCP

As covered in RFC 7766, some customers may desire to use TCP instead of UDP for DNS traffic due to the protection it provides against address spoofing and exploitation of DNS in reflection/amplification attacks. Enabling this setting a mobile app will allow DNS requests over TCP to pass undisrupted.  

Static Client Pinning

Pin a static client certificate to the built app to authenticate client connections on a MicroVPN gateway.

IP Address Visibility

When an application establishes a connection, some components might alter the IPs that the application sees. The IP Address Visibility option ensures that Appdome reports the actual IP addresses  This is important when you are auditing the IP addresses your apps use. 

Other Features in Appdome’s Secure Communication Category

URL Whitelisting

This allows the built app to access a specified list of trusted hosts and destinations.
URL Whitelisting in Appdome for MiTM attack prevention

Shared Secret

This specifies a secret that will be included in every URL connection request completed by the app. This defined secret can also be verified by a backend in identifying valid apps.

  • Secret Text – This is the unique text you’ve defined for your app to use as a secret text.
  • Signature Header – Optionally an app builder can specify a name for the signature header.

Shared Secret in Appdome

+DEV Events

In the case of a security event, with +DEV-Events   disabled (i.e., “off”), Trusted Session shows the user the App Compromise Notification and exits the application. When +DEV-Events enabled (i.e., “on”), Trusted Session causes the application to send an event to your application with detailed information about the security issue detected. With +DEV-Events enabled, the application will not exit. Instead, the developer must design the workflow inside the application to achieve the desired outcome.
Read Configuring Appdome Security Alerts for configuration details and more info.

App Compromise Notification

An App Compromise Notification is a configurable message displayed to the user whenever Appdome detects the application may be compromised. You can customize these messages to display any text you wish the user to see before the application exits.

Prerequisites for using Active MitM Prevention

How to Add Active MitM Prevention to Any Mobile App using Appdome 

Follow these step-by-step instructions to protect mobile applications from Man-in-the-Middle and session hijacking attacks:

Upload a Mobile Application to Your Account

Please follow these steps to add a mobile application to your Appdome account.
If you don’t have an Appdome account, click here to create an account.

From the “Build” tab, go to the Security menu

  1. Click  Secure Communications to expand the bundle.
  2. Click on the toggle to enable Trusted Session.
  3. (optional) Fill out the custom message that is displayed in case of a security event.
  4. MiTM Prevention will be automatically enabled on your app
  5. Malicious Proxy Detection will be automatically enabled on your app
  6. Prohibit Stale Sessions option will be automatically enabled on your app
  7. Trust World Wide Public CAs option will be automatically enabled on your app
  8. Enable +DEV Events to configure this security alert on your app.
    Adding MiTM Protection to a Mobile App on Appdome
  9. (optional) Enable SecureAPITM  to implement Secure Certificate Pinning, which will verify your private server certificates
  10. Enable +DEV Events to configure this security alert on your app.Enable SecureAPI on Appdome
  11. Expand the sub-bundle Session Control.
    1. (optional) Click on the toggle to Enforce Cipher Suites to limit the encryption ciphers that should be allowed for communication.
    2. (optional) Click on the toggle to Enforce TLS Version to limit allowed connections to newer more secure communication methods.
    3. (optional) Click on the toggle to Enforce Certificate Roles to verify ‘basicConstraints’ extension in the certificate chain of connections.
    4. (optional) Click on the toggle to Enforce Strong RSA Signature to enforces leaf and intermediary certificates received from the server to be signed with a Rivest-Shamir-Adleman (RSA) key with a length of at least 2048 bits.
    5. (optional) Click on the toggle to Enforce Strong ECC Signature to enforces leaf and intermediary certificates received from the server to be signed with an Elliptic-Curve Cryptography (ECC) key with a size of at least 256 bits.
    6. (optional) Click on the toggle to Enforce SHA256 Digest to enforce server certificate signatures to use at least a SHA256 certificate hashing algorithm.
    7. (optional) Use IP Address Visibility to ensure that all IP addresses that the application uses to make connections are the real IP addresses of the destination (as explained above).
    8. (optional) Use Permit DNS over TCP to allow DNS connections requests over TCP (rather than UDP) to pass undisrupted.
    9. (optional) Click on the toggle to enable Static CA Pinning.
    10. Enable +DEV Events to configure each of the security alerts above on your app.MiTM attack prevention using Appdome Trusted Session's Session Control
  12. (optional) Click on the toggle to add URL whitelist to your app
  13. (optional) Click on the toggle to enable DEV-Events on your app
    add URL Whitelisting on Appdome
  14. Click Build My App

The technology behind Build My App has two major elements – (1) a microservices architecture filled with 1000s of code sets needed for mobile integrations, and (2) an adaptive code generation engine that can recognize the development environment, frameworks and methods in each app and match the application to the relevant code-sets needed to add the requested service to the mobile application in seconds.

Congratulations! When your integration is complete, you will see the notice below. You now have a mobile app fully integrated with Trusted Session for MiTM attack prevention.
Appdome Fusion Success Notification for MiTM attack prevention

What to do After I Build My App?

After you’re finished building your app, there are a few additional steps needed to complete your mobile integration project.

How Do I Learn More?

To zoom out on this topic, visit Appdome for Mobile App Security on our website or request a demo at any time.

If you have any questions, please send them our way at support@appdome.com  or via the chat window on the Appdome platform.

Other helpful third party articles: 

Certificate Pinning and Public Key Pinning Control – OWASP

MiTM Attacks – OWASP

Certificate Validation

Thank you!

Thanks for visiting Appdome! Our mission is to make mobile integration easy. We hope we’re living up to the mission with your project. If you don’t already have an account, you can sign up for free.

 

Dany Zatuchna

Have a question?

Ask an expert

GilMaking your security project a success!