MitM Attack Protection using Appdome Trusted Session
MitM attacks, also known as Man-in-the-Middle attacks, occur when an attacker intercepts, relays, or alters the communication between two parties who believe they are communicating directly with each other. MitM attacks are an easy way for hackers to steal or harvest data while it is ‘in transit’ from the app to the server. Mobile users often use mobile apps to send confidential information and/or secrets to others using the same app. Using MitM attacks (and other forms of network or session hijacking), a malicious attacker can gain access to mobile data in transit (such as usernames, passwords, secrets, etc.).
This Knowledge Base article explains how to use Appdome to implement a layered, multi-pronged defense against MitM and other types of attacks that target mobile data in transit. Appdome’s Trusted Session protects data while it travels.
Prevent MiTM Attacks and other forms of Session Hijacking without changing your code
Appdome is a mobile integration platform as a service (iPaaS) that enables anybody to add a wide variety of features, SDKs, and APIs to Android and iOS applications. Using a simple ‘click to add’ user interface, Appdome enables anyone to easily implement Trusted Session in any iOS or Android app – instantly, no code or coding required.
Using Appdome, there are no development or coding prerequisites. For example, there is no Appdome SDK, libraries, or plug-ins to implement Trusted Session to enable MitM attack protection. Trusted Session can be added to any iOS or Android app in seconds, with no code or coding.
Overview of Appdome’s Trusted Session
You can implement Appdome Trusted Session for comprehensive MiTM attack prevention. Appdome also protects any app from malicious proxies, modified or untrusted certificates, and stale session renewal. The Trusted Session feature can be found in the Appdome Mobile Security Suite, under the Secure Communication category.
Trusted Session is a proprietary mechanism that Appdome introduces during the initial SSL handshake, to prevent attackers from gaining control over the session before the TLS handshake completes. When the application starts the SSL handshake with the server, Appdome’s Trusted Session technology inspects the traffic for anything that looks suspicious. When a check is triggered, Trusted Session automatically notifies the user of the compromise and drops the connection. The message displayed to the user can be customized.
MiTM Attack Prevention
If the attacker has control over the user’s network, they could try to impersonate the server-side and replace the server certificate with one of their own. In this case, Trusted Session will identify and block the malicious certificate during the SSL Handshake. You can read more about MitM attacks here.
Trusted Certificate Authority (CA) Pinning
If your application connects to a local enterprise server that uses your company-specific CA certificate – the one that usually needs to be installed on the device to authorize the SSL connection – you can upload that certificate under Trusted CA Pinning in the Secure Communication feature. This adds your certificate to the list of known and trusted certificates. When Trusted Session inspects the connection, it validates that your legitimate certificate is being used. You can read more about CA certificates and pinning here. Please note that Appdome Trusted Session pins the CA, not the peer server certificate. When Trusted Session is enabled, the Fused app validates sessions using the trusted root certificates and private certificates that are included during Fusion.
Trust World Wide Public CAs
Mobile devices come with an OEM list of trusted CAs built in, but additional CAs can be installed on the device in malicious ways, leaving the user vulnerable to MitM and phishing attacks. That is why Appdome keeps an up-to-date public list of trusted CAs: when the application creates a Trusted Session with an SSL server, the connection is checked against the updated, secure list that ships with Appdome. This means that a CA installed on the device but not uploaded to the app via the Trusted Certificate Authority (CA) Pinning feature will not be trusted, and the connection will close.
The list is constantly updated with the various worldwide trusted CA authorities (such as Verisign or Go-Daddy).
Trust Listed CAs Only
In case you keep your own list of trusted CA(s) and want the application to validate its SSL certificates only against the specific CA(s) that you uploaded, you can enable the “Trust Listed CAs Only” feature.
Enabling this disables the Trust World Wide Public CAs feature, meaning Appdome no longer validates against the CA list it takes from the latest Ubuntu package and validates certificates only against the CAs uploaded via the Trusted Certificate Authority (CA) Pinning feature.
App Compromise Notification
Malicious Proxy Detection
If the mobile device is configured to use a proxy server that returns a malicious connection (one presenting an untrusted certificate) to the device, Appdome’s technology detects the untrusted certificate and terminates the connection.
Enforce Cipher Suites, TLS Versions, and Certificate Roles
IP Address Visibility
When an application establishes a connection, some fused components might alter the IP addresses that the application sees. By fusing your application with IP Address Visibility you ensure that the IP addresses Appdome reports to your application are the real IP addresses of the destinations. This matters when you audit the IP addresses your application uses.
This allows the built app to access a specified list of hosts and destinations that you’ve listed as trusted.
This specifies a secret that will be included in every URL connection request completed by the app. A backend can also verify this defined secret to identify valid apps.
- Secret Text – This is the unique text you’ve defined for your app to use as a secret text.
- Signature Header – Optionally, an app builder can specify a name for the signature header.
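The article does not show how the secret is carried or checked, so the following Go program is an added example, not Appdome's code: the app side computes an HMAC-SHA256 tag over the request method, path and body using the secret text and sends it in the configured signature header, and the backend side recomputes the tag and compares it in constant time before serving the request. The HMAC construction, the header name X-App-Signature, the secret value and the function names are this example's own assumptions.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// Constructed values for this example; the real secret text and header name
// are whatever the app builder configures.
const (
	secretText      = "example-secret-text"
	signatureHeader = "X-App-Signature"
)

// requestTag is an HMAC-SHA256 tag over the method, path and body, so a tag
// captured from one request does not verify for another path or body.
func requestTag(secret, method, path string, body []byte) string {
	mac := hmac.New(sha256.New, []byte(secret))
	mac.Write([]byte(method + "\n" + path + "\n"))
	mac.Write(body)
	return hex.EncodeToString(mac.Sum(nil))
}

// signRequest is the app side: attach the tag to an outgoing request.
func signRequest(req *http.Request, secret, header string, body []byte) {
	req.Header.Set(header, requestTag(secret, req.Method, req.URL.Path, body))
}

// verifyRequest is the backend side: recompute the tag and compare in constant time.
func verifyRequest(req *http.Request, secret, header string, body []byte) bool {
	got, err := hex.DecodeString(req.Header.Get(header))
	if err != nil {
		return false
	}
	want, _ := hex.DecodeString(requestTag(secret, req.Method, req.URL.Path, body))
	return hmac.Equal(got, want)
}

// protect wraps a backend handler and rejects requests whose header does not verify.
func protect(secret, header string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		body, err := io.ReadAll(r.Body)
		if err != nil || !verifyRequest(r, secret, header, body) {
			http.Error(w, "request signature missing or invalid", http.StatusForbidden)
			return
		}
		r.Body = io.NopCloser(bytes.NewReader(body)) // hand the body on unchanged
		next.ServeHTTP(w, r)
	})
}

// roundTrip sends one request through protect and returns the status code.
func roundTrip(method, path string, body []byte, sign bool) int {
	srv := protect(secretText, signatureHeader, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		io.WriteString(w, "ok")
	}))
	req := httptest.NewRequest(method, path, bytes.NewReader(body))
	if sign {
		signRequest(req, secretText, signatureHeader, body)
	}
	rec := httptest.NewRecorder()
	srv.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	body := []byte(`{"user":"alice"}`) // constructed sample request body
	fmt.Println("signed request:", roundTrip("POST", "/login", body, true))
	fmt.Println("unsigned request:", roundTrip("POST", "/login", body, false))
}
```

A secret shipped inside an app binary identifies the app build rather than the user, so the backend should treat a valid tag as one signal among others and still authenticate the user separately.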
Prerequisites for using Trusted Session
- Appdome account – IDEAL or higher.
- Appdome-DEV access
- Mobile application (.ipa for iOS, or .apk or .aab for Android)
- Signing credentials (e.g., signing certificates and provisioning profile)
- Private CAs
How to Add Trusted Session to Any Mobile App using Appdome
Follow these step-by-step instructions to protect mobile applications from Man-in-the-Middle and session hijacking attacks:
Upload a Mobile Application to Your Account
From the “Build” tab, go to the Security menu
- Click Secure Communications to expand the bundle.
- Click on the toggle to enable Trusted Session.
- (optional) Fill out the custom message that is displayed in case of a security event.
- MiTM Prevention will be automatically enabled on your app
- Malicious Proxy Detection will be automatically enabled on your app
- Prohibit Stale Sessions option will be automatically enabled on your app
- Trust World Wide Public CAs option will be automatically enabled on your app
- (optional) Enable FIPS 140-2 Cryptographic Modules.
- (optional) Enable SecureAPI™ to add the SecureAPI™ Scheme which will verify your private server certificates
- Expand the sub-bundle Session Control.
- (optional) Click on the toggle to Enforce Cipher Suites to limit the encryption ciphers that should be allowed for communication.
- (optional) Click on the toggle to Enforce TLS Version to limit allowed connections to newer, more secure TLS versions.
- (optional) Click on the toggle to Enforce Certificate Roles to verify the ‘basicConstraints’ extension in the certificate chain of connections.
- (optional) Click on the toggle to Enforce Strong RSA Signature to require leaf and intermediate certificates received from the server to be signed with a Rivest-Shamir-Adleman (RSA) key with a length of at least 2048 bits.
- (optional) Click on the toggle to Enforce Strong ECC Signature to require leaf and intermediate certificates received from the server to be signed with an Elliptic-Curve Cryptography (ECC) key with a size of at least 256 bits.
- (optional) Click on the toggle to Enforce SHA256 Digest to require server certificate signatures to use SHA-256 or a stronger hashing algorithm.
- (optional) Use IP Address Visibility to ensure that all IP addresses that the application uses to make connections are the real IP addresses of the destination (as explained above).
- (optional) Use Permit DNS over TCP to allow DNS requests over TCP (rather than UDP) to pass undisrupted.
- (optional) Click on the toggle to enable Static CA Pinning.
- (optional) Click on the toggle to add a URL whitelist to your app
- (optional) Click on the toggle to enable DEV-Events on your app
- Click Build My App
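The checks behind the Trusted CA Pinning and Trust Listed CAs Only sections above and the Session Control toggles in these steps can be illustrated in code. The following Go program is an added example written for this article, not Appdome's implementation (which is proprietary and not shown): it builds a client TLS configuration that trusts only a listed CA pool, requires TLS 1.2 or newer with a restricted cipher-suite list, and installs a VerifyPeerCertificate hook that applies the Certificate Roles (basicConstraints), Strong RSA/ECC Signature and SHA256 Digest rules to the chain the standard library has already verified. The certificates are constructed in-process for the demonstration; the function names, the choice of cipher suites and the decision to apply the key-size rules to the issuer key of each leaf and intermediate are this example's own assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issuerKeyBits returns an issuer key's size and the minimum the Strong RSA
// (2048) / Strong ECC (256) Signature toggles demand; other key types never pass.
func issuerKeyBits(pub interface{}) (bits, need int) {
	switch k := pub.(type) {
	case *rsa.PublicKey:
		return k.N.BitLen(), 2048
	case *ecdsa.PublicKey:
		return k.Curve.Params().BitSize, 256
	}
	return 0, 1
}

// strongDigest lists what Enforce SHA256 Digest accepts: SHA-256 or stronger.
var strongDigest = map[x509.SignatureAlgorithm]bool{
	x509.SHA256WithRSA: true, x509.SHA384WithRSA: true, x509.SHA512WithRSA: true,
	x509.SHA256WithRSAPSS: true, x509.SHA384WithRSAPSS: true, x509.SHA512WithRSAPSS: true,
	x509.ECDSAWithSHA256: true, x509.ECDSAWithSHA384: true, x509.ECDSAWithSHA512: true,
}

// checkCertPolicy applies the Certificate Roles, key-strength and digest checks to
// one verified chain (leaf first, root last). The root's self-signature was not
// issued by the server, so the signature checks stop before it.
func checkCertPolicy(chain []*x509.Certificate) error {
	if len(chain) == 0 {
		return fmt.Errorf("empty certificate chain")
	}
	for i, c := range chain {
		wantCA := i > 0 // basicConstraints: the leaf is never a CA, every issuer is
		if c.IsCA != wantCA || (wantCA && !c.BasicConstraintsValid) {
			return fmt.Errorf("%q at depth %d violates Certificate Roles (CA=%v)", c.Subject.CommonName, i, c.IsCA)
		}
		if i == len(chain)-1 {
			break
		}
		if bits, need := issuerKeyBits(chain[i+1].PublicKey); bits < need {
			return fmt.Errorf("%q is signed by a %d-bit key, policy needs %d", c.Subject.CommonName, bits, need)
		}
		if !strongDigest[c.SignatureAlgorithm] {
			return fmt.Errorf("%q is signed with weak digest %v", c.Subject.CommonName, c.SignatureAlgorithm)
		}
	}
	return nil
}

// newClientTLSConfig trusts only the listed CAs (Trust Listed CAs Only), requires
// TLS 1.2+, restricts the TLS 1.2 cipher suites (Go picks TLS 1.3 suites itself)
// and runs checkCertPolicy on the chain Go has already verified against RootCAs.
func newClientTLSConfig(listedCAs *x509.CertPool, serverName string) *tls.Config {
	return &tls.Config{
		RootCAs:    listedCAs,
		ServerName: serverName,
		MinVersion: tls.VersionTLS12,
		CipherSuites: []uint16{tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
		VerifyPeerCertificate: func(_ [][]byte, chains [][]*x509.Certificate) error {
			return checkCertPolicy(chains[0]) // never empty: standard verification already passed
		},
	}
}

// issue creates a constructed test certificate for pub, signed by parentKey
// (self-signed when parent is nil). Test material only, not a real CA.
func issue(cn string, isCA bool, pub, parentKey interface{}, parent *x509.Certificate) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER just produced by CreateCertificate always parses
	return cert
}

// demoChain returns [leaf, CA] with an ECDSA CA on caCurve: P-224 trips the
// Strong ECC check, leafIsCA trips the Certificate Roles check.
func demoChain(caCurve elliptic.Curve, leafIsCA bool) []*x509.Certificate {
	caKey, _ := ecdsa.GenerateKey(caCurve, rand.Reader)
	ca := issue("Example Private CA", true, &caKey.PublicKey, caKey, nil)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return []*x509.Certificate{issue("api.example.test", leafIsCA, &leafKey.PublicKey, caKey, ca), ca}
}

func main() {
	fmt.Println("P-256 CA, proper leaf:", checkCertPolicy(demoChain(elliptic.P256(), false)))
	fmt.Println("P-224 CA, proper leaf:", checkCertPolicy(demoChain(elliptic.P224(), false)))
	fmt.Println("P-256 CA, leaf marked CA:", checkCertPolicy(demoChain(elliptic.P256(), true)))
}
```

To use the configuration against a real server, load the uploaded private CA into the pool with x509.NewCertPool and AppendCertsFromPEM and pass the config to tls.Dial or an http.Transport. A chain issued by a CA the device trusts but that is absent from the pool fails standard verification before the hook runs, which is the behaviour the Trust Listed CAs Only section describes; the hook then adds the role, key-size and digest rules on top.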
The technology behind Build My App has two major elements: (1) a micro-service architecture filled with thousands of code sets needed for mobile integrations, and (2) an adaptive code generation engine that recognizes the development environment, frameworks and methods in each app and matches the application to the relevant code sets needed to add the requested service to the mobile application in seconds.
Congratulations! When your integration is complete, you will see the notice below. You now have a mobile app fully integrated with Trusted Session.
What to do After I Build My App?
After you have added Secure Communication to any mobile application on Appdome, there are a few additional steps needed to complete your mobile integration project.
Please view the article here on How to Complete My Mobile Integration Project After I Build My App.
That is it – your applications now have the most comprehensive MitM attack protection.
How Do I Learn More?
If you have any questions, please send them our way at firstname.lastname@example.org or via the chat window on the Appdome platform.