MitM Attack Protection using Appdome Trusted Session Inspection

Man-in-the-Middle (MitM) attacks occur when an attacker intercepts, relays or alters the communication between two parties who believe they are communicating directly with each other. A MitM position is an easy way for an attacker to steal or harvest data while it is in transit between the app and its server. Mobile users routinely use mobile applications to send confidential information and secrets to other users of the same app. With a MitM attack (or another network or session-hijacking technique), an attacker can read or tamper with mobile data in transit, such as usernames, passwords and other secrets.

This Knowledge Base article explains how to use Appdome to implement a layered, multi-pronged defense against MitM and other types of attacks against data while it travels. With Appdome’s Trusted Session, all mobile data ‘in transit’ is protected.

MitM Attack Protection and Session Hijacking Attack Protection Quickly and Easily 

Appdome is a mobile integration platform as a service (iPaaS) that enables anybody to add a wide variety of features, SDKs and APIs to Android and iOS applications. Using a simple ‘click to add’ user interface, Appdome lets anyone implement Trusted Session in any mobile application instantly, with no code or coding required.

There are no development or coding prerequisites for using Appdome: there is no Appdome SDK, library or plug-in to integrate in order to enable Trusted Session and its MitM attack protection. Trusted Session can be added to any iOS or Android app in seconds, with no code or coding.

Overview of Appdome’s Trusted Session

You can implement Appdome Trusted Session to protect any app against malicious proxies, MitM attacks, modified or untrusted certificates, and stale sessions. Trusted Session is found in the Appdome Mobile Security Suite, under the Secure Communication category.

Trusted Session is a proprietary mechanism that Appdome applies to every TLS (SSL) connection the app makes. When the application starts the TLS handshake with the server, Trusted Session inspects the handshake for anything suspicious, such as a server certificate that does not chain to a trusted CA. When triggered, Trusted Session notifies the user of the compromise and drops the connection before any application data is sent. The message displayed to the user can be customized.

Man-in-the-Middle or MitM Attack Protection

If an attacker controls the user’s network (a rogue Wi-Fi access point, for example), the attacker can impersonate the server and present a certificate of their own in place of the real server certificate. Trusted Session identifies the malicious certificate during the TLS handshake and blocks the connection. You can read more about MitM attacks here.

Trusted Certificate Authority (CA) Pinning

If your application connects to an enterprise server whose certificate is issued by your company’s own CA (one that would normally have to be installed on the device before the TLS connection is accepted), you can upload that CA certificate under Trusted CA Pinning in the Secure Communication feature. This adds your CA to the list of certificates the app trusts, and when Trusted Session inspects a connection it verifies that the server’s certificate chains to it. You can read more about CA certificates and pinning here. Please note that Appdome Trusted Session pins the CA, not the peer (leaf) server certificate: server certificates issued by that CA can be renewed without rebuilding the app, but any certificate that CA issues will be accepted, so the pin is only as strong as the protection of the CA’s signing key. When Trusted Session is enabled, the Fused app validates sessions against the trusted root certificates and the private CA certificates included during Fusion.

Trust World Wide Public CAs

Mobile devices ship with an OEM list of trusted CAs built in, but additional CAs can be installed on a device in malicious ways (through a user-installed configuration profile or malware, for example), which exposes the user to MitM and phishing attacks. Appdome therefore ships its own up-to-date list of public trusted CAs inside the app: when the application creates a Trusted Session with a TLS server, the server’s certificate is checked against this list rather than against the device store. A CA that was installed on the device but not uploaded to the app via the Trusted Certificate Authority (CA) Pinning feature is not trusted, and the connection is closed.

The list is constantly updated with the various worldwide trusted CA authorities (such as Verisign or Go-Daddy).

Trust Listed CAs Only

In case you keep your own list of trusted CA(s) and want the application to validate its SSL certificates only against the specific CA(s) that you uploaded, you can enable the “Trust Listed CAs Only” feature.

Enabling this removes the Trust World Wide Public CAs behavior: Appdome no longer validates server certificates against the public CA list it takes from the latest Ubuntu package, and validates only against the CAs uploaded via the Trusted Certificate Authority (CA) Pinning feature. Use it only when every host the app talks to presents a certificate issued by one of your uploaded CAs; a connection to a host with a publicly issued certificate will otherwise be closed as untrusted.

App Compromise Notification

An App Compromise Notification is a configurable message displayed to the user whenever Appdome detects the application may be compromised. You can customize these messages to display any text you wish the user to see before the application exits.

Malicious Proxy Detection

If the mobile device is configured to use a proxy server that terminates the TLS connection and presents its own certificate back to the device (the way interception proxies and many traffic-debugging tools operate), Appdome detects the untrusted certificate and terminates the connection.

Enforce Cipher Suites, TLS Versions, and Certificate Roles

Appdome lets you harden data-in-transit encryption by limiting the allowed cipher suites to a pre-defined list, enforcing a minimum TLS version, and enforcing Certificate Roles (checking the basicConstraints extension, which marks which certificates in the chain may act as a CA).

IP Address Visibility

When an application establishes a connection, some fused components may alter the IP addresses the application sees. Fusing your application with IP Address Visibility ensures that the IP addresses Appdome reports to your application are the real IP addresses of the destinations, which matters when you audit the IP addresses your application connects to.

DEV-Events™

When a security event occurs and DEV-Events™ is disabled (“off”), Trusted Session shows the user the App Compromise Notification and exits the application. When DEV-Events™ is enabled (“on”), Trusted Session instead sends an event to your application with detailed information about the security event, and the application does not exit; the developer must design the in-app workflow that handles the event and achieves the desired outcome. Read Configuring Appdome Security Alerts for configuration details and more information. In both modes the unauthenticated TLS connection never reaches the server and no user data is revealed.

URL Whitelisting

This allows the built app to access a specified list of hosts and destinations that you’ve listed as trusted.

Shared Secret

This specifies a secret that is included in every URL connection request the app makes. The backend can verify the secret to distinguish requests from genuine builds of the app. Because the secret ships inside the app, anyone who reverse-engineers the app can recover it, so treat it as an app-identification signal that complements the TLS checks above rather than as a user authentication credential.

  • Secret Text – This is the unique text you’ve defined for your app to use as a secret text.
  • Signature Header – Optionally an app builder can specify a name for the signature header.
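As an added illustration that is not part of this article and not Appdome’s implementation (the page does not say how Appdome derives the header value), the following Go program shows the shape a signature header and its backend check can take: the app computes an HMAC-SHA256 over the request method, path and body under the Secret Text and sends it in the Signature Header; the backend recomputes the value over what actually arrived and compares in constant time. The header name X-App-Signature, the secret and the request bodies are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// Assumed names, not taken from the article: signatureHeader stands for whatever the
// builder types into "Signature Header"; sharedSecret for the "Secret Text".
const (
	signatureHeader = "X-App-Signature"
	sharedSecret    = "constructed-example-secret" // constructed; in a real app it ships inside the binary
)

// sign is the app side: an HMAC-SHA256 over method, path and body under the secret.
// (HMAC is an assumption here; it is the usual choice because the secret itself never
// goes on the wire, only a keyed digest of the request does.)
func sign(secret []byte, method, path string, body []byte) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(method + "\n" + path + "\n"))
	mac.Write(body)
	return hex.EncodeToString(mac.Sum(nil))
}

// requireSignature is the backend side: it recomputes the MAC over the request as received
// and compares in constant time, so a missing header, a wrong secret or a body altered after
// signing all get 401 before the real handler runs.
func requireSignature(secret []byte, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		body, err := io.ReadAll(http.MaxBytesReader(w, r.Body, 1<<20))
		if err != nil {
			http.Error(w, "bad body", http.StatusBadRequest)
			return
		}
		want := sign(secret, r.Method, r.URL.Path, body)
		if got := r.Header.Get(signatureHeader); !hmac.Equal([]byte(want), []byte(got)) {
			http.Error(w, "unrecognized client", http.StatusUnauthorized)
			return
		}
		r.Body = io.NopCloser(bytes.NewReader(body)) // hand the consumed body on to the real handler
		next.ServeHTTP(w, r)
	})
}

// call sends one request (with the given header value, or none when empty) through h
// using httptest and returns the status code, so the outcomes can be checked offline.
func call(h http.Handler, method, path string, body []byte, signature string) int {
	req := httptest.NewRequest(method, path, bytes.NewReader(body))
	if signature != "" {
		req.Header.Set(signatureHeader, signature)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	secret := []byte(sharedSecret)
	api := requireSignature(secret, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "ok")
	}))
	body := []byte(`{"to":"bob","amount":10}`) // constructed request body
	good := sign(secret, "POST", "/transfer", body)
	fmt.Println("genuine app   :", call(api, "POST", "/transfer", body, good))                                          // 200
	fmt.Println("no header     :", call(api, "POST", "/transfer", body, ""))                                            // 401
	fmt.Println("guessed secret:", call(api, "POST", "/transfer", body, sign([]byte("guess"), "POST", "/transfer", body))) // 401
	fmt.Println("tampered body :", call(api, "POST", "/transfer", []byte(`{"to":"bob","amount":9999}`), good))          // 401
}
```

Run as is, the program reports 200 for the genuine request and 401 for a missing header, a guessed secret and a tampered body. Two limits are worth keeping in mind: the scheme carries no timestamp or nonce, so a captured signed request can be replayed verbatim, and the secret lives in the app binary, so it identifies a build of the app rather than a user.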

Prerequisites for using Trusted Session

How to Add Trusted Session to Any Mobile Application on Appdome 

Follow these step-by-step instructions to protect mobile applications from Man-in-the-Middle and session hijacking attacks:

Upload a Mobile Application to Your Account

Please follow these steps to add a mobile application to your Appdome account.
If you don’t have an Appdome account, click here to create an account.

From the “Build” tab, go to the Security menu

  1. Click Secure Communication to expand the bundle.
  2. Click on the toggle to enable Trusted Session.
  3. (optional) Fill out the custom message that is displayed in case of a security event.
  4. MitM Prevention will be enabled on your app automatically.
  5. Malicious Proxy Detection will be enabled on your app automatically.
  6. The Prohibit Stale Sessions option will be enabled on your app automatically.
  7. The Trust World Wide Public CAs option will be enabled on your app automatically.
  8. (optional) Enable FIPS 140-2 Cryptographic Modules.
  9. (optional) Enable SecureAPI™ to add the SecureAPI™ Scheme, which verifies your private server certificates.
  10. Expand the sub-bundle Session Control.
    1. (optional) Click on the toggle to Enforce Cipher Suites to limit the encryption ciphers that should be allowed for communication.
    2. (optional) Click on the toggle to Enforce TLS Version to limit allowed connections to newer more secure communication methods.
    3. (optional) Click on the toggle to Enforce Certificate Roles to verify ‘basicConstraints’ extension in the certificate chain of connections.
    4. (optional) Click on the toggle to Enforce Strong RSA Signature to require that leaf and intermediate certificates received from the server are signed with a Rivest-Shamir-Adleman (RSA) key of at least 2048 bits.
    5. (optional) Click on the toggle to Enforce Strong ECC Signature to require that leaf and intermediate certificates received from the server are signed with an Elliptic-Curve Cryptography (ECC) key of at least 256 bits.
    6. (optional) Click on the toggle to Enforce SHA256 Digest to require that server certificate signatures use at least SHA-256 as the hashing algorithm.
    7. (optional) Use IP Address Visibility to ensure that all IP addresses that the application uses to make connections are the real IP addresses of the destination (as explained above).
    8. (optional) Use Permit DNS over TCP to allow DNS requests over TCP (rather than UDP) to pass undisrupted.
    9. (optional) Click on the toggle to enable Static CA Pinning.
  11. (optional) Click on the toggle to add URL whitelist to your app
  12. (optional) Click on the toggle to enable DEV-Events on your app
  13. Click Build My App
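The sections above (MitM Attack Protection, Trusted CA Pinning, Trust Listed CAs Only, Malicious Proxy Detection) and the Session Control steps describe what the Fused app’s TLS stack has to enforce. Because Appdome adds this without any code, the following Go program is an added example written for this article, not Appdome code and not a description of how Appdome implements Trusted Session: it uses Go’s standard TLS library as a stand-in to build a client that trusts only one pinned CA, requires TLS 1.2 or newer, restricts the TLS 1.2 cipher-suite list and checks key sizes on the presented chain, then runs it against a server issued by the pinned CA, a server issued by an attacker’s CA (a TLS-terminating proxy) and a TLS 1.1-only server. The CA names, the hostname api.example.com and the loopback servers are constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const host = "api.example.com" // made-up hostname; this file is an added example, not Appdome code

// issue generates a key on curve and signs tmpl with parent/parentKey (self-signed when parent is nil).
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, curve elliptic.Curve) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(curve, rand.Reader)
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// newCA returns a self-signed root with basicConstraints CA:TRUE, the "Certificate Role" an issuer must carry.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	return issue(&x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}, nil, nil, elliptic.P256())
}

// serverFor returns a server config presenting a leaf certificate for host issued by ca.
func serverFor(ca *x509.Certificate, caKey *ecdsa.PrivateKey) *tls.Config {
	leaf, key := issue(&x509.Certificate{SerialNumber: big.NewInt(2), DNSNames: []string{host}}, ca, caKey, elliptic.P256())
	return &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{leaf.Raw}, PrivateKey: key}}}
}

// checkKeyStrength plays "Enforce Strong ECC Signature": every certificate the server presents
// must carry an EC key of at least 256 bits (the RSA rule would test N.BitLen() < 2048 the same
// way). Go's chain verification already rejects SHA-1 and MD5 signatures ("Enforce SHA256 Digest").
func checkKeyStrength(rawCerts [][]byte, _ [][]*x509.Certificate) error {
	for _, raw := range rawCerts {
		c, err := x509.ParseCertificate(raw)
		if err != nil {
			return err
		}
		if pub, ok := c.PublicKey.(*ecdsa.PublicKey); ok && pub.Curve.Params().BitSize < 256 {
			return fmt.Errorf("EC key of only %d bits on %v", pub.Curve.Params().BitSize, c.Subject)
		}
	}
	return nil
}

// trustedSessionConfig is the client: it trusts ONLY the pinned CA ("Trust Listed CAs Only"; a CA
// side-loaded into the device store is ignored), requires TLS 1.2+, and limits the TLS 1.2 cipher
// suites (TLS 1.3 suites are fixed in Go). "Trust World Wide Public CAs" would start from x509.SystemCertPool().
func trustedSessionConfig(pinnedCA *x509.Certificate) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(pinnedCA)
	return &tls.Config{ServerName: host, RootCAs: pool, MinVersion: tls.VersionTLS12,
		CipherSuites:          []uint16{tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384},
		VerifyPeerCertificate: checkKeyStrength}
}

// handshake runs one handshake over loopback TCP and returns the client's verdict.
func handshake(serverCfg, clientCfg *tls.Config) error {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", serverCfg)
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() { // server side: accept one client, complete its handshake, hang up
		if c, err := ln.Accept(); err == nil {
			c.(*tls.Conn).Handshake()
			c.Close()
		}
	}()
	c, err := tls.Dial("tcp", ln.Addr().String(), clientCfg)
	if err != nil {
		return err // wrong CA, old protocol version or weak key: no application data was sent
	}
	return c.Close()
}

func main() {
	corpCA, corpKey := newCA("Corp Root CA")   // the CA uploaded via Trusted CA Pinning
	proxyCA, proxyKey := newCA("Intercept CA") // a CA an attacker side-loaded onto the device
	client := trustedSessionConfig(corpCA)
	fmt.Println("pinned CA   :", handshake(serverFor(corpCA, corpKey), client))   // <nil>
	fmt.Println("proxy CA    :", handshake(serverFor(proxyCA, proxyKey), client)) // certificate signed by unknown authority
	old := serverFor(corpCA, corpKey)
	old.MinVersion, old.MaxVersion = tls.VersionTLS10, tls.VersionTLS11
	fmt.Println("TLS 1.1 only:", handshake(old, client)) // protocol version not supported
	weak, _ := issue(&x509.Certificate{SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: "weak"}}, nil, nil, elliptic.P224())
	fmt.Println("P-224 leaf  :", checkKeyStrength([][]byte{weak.Raw}, nil)) // EC key of only 224 bits
}
```

Running it gives a nil error for the server issued by the pinned CA and an error for the other two handshakes; the P-224 certificate is rejected by the key-strength check on its own. The pool deliberately excludes the device’s own trust store, which is what makes the side-loaded Intercept CA irrelevant; the flip side, as noted under Trusted CA Pinning, is that every leaf the pinned CA ever issues is accepted.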

The technology behind Build My App has two major elements – (1) a micro-service architecture filled with 1000s of code sets needed for mobile integrations, and (2) an adaptive code generation engine that can recognize the development environment, frameworks and methods in each app and match the application to the relevant code-sets needed to add the requested service to the mobile application in seconds.

Congratulations! When your integration is complete, you will see the notice below. You now have a mobile app fully integrated with Trusted Session.

What to do After I Build My App?

After you have added Secure Communication to any mobile application on Appdome, there are a few additional steps needed to complete your mobile integration project.

That is it – Your applications now have the most comprehensive MitM attack protection.

How Do I Learn More?

You might want to check-out additional ways in which you can further secure your application’s communication like enforcing the TLS version, cipher suites, and certificate roles.

To zoom out on this topic, visit Appdome for Mobile App Security on our website or request a demo at any time.

If you have any questions, please send them our way at support@appdome.com or via the chat window on the Appdome platform.

Thank you!

Thanks for visiting Appdome! Our mission is to make mobile integration easy. We hope we’re living up to the mission with your project. If you don’t already have an account, you can sign up for free.

Dany Zatuchna
