How to Defend Against MiTM (Man-in-the-Middle) Attacks in Mobile SDKs

Learn how to safeguard your mobile SDKs from Man-in-the-Middle (MitM) attacks, employing Appdome’s advanced security measures in a data-driven DevSecOps™ build system tailored for mobile SDK environments.

What are MiTM Attacks?

A Man-in-the-Middle (MitM) attack targets communication between two parties, typically a mobile app and its server, or between two users of an app. In the context of mobile SDKs, these attacks can be even more detrimental as they can affect multiple apps that incorporate the compromised SDK. Attackers intercept, eavesdrop, and can alter or inject malicious content into the data stream. Common techniques include:

• Interception via Malicious Proxies: Unauthorized interception of data sent to and from the SDK.
• Monitoring: Observing data exchanges to capture sensitive information like keys or operational data.
• Modification: Altering transmitted data, potentially injecting harmful code.
• Impersonation: Posing as a legitimate participant in the data exchange to extract data or inject malicious payloads.

Why is MiTM Defense Crucial for Mobile SDKs?

SDKs form the backbone of numerous mobile applications. A single vulnerability can lead to widespread security breaches across all apps utilizing the compromised SDK. Implementing MiTM defense mechanisms in SDKs not only secures the SDK but also enhances the security of all dependent applications.

Appdome’s SDK MiTM Defense ensures that connections initiated by the mobile SDK are secure and immune to interception and manipulation. This feature is vital for preserving the integrity and confidentiality of the data handled by the SDK and for maintaining the trust of the developers and end-users relying on mobile applications.

Implementing SDK MiTM Defense on Appdome

Appdome offers a robust solution to shield your mobile SDKs from MitM attacks. Key components of this feature include:

• Secure Certificate Pinning: Securely stores the certificate(s) of known trusted servers in the SDK and validates the authenticity of the certificate before the connection is established.
  • Chain Evaluation: Ensures the entire certificate chain is trusted and matches the predefined chain.
  • Public Key Evaluation: Validates that the public key in the server’s certificate matches the pre-loaded key in the SDK.
• Root CA Certificate Upload: Developers can upload a trusted root CA certificate to Appdome, which the SDK will use to verify any server certificates during TLS handshakes.

Prerequisites for Using SDK MiTM Defense with Appdome SDKProtect™

Before starting the process of securing your SDK with Appdome, ensure you have the following:

• Appdome account (create a free Appdome account here)
• A license for SDK MiTM Defense
• A valid .aar file or xcframework.zip file- Confirm your SDK is in one of these formats, which are standard for Android and iOS development.

Steps to Enable SDK MiTM Defense via Appdome Console

Note: This example uses a .aar SDK file. You can also apply the SDK MiTM Defense feature to iOS SDKs using the xcframework.zip format.

On Appdome, follow these simple steps to secure Android SDKs:

1. Upload the Mobile SDK to Appdome.
   • Upload Method: Appdome Console or DEV-API
   • Android Formats: .aar
   • iOS Formats: xcframework.zip file
2. Create and name the Fusion Set (security template) that will contain the SDK MiTM Defense feature as shown below:
   
3. When you enable SDK Threat-Shielding, the Fusion Set you created now bears the icon of the protection category that contains Encrypt SDK Preferences.
   
4. To copy the Fusion Set ID, open the Fusion Set Detail Summary by clicking the “…” symbol at the far right corner of the Fusion Set.
   
5. Toggle on the SDK MiTM Defense feature.
   • Where: Inside the Appdome Console, go to Build SDKProtect™ > SDK Threat-Shielding section.
   • How: Toggle on the SDK Threat-Shielding feature.
   • Toggle on SDK MiTM Defense
6. Specify one or more hostnames using standard wildcards to define the SDK domain you would like to protect.
7. Select a Pinning Scheme, either Chain Evaluation or Public Key Evaluation
8. Upload Root CA Public Certificate or a certificate chain or a Server Pinned certificate as a file or a zip (.cer, .crt, .pem, .der, .zip).
   
9. Click Build My SDK

Building SDK MiTM Defense using Appdome’s DEV-API:

1. Upload the Mobile SDK to Appdome.
   • Upload Method: DEV-API
2. Android Formats: .aar
3. iOS Formats: xcframework.zip file
4. Create and name the Fusion Set (security template) that will contain the SDK MiTM Defense feature.
5. Follow the instructions below to use the Fusion Set ID inside any standard mobile DevOps or CI/CD toolkit like Bitrise, App Center, Jenkins, Travis, Team City, Circle CI, or other systems:
   • Look for sample APIs in Appdome’s GitHub Repository
   • Build an API for the SDK – for instructions, see the tasks under Appdome API Reference Guide

Downloading Your Secured SDK

1. Go to the ‘Download’ tab on the Appdome platform
2. Find your recent build and click on ‘Download My Built SDK’.
   This downloaded SDK is now enhanced with robust security features and is ready for integration into your client apps.
   

Certified Secure 

This certificate verifies that Appdome has secured your SDK (com.android.sdk.id) with specific security features, as identified in the certification details. Issued to your secured SDK, this certificate details the implementation of Appdome’s SDK Threat Shielding and SDK Threat Intelligence features that you have chosen to build into your SDK.

Related Articles:

• API for Building an App/SDK
• How to Use Appdome SDKProtect to Secure Mobile SDKs
• Get Your SDK on Appdome

How Do I Learn More?

If you have any questions, please send them our way at support.appdome.com or via the chat window on the Appdome platform.

Thank you!

Thanks for visiting Appdome! Our mission is to secure every app on the planet by making mobile app security easy. We hope we’re living up to the mission with your project.