How to Defend Against MiTM (Man-in-the-Middle) Attacks in Mobile SDKs

Last updated September 26, 2024 by Appdome

Learn how to safeguard your mobile SDKs from Man-in-the-Middle (MitM) attacks, employing Appdome’s advanced security measures in a data-driven DevSecOps™ build system tailored for mobile SDK environments.

What are MiTM Attacks?

A Man-in-the-Middle (MitM) attack targets communication between two parties, typically a mobile app and its server, or between two users of an app. In the context of mobile SDKs, these attacks can be even more detrimental as they can affect multiple apps that incorporate the compromised SDK. Attackers intercept, eavesdrop, and can alter or inject malicious content into the data stream. Common techniques include:

  • Interception via Malicious Proxies: Unauthorized interception of data sent to and from the SDK.
  • Monitoring: Observing data exchanges to capture sensitive information like keys or operational data.
  • Modification: Altering transmitted data, potentially injecting harmful code.
  • Impersonation: Posing as a legitimate participant in the data exchange to extract data or inject malicious payloads.

Why is MiTM Defense Crucial for Mobile SDKs?

SDKs form the backbone of numerous mobile applications. A single vulnerability can lead to widespread security breaches across all apps utilizing the compromised SDK. Implementing MiTM defense mechanisms in SDKs not only secures the SDK but also enhances the security of all dependent applications.

Appdome’s SDK MiTM Defense ensures that connections initiated by the mobile SDK are secure and immune to interception and manipulation. This feature is vital for preserving the integrity and confidentiality of the data handled by the SDK and for maintaining the trust of the developers and end-users relying on mobile applications.

Implementing SDK MiTM Defense on Appdome

Appdome offers a robust solution to shield your mobile SDKs from MitM attacks. Key components of this feature include:

  • Secure Certificate Pinning: Securely stores the certificate(s) of known trusted servers in the SDK and validates the authenticity of the certificate before the connection is established.
    • Chain Evaluation: Ensures the entire certificate chain is trusted and matches the predefined chain.
    • Public Key Evaluation: Validates that the public key in the server’s certificate matches the pre-loaded key in the SDK.
  • Validate Certificate Chain – Validates the authenticity of the SSL certificate used by the destination server.
  • iOS Only – Block Non-SSL Connections – Detects non-SSL/TLS connections as they are untrusted.
  • iOS Only – Block Connection on Any Threat – Block network connection for specified domains on any threat detection.
  • Root CA Certificate Upload: Developers can upload a trusted root CA certificate to Appdome, which the SDK will use to verify any server certificates during TLS handshakes.

Prerequisites for Using SDK MiTM Defense with Appdome SDKProtect™

Before starting the process of securing your SDK with Appdome, ensure you have the following:

  • Appdome account (create a free Appdome account here)
  • A license for SDK MiTM Defense
  • A valid .aar file or xcframework.zip file- Confirm your SDK is in one of these formats, which are standard for Android and iOS development.

Steps to Enable SDK MiTM Defense via Appdome Console

Note: This example uses a .aar SDK file. You can also apply the SDK MiTM Defense feature to iOS SDKs using the xcframework.zip format.

On Appdome, follow these simple steps to secure Android SDKs:

  1. Upload the Mobile SDK to Appdome.
    • Upload Method: Appdome Console or DEV-API
    • Android Formats: .aar
    • iOS Formats: xcframework.zip file
  2. Create and name the Fusion Set (security template) that will contain the SDK MiTM Defense feature as shown below:
    Fusion Set Sdk Mitm Defense
  3. When you enable SDK Threat-Shielding, the Fusion Set you created now bears the icon of the protection category that contains Encrypt SDK Preferences.
    Saved Fusion Set Sdk Mitm Defense
  4. To copy the Fusion Set ID, open the Fusion Set Detail Summary by clicking the “…” symbol at the far right corner of the Fusion Set.
    Copy Fs Id
  5. Toggle on the SDK MiTM Defense feature.
    • Where: Inside the Appdome Console, go to Build SDKProtect™SDK Threat-Shielding section.
    • How: Toggle on the SDK Threat-Shielding feature.
    • Toggle on SDK MiTM Defense
  6. Specify one or more hostnames using standard wildcards to define the SDK domain you would like to protect.
  7. Select a Pinning Scheme, either Chain Evaluation or Public Key Evaluation
  8. Upload Root CA Public Certificate or a certificate chain or a Server Pinned certificate as a file or a zip (.cer, .crt, .pem, .der, .zip).
     

    ANDROID 
    Android Sdk Mitm DefenseiOS
    Ios Sdk Mitm Defense

  9. Turn on Threat Events for SDK MiTM Defense

    • Threat-Events™ ON > In-App Detection
      When this setting is used, Appdome detects if the application is capable of modifying its binary at runtime to avoid detection and passes Appdome’s Threat-Event™ attack intelligence to the app’s business logic for processing, enforcement, and user notification. For more information on consuming and using Appdome Threat-Events™ in the app, see the section Using Threat-Events™ for SDK MiTM Defense in Mobile Apps.

    • Threat-Events™ ON > Enforce Connection Only
      When Appdome detects a security event, it passes the event from the Appdome layer to the app and blocks the connection that triggered the event. By design, when the mobile application registers to receive Appdome Threat Events, Appdome will send an initial event. If Appdome detects a security event during the app launch/run, the initial event will hold the triggered security event details. If no security event is triggered, the initial event will only indicate a successful registration to Appdome Threat-Events (the event fields will hold no data).

  10. For more details on how to implement Threat events for Android and iOS SDKs, see:
    How to use SDK Input Threat Events for iOS XCFrameworksHow to Implement Threat Event Handling in Android SDKs
  11. Click Build My SDK

Building SDK MiTM Defense using Appdome’s DEV-API:

  1. Upload the Mobile SDK to Appdome.
    • Upload Method: DEV-API
  2. Android Formats: .aar
  3. iOS Formats: xcframework.zip file
  4. Create and name the Fusion Set (security template) that will contain the SDK MiTM Defense feature.
  5. Follow the instructions below to use the Fusion Set ID inside any standard mobile DevOps or CI/CD toolkit like Bitrise, App Center, Jenkins, Travis, Team City, Circle CI, or other systems:

Downloading Your Secured SDK

  1. Go to the ‘Download’ tab on the Appdome platform
  2. Find your recent build and click on ‘Download My Built SDK’.
    This downloaded SDK is now enhanced with robust security features and is ready for integration into your client apps.
    Download My Built Sdk

Certified Secure 

This certificate verifies that Appdome has secured your SDK (com.android.sdk.id) with specific security features, as identified in the certification details. Issued to your secured SDK, this certificate details the implementation of Appdome’s SDK Threat Shielding and SDK Threat Intelligence features that you have chosen to build into your SDK.

Appdome.aarnativelib Certificate Sdk Mitm Defense

Related Articles:

How Do I Learn More?

If you have any questions, please send them our way at support.appdome.com or via the chat window on the Appdome platform.

Thank you!

Thanks for visiting Appdome! Our mission is to secure every app on the planet by making mobile app security easy. We hope we’re living up to the mission with your project.

Appdome

Want a Demo?

SDK Security Integration

TomWe're here to help
We'll get back to you in 24 hours to schedule your demo.