How to Use Trusted Domains with Android/iOS MiTM Prevention
This Knowledge Base article explains how to add a list of trusted domains to your mobile app using Appdome’s MiTM Prevention feature.
What are Trusted Domains?
Trusted domains refer to a list of internet domains that an app has been specifically configured to recognize as legitimate and safe for communication. This list is used to safeguard apps against Man-in-the-Middle (MiTM) attacks, where an attacker intercepts and possibly alters the communication between the app and its intended server. By defining trusted domains, the app can ensure that its network communications are only made with known, reliable servers.
Why Implement Trusted Domains?
- Enhanced Security: Using trusted domains minimizes the risk of MiTM attacks by restricting network communications to pre-defined, secured domains. This prevents attackers from tricking the app into sending sensitive data to a malicious server.
- Data Integrity: By ensuring that all communications are directed only towards trusted servers, the integrity of the data exchanged between the app and the server is maintained, preventing data tampering.
- Compliance and Reliability: For organizations with regulatory requirements to protect user data, trusted domains help meet compliance standards by securing communication channels. Additionally, trusted domains improve overall reliability by reducing the risk in the app's network interactions.
Prerequisites for Adding Trusted Domains to Android MiTM Prevention on Appdome
To use Appdome’s Trusted Domains feature, ensure that you have the following:
- Appdome account (create a free Appdome account here)
- A license for Android MiTM Prevention
- Mobile App (.apk or .aab for Android)
- Signing Credentials (see Signing Secure Android apps and Signing Secure iOS apps)
How to Implement Trusted Domains in Android Apps Using Appdome
Note: This example uses an Android app. You can also apply the MiTM Prevention feature to iOS apps using the .ipa format.
1. Designate the mobile app to be protected.
1.1 Upload a mobile app via the Appdome Mobile Defense platform GUI or via Appdome’s DEV-API or CI/CD Plugins.
1.2 Android Formats: .apk or .aab / iOS Formats: .ipa
1.3 Android MiTM Prevention is compatible with Java, JS, C++, C#, Kotlin, Flutter, React Native, Unity, Xamarin, Cordova, and other Android/iOS apps.
2. Select the defense: Android MiTM Prevention
2.1 Create and name the Fusion Set (security template) that will contain the Android MiTM Prevention feature as shown below:
Figure 1: Fusion Set that will contain the Android MiTM Prevention feature
Note: Naming the Fusion Set to correspond to the protection(s) selected is for illustration purposes only (not required).
2.1.1 When you select Android MiTM Prevention, you’ll notice that the Fusion Set you created in step 2.1 now bears the icon of the protection category that contains Android MiTM Prevention.
Figure 2: Fusion Set that displays the newly added Android MiTM Prevention protection.
Note: Annotating the Fusion Set to identify the protection(s) selected is optional (not mandatory).
2.1.2 Open the Fusion Set Detail Summary by clicking the “…” symbol on the far-right corner of the Fusion Set. Copy the Fusion Set ID from the Fusion Set Detail Summary (as shown below):
2.1.3 Follow the instructions below to use the Fusion Set ID inside any standard mobile DevOps or CI/CD toolkit like Bitrise, Jenkins, Travis, Team City, Circle CI, or other systems:
2.1.3.1 Refer to the Appdome API Reference Guide for API building instructions.
2.1.3.2 Check Appdome’s GitHub Repository for sample APIs.
2.2 Add the Android MiTM Prevention to the security template
2.2.1 Navigate to Build > Security tab > Secure Communication section in the Appdome Console.
2.2.2 Toggle on Android MiTM Prevention.
2.2.3 Click + Add Trusted Domain and provide a list of trusted domains using standard wildcard patterns for MiTM Prevention.
Figure 3: Selecting Android MiTM Prevention and adding a list of trusted domains
Note: The Appdome platform displays the Mobile Operating System supported by each defense in real-time. For more details, see our OS Support Policy KB.
3. Initiate the build command either by clicking Build My App or via your CI/CD.
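To make the allowlist semantics of step 2.2.3 concrete, the following is an added illustration and not Appdome's code; this page does not document Appdome's exact wildcard rules, so the example assumes label-by-label matching in which a `*` label matches exactly one hostname label (the convention used for TLS certificate wildcards), and the allowlist entries are constructed sample values.

```python
"""Evaluate a trusted-domain allowlist with wildcard patterns.

Added illustration (not Appdome's code). Assumed semantics: patterns are
compared label by label, case-insensitively, and a '*' label matches
exactly one hostname label, so '*.cdn.example.com' covers
'img.cdn.example.com' but neither 'cdn.example.com' nor 'a.b.cdn.example.com'.
"""
from __future__ import annotations

from urllib.parse import urlsplit

# Constructed sample allowlist, as an administrator might enter it under
# '+ Add Trusted Domain'. A trailing dot (FQDN form) is tolerated.
TRUSTED_DOMAINS = ["api.example.com", "*.cdn.example.com", "login.example.com."]


def _labels(name: str) -> list[str]:
    # Normalise: lower-case, strip one trailing dot, split on dots.
    return name.lower().rstrip(".").split(".")


def domain_matches(hostname: str, pattern: str) -> bool:
    """True if hostname matches a single allowlist pattern."""
    host, pat = _labels(hostname), _labels(pattern)
    # Requiring equal label counts means a '*' never spans several labels
    # and 'api.example.com.attacker.test' cannot pass as 'api.example.com'
    # (the classic endswith() mistake in hand-rolled allowlists).
    if len(host) != len(pat):
        return False
    return all(p == "*" or p == h for h, p in zip(host, pat))


def is_trusted(hostname: str, allowlist=TRUSTED_DOMAINS) -> bool:
    """True if any allowlist entry matches the hostname."""
    return any(domain_matches(hostname, p) for p in allowlist)


def check_url(url: str, allowlist=TRUSTED_DOMAINS) -> tuple[str, bool]:
    """Return (hostname, trusted) for a URL the app is about to call.

    urlsplit().hostname drops the port and any userinfo, so a confusable
    URL such as 'https://api.example.com@attacker.test/' is judged by the
    real host, 'attacker.test'.
    """
    host = urlsplit(url).hostname or ""
    return host, is_trusted(host, allowlist)
```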
Certify the Android MiTM Prevention feature in Android Apps.
After building Android MiTM Prevention, Appdome generates a Certified Secure™ certificate to guarantee that the Android MiTM Prevention with the list of trusted domains has been added and is protecting the app. To verify that the Android MiTM Prevention protection has been added to the mobile app, locate the protection in the Certified Secure™ certificate as shown below:
Related Articles:
How to Prevent Session Hijacking Attacks, Prevent MiTM Attacks in Android & iOS Apps
How Do I Learn More?
If you have any questions, please send them our way at support.appdome.com or via the chat window on the Appdome platform.
Thank you!
Thanks for visiting Appdome! Our mission is to secure every app on the planet by making mobile app security easy. We hope we’re living up to the mission with your project.