Use AppFusion to include Private Certificate Authority (CA) certificates within mobile apps to validate and enable secure connections between the mobile app and private/internal servers.
Why is this important?
Security-conscious organizations use SSL so their apps can validate the authenticity of servers and encrypt the communication with them. IT administrators can create and sign an SSL certificate with their private CA to control which mobile apps can validate the authenticity of private servers and access them over SSL.
What is needed for SSL to work?
To get started with SSL, administrators submit a certificate signing request (CSR) containing their contact, company, and server information to a CA. The CA validates this information and issues SSL certificates, signed with the CA's private key, that are loaded onto the servers. Any app that has the CA's public cert can then validate the server and establish an encrypted connection between the app and the server. By the way, in case you didn't know this, SSL is also what is used when you make HTTPS connections from your web browser.
IT administrators can choose between public and private CAs. The advantage of using a public CA is that the public certs of trusted root authorities come pre-installed on iOS, Android, and web browsers, so any client can open an SSL connection to any server with a cert from a trusted public CA. The disadvantage is that any client can open an SSL connection to the server. ;) The advantage of using a private CA is that IT administrators control who is given their CA's public cert. Only trusted members of their organization will be able to validate and open SSL connections to their private servers.
Challenges of Private CAs with Mobile Apps
The biggest challenges of using private CAs are distributing the private CA's public cert to mobile apps and telling the mobile apps where to find that cert when they open an SSL connection. If the mobile app does not have the private CA's public certificate loaded, or does not know where to find it, any attempt by the mobile app to open a secure connection to a private server will fail with an error like the one shown here.
Figure 1: Example of an SSL error on a mobile device
Why is this? It’s because the mobile operating system cannot validate the authenticity of the private CA that signed the SSL certificate on the server.
How does Appdome save the day?
Appdome makes it easy for mobile apps to open secure connections to private servers. Organizations use Appdome to integrate advanced security into their apps and to integrate Enterprise Mobility Management (EMM) SDKs. Once an EMM SDK is Fused to an app, the app has access to the EMM feature set, which may include secure VPN access to internal networks and private servers. Even with the infrastructure in place for the app to reach a private server, the app still needs to validate the SSL connection to that server. The Appdome "Private Server Certificates and Authorities" adapter makes this possible! Administrators add their private CA certificates to the app during Fusion, and the app then uses them to validate private servers.
The first task is to obtain the public certificate of the private CA and the SSL certificate loaded on the destination server, both in DER format. These are typically .cer or .crt files (not .pem files, which are Base64-encoded).
Add these to a zip file with a name of your choice, such as Private-Certs-DER.zip, and note its location. This zip file will be uploaded to Appdome in the following steps.
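The preparation step above requires DER-encoded certificates, and a PEM file that is silently included by mistake is the kind of thing that only shows up later as a failed SSL handshake. The following is an added example, not Appdome's code or tooling: it checks each certificate's encoding from its first bytes (a DER X.509 certificate starts with the ASN.1 SEQUENCE tag 0x30, a PEM file with a `-----BEGIN` header), converts any PEM input to DER, and packs the result into the zip that is uploaded later. The certificate bytes and file names are constructed placeholders, not real certificates.

```python
import base64
import io
import re
import zipfile
from typing import Dict

# Matches the Base64 body of a PEM certificate block.
PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)

def detect_format(data: bytes) -> str:
    """Classify certificate bytes as DER, PEM or UNKNOWN from their leading bytes."""
    if data.lstrip().startswith(b"-----BEGIN"):
        return "PEM"
    # A DER-encoded X.509 certificate is an ASN.1 SEQUENCE, whose tag byte is 0x30.
    if data[:1] == b"\x30":
        return "DER"
    return "UNKNOWN"

def pem_to_der(data: bytes) -> bytes:
    """Strip the PEM armour and Base64-decode the first certificate block."""
    match = PEM_BLOCK.search(data)
    if match is None:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode(b"".join(match.group(1).split()))

def to_der(data: bytes) -> bytes:
    """Return DER bytes for DER or PEM input; reject anything else."""
    fmt = detect_format(data)
    if fmt == "DER":
        return data
    if fmt == "PEM":
        der = pem_to_der(data)
        if der[:1] != b"\x30":
            raise ValueError("PEM body did not decode to a DER certificate")
        return der
    raise ValueError("unrecognised certificate encoding")

def build_cert_zip(certs: Dict[str, bytes]) -> bytes:
    """Write every certificate to an in-memory zip as DER (the zip may hold many certs)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in certs.items():
            zf.writestr(name, to_der(data))
    return buf.getvalue()

def zip_entry_formats(zip_bytes: bytes) -> Dict[str, str]:
    """Re-open the zip and report the encoding of each entry, as a final check before upload."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return {name: detect_format(zf.read(name)) for name in zf.namelist()}

# Constructed stand-in for a DER certificate: SEQUENCE tag, two-byte length (300), 300 bytes of body.
# It is NOT a parseable X.509 certificate; only the encoding check matters here.
FAKE_DER = b"\x30\x82\x01\x2c" + bytes(300)
# The same bytes wrapped as a PEM file, which is what a .pem export usually looks like.
FAKE_PEM = (
    b"-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(FAKE_DER)
    + b"-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    # Hypothetical file names; the CA cert arrives as PEM and is converted on the way in.
    archive = build_cert_zip({"private-ca.cer": FAKE_PEM, "server.crt": FAKE_DER})
    print(zip_entry_formats(archive))  # every entry should report DER
```

Running the script with real files means reading each .cer/.crt/.pem into the dictionary and writing `archive` out as Private-Certs-DER.zip; the final `zip_entry_formats` check is the part worth keeping, since it catches a PEM file that slipped through before the zip is uploaded.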
The Private Server Certificates and Authorities adapter requires a currently supported iOS release, and Android 7 at a minimum.
To enable the Private Server Certificates and Authorities adapter:
- Go to Fuse > Management and enable 3rd Party SDK.
- Select the BlackBerry Dynamics SDK and the BlackBerry Provider Plan.
- Optionally modify the GD App ID and GD App Version.
- Expand Advanced Settings.
- Upload the private certs zip file created during preparation.
  Note: The zip file can contain multiple CA and SSL server certs.
- Fuse the App, Sign, then Download.
  Note: The certificates do not need to be added as Trusted Authorities on the EMM, because Appdome includes the certificates in the app during Fusion.
Figure 2: Example showing where to upload the Private CA in the Advanced Settings when enabling the BlackBerry SDK
After Fusion, the app can validate the private server using the private CA certificate.
This lets the app validate and open secure connections to private servers. Wow, that is awesome!