How Approov Managed Trust Roots and Dynamic Pinning Eliminate Man-in-the-Middle Threats

The Approov approach combines dynamic pinning with runtime app and device integrity checks. MitM tools running on the device are identified and blocked. In addition, pins and certificates, as well as API secrets (keys, tokens), are only delivered to untampered apps on uncompromised devices, thus eliminating the threat of on-device MitM attacks.

Approov does this in two ways: 

  1. Managed trust roots - the Approov SDK will check the certificate chains for all connections to APIs registered with Approov. The check ensures that the public key pin of the root certificate of the chain is among the set of roots registered with Approov. This set is not derived from the certificate trust store on the device (which attackers can manipulate). Instead, it is managed by Approov, which delivers a new set to the SDK whenever there is an update.
  2. Dynamic pinning - the Approov SDK will ensure that certificate chains include a certificate pin that has been registered with Approov for the specific target API of a connection. Instead of including the pins in the app package (and therefore limiting the lifetime of the app package on user devices), pins are stored in the Approov cloud and can be updated at any time. The Approov SDK checks that it has the latest set of pins every time it performs an attestation (every 5 minutes while the app is active). This allows for zero downtime pin updates.

Approov's Dynamic Certificate Pinning and Managed Trust Roots are advanced security features designed to create a robust defense against Man-in-the-Middle (MitM) attacks on mobile applications. They address critical vulnerabilities that traditional TLS/SSL alone cannot fully mitigate.

Approov Dynamic Certificate Pinning

What it is:

Certificate pinning is a security mechanism where a mobile app is pre-configured to only trust specific, predefined digital certificates or their public keys from a server. If the server presents a certificate that does not match these "pinned" values, the connection is immediately rejected. "Dynamic" means these pins can be updated over-the-air, without requiring a new app release.

How it defends against Man-in-the-Middle (MitM) Attacks:

MitM attacks typically involve an attacker intercepting the communication between the app and the server. To do this, the attacker spoofs the server's identity by presenting a fake SSL/TLS certificate. This fake certificate might be:

  • Self-signed: Created by the attacker.
  • Issued by a compromised or rogue Certificate Authority (CA): If an attacker controls a CA, they can issue seemingly legitimate certificates for any domain.
  • Installed on a compromised device: On rooted or jailbroken devices, attackers can install their own root certificates into the device's trust store, causing the device to implicitly trust any certificate signed by that rogue root.

Dynamic Pinning defends against these scenarios by:

  • Enforcing a Strict Trust Policy: Unlike standard TLS, which relies on the device's broad trust in many CAs, dynamic pinning tells the app to only trust the exact certificate(s) or public key(s) it expects from your specific backend. Even if a rogue CA issues a "valid" certificate for your domain, or if a malicious root certificate is installed on the device, the app will still reject the connection because the certificate chain presented by the attacker's server will not match the specific pinned values.
  • Rejecting Unknown Identities: If an attacker inserts themselves into the middle and tries to present their own certificate, the app's dynamic pinning mechanism will detect that this certificate does not match the securely "pinned" certificate(s) for your legitimate server. The connection is then immediately terminated, preventing any data interception or manipulation.
  • Preventing Pinning Bypass: Approov's SDK also detects attempts to bypass pinning using runtime manipulation tools (like Frida). If such tampering is detected, Approov will deny the app an attestation token, and without this valid token, the backend APIs will refuse to communicate, effectively stopping the MitM attack.
  • Maintaining Operational Agility: The "dynamic" aspect is crucial because server certificates regularly expire or need to be rotated. Without dynamic pinning, a certificate change would necessitate an immediate app update (and user adoption) to avoid breaking connections. Dynamic pinning ensures that security is maintained without operational disruption, reducing the window of vulnerability.

Approov Managed Trust Roots

What it is:

Traditional TLS relies on a device's default trust store, which contains pre-installed root certificates from numerous CAs. If an attacker can inject a malicious root certificate into this device trust store (a common technique on rooted/jailbroken devices), they can effectively issue fake certificates for any website, which the device will then trust. Approov's managed trust roots allow for a secondary, securely enforced set of trusted roots.

How it defends against Man-in-the-Middle (MitM) Attacks:

  • Bypassing Compromised Device Trust Stores: MitM attackers often exploit the fact that they can install their own rogue root certificates on a compromised mobile device. Once installed, the device's operating system will trust any certificate issued by this rogue root, allowing the attacker to intercept and decrypt supposedly secure traffic.
  • Enforcing a Higher Standard of Trust: Approov's managed trust roots feature provides an independent, app-controlled trust store. Even if a malicious root certificate is present in the device's native trust store, the app will only establish a connection if the server's certificate chain validates against both the device's trust store and the Approov-managed trust roots. This means the app will not trust a connection based solely on a potentially compromised device trust store.
  • Centralized and Dynamic Management: Similar to dynamic pinning, these managed trust roots can be centrally controlled and updated by the organization via the Approov cloud. This allows for quick adaptation to changes in trust policy or if a legitimate CA needs to be added/removed, without requiring app updates.
  • Combined Strength: When used in conjunction with dynamic pinning, managed trust roots provide a multi-layered defense. Dynamic pinning verifies the leaf certificate or public key, ensuring the specific server identity. Managed trust roots ensure the entire certificate chain up to a trusted root is valid, based on a set of roots that is not easily compromised or tampered with on the client device. This dual verification makes it exceedingly difficult for an attacker to successfully impersonate a backend server.
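The two checks described in the numbered list above and in the "Combined Strength" point, written out as an added Python example (this is not Approov's SDK code; the key bytes, host name and policy sets are constructed stand-ins). It computes public key pins in the usual base64(SHA-256(SPKI DER)) form and applies them on top of the platform's own TLS validation: the chain's root must be in the managed set, and some certificate in the chain must match a pin registered for that specific host.

```python
import base64
import hashlib


def spki_pin(spki_der: bytes) -> str:
    """Public key pin: base64 of SHA-256 over the SubjectPublicKeyInfo DER bytes."""
    return "sha256/" + base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


# Constructed stand-ins for SPKI DER bytes. In a real check these come from
# the parsed X.509 certificates of the platform-validated chain (leaf first,
# trust anchor last), not from strings.
LEAF_SPKI = b"constructed-leaf-spki-for-api.example.com"
INTER_SPKI = b"constructed-intermediate-spki"
ROOT_SPKI = b"constructed-legitimate-root-spki"
ROGUE_ROOT_SPKI = b"constructed-rogue-root-added-to-device-store"
ROGUE_LEAF_SPKI = b"constructed-rogue-leaf-spki"

# Constructed cloud-delivered policy: the managed trust roots and the pins
# registered per API host. Both would be refreshed on each attestation.
MANAGED_ROOT_PINS = {spki_pin(ROOT_SPKI)}
HOST_PINS = {"api.example.com": {spki_pin(LEAF_SPKI)}}


def check_chain(host, chain_spki, managed_roots, host_pins):
    """Return (ok, reason) for a chain the platform has already validated.

    chain_spki: SPKI DER of each certificate, leaf first, trust anchor last.
    """
    if not chain_spki:
        return False, "empty chain"
    chain_pins = [spki_pin(spki) for spki in chain_spki]
    # Managed trust roots: the anchor must be one we distribute, regardless
    # of what the device trust store says.
    if chain_pins[-1] not in managed_roots:
        return False, "root not in managed trust roots"
    # Dynamic pinning: pins are scoped to the target host, so a pin that is
    # valid for one API must not satisfy a connection to another.
    registered = host_pins.get(host)
    if registered is None:
        return False, "no pins registered for host"
    if not any(pin in registered for pin in chain_pins):
        return False, "no certificate in chain matches a registered pin"
    return True, "ok"
```

A rogue root installed on the device fails the first check even though the OS would accept it; a certificate for the right host issued by a different, legitimate CA passes the first check but fails the second.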

Conclusion

In summary, both Approov Dynamic Pinning and Managed Trust Roots directly counter MitM attacks by preventing mobile applications from establishing secure connections with untrusted or compromised servers, even if the device itself has been manipulated or a Certificate Authority has been compromised. They achieve this by enforcing a stricter, app-controlled, and dynamically updated trust policy for server certificates.