Certificate Transparency
| Plan | Platforms | MASVS |
|---|---|---|
| Team | Android | MASVS-NETWORK-1 |
Summary
When Certificate Transparency enforcement is enabled, the protected Android app requires that the TLS certificates presented by the configured domains are publicly logged and therefore auditable. This reduces the risk of the app accepting a mis-issued or fraudulent certificate that does not meet your transparency policy.
Use this control for high-value Android API domains where your organization requires a stronger certificate issuance audit trail.
What It Protects Against
- Fraudulent certificates issued outside expected public logging controls.
- Certificate authority compromise or insider misuse that results in suspicious certificates.
- Network interception attempts that rely on certificates that do not meet your transparency policy.
- Drift between your backend certificate operations and the certificate policy expected by the mobile app.
How It Works
You configure the domains that should require certificate transparency policy enforcement. AppTego applies the policy during protected build creation, and the resulting app enforces the expected TLS certificate posture for those domains at runtime.
For stronger transport protection, use Certificate Transparency with Certificate Pinning, TLS 1.3 Only, and Proxy Usage Detection.
How to Enable the Control
Navigate to Connection Settings in the AppTego portal and expand the Certificate Trust section, which contains the Certificate Transparency Enforcement control. Click Enable to apply it to the next build, or to apply it immediately through a live push if live push is enabled.
API Configuration Example
```json
{
  "CertificateTransparencyPrevention": {
    "protection": true
  }
}
```
| Field | Purpose |
|---|---|
| protection | Enables certificate transparency enforcement for protected apps. |
Setup
- Identify the Android production domains that require certificate transparency enforcement.
- Confirm those domains serve certificates that include valid transparency evidence according to your certificate authority and CDN setup.
- Open the AppTego Portal.
- Enable Certificate Transparency for the intended configuration version.
- Add the protected domain names.
- Build a protected Android app.
- Test against production-like endpoints before promotion.
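One way to carry out the "confirm those domains serve certificates with transparency evidence" step from a workstation before you build, as an added example that is not AppTego code and not part of this page. It uses Python with the `cryptography` package, assumes a policy of SCTs from at least two distinct CT logs (your CA and CDN policy may differ), and only inspects SCTs embedded in the leaf certificate.

```python
import socket
import ssl

from cryptography import x509
from cryptography.x509 import PrecertificateSignedCertificateTimestamps

# Assumed local policy (not from the AppTego page): a leaf certificate passes
# when it embeds SCTs from at least MIN_SCTS distinct CT logs.
MIN_SCTS = 2


def embedded_scts(cert: x509.Certificate) -> list:
    """SCTs embedded in the certificate's CT extension (RFC 6962 3.3);
    an empty list when the extension is absent."""
    try:
        ext = cert.extensions.get_extension_for_class(
            PrecertificateSignedCertificateTimestamps)
    except x509.ExtensionNotFound:
        return []
    return list(ext.value)

def sct_summary(cert: x509.Certificate) -> dict:
    """Summarise the transparency evidence a certificate carries."""
    scts = embedded_scts(cert)
    return {
        "subject": cert.subject.rfc4514_string(),
        "sct_count": len(scts),
        "distinct_logs": len({s.log_id for s in scts}),
        "log_ids": sorted(s.log_id.hex() for s in scts),
    }

def meets_policy(cert: x509.Certificate, min_scts: int = MIN_SCTS) -> bool:
    """True when embedded SCTs satisfy the assumed policy. SCTs delivered in
    the TLS handshake extension or a stapled OCSP response are not counted,
    so a CDN using those delivery paths needs a separate check."""
    return sct_summary(cert)["distinct_logs"] >= min_scts

def fetch_leaf(host: str, port: int = 443) -> x509.Certificate:
    """Fetch the leaf certificate an endpoint currently serves."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return x509.load_der_x509_certificate(tls.getpeercert(binary_form=True))

if __name__ == "__main__":
    import sys  # usage: python ct_check.py api.example.test (hypothetical host)
    for host in sys.argv[1:]:
        leaf = fetch_leaf(host)
        print(host, sct_summary(leaf), "OK" if meets_policy(leaf) else "FAIL")
```

Run it against each production-like endpoint you plan to protect; a FAIL here means the app would block that domain once the control is enabled.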
User And App Impact
If a domain presents a certificate that does not meet the configured transparency policy, the protected app can block the connection. Users may experience unavailable sign-in, sync, or API-backed features until the certificate chain is corrected.
Coordinate this control with the team responsible for certificates, CDN configuration, and incident response.