Network Protection
Network protection controls harden how protected apps connect to backend services. They reduce exposure to interception, downgrade attacks, cleartext traffic, unexpected certificate chains, and policy-violating network conditions.
Network policy can affect login, payments, analytics, support tools, and third-party SDKs. Coordinate changes with backend, infrastructure, mobile, QA, and support teams before strict production enforcement.
Network Control Matrix
| Control | Platforms | Minimum plan | Execution | Use when |
|---|---|---|---|---|
| Certificate Pinning | Android, iOS | Enterprise | Runtime with packaged policy | API connections should only trust approved certificate keys. |
| Certificate Transparency | Android | Enterprise | Build-time policy with runtime enforcement | Android TLS certificates should meet transparency policy for protected domains. |
| Cleartext Traffic Prevention | Android | Enterprise | Build-time hardening | Plain HTTP should be blocked in protected builds. |
| TLS 1.3 Only | Android, iOS | Enterprise | Runtime policy on supported platform APIs | All required backend services support TLS 1.3 and downgrade resistance is a requirement. |
| Proxy Usage Detection | Android, iOS | Team | Runtime detection | Intercepting proxies should be detected and logged or blocked. |
Recommended Network Profiles
| Profile | Recommended controls |
|---|---|
| Baseline production app | Keep all endpoints on HTTPS, enable Proxy Usage Detection in Log mode where available, and add Cleartext Traffic Prevention for Enterprise Android builds. |
| Regulated or high-value API | Certificate Pinning, TLS 1.3 Only where endpoint and OS support is confirmed, Proxy Usage Detection, and clear customer messaging for blocked connections. |
| Strict Android certificate policy | Certificate Pinning plus Certificate Transparency for production API domains. |
| Enterprise-managed deployment | Validate certificate pinning and proxy policy against approved network inspection requirements before enforcement. |
Rollout Guidance
- Inventory every backend, CDN, authentication, analytics, and third-party endpoint used by the app.
- Confirm TLS versions, certificate authorities, certificate rotation process, and fallback endpoints.
- Enable network controls in Development or Staging first.
- Test normal traffic, expired or wrong certificates, captive portals, VPN/proxy conditions, and managed devices.
- Coordinate certificate and TLS changes with backend, infrastructure, and support teams.
- Enforce strict responses only after the app release and backend certificate plan are aligned.
Operational Checklist
| Area | What to confirm |
|---|---|
| Domain inventory | Production APIs, authentication, payments, CDN, analytics, support, and third-party endpoints are known. |
| Certificate lifecycle | Rotation dates, backup certificates, and ownership are documented. |
| Test coverage | Normal traffic and expected failure cases are validated in Staging. |
| User messaging | Blocked users receive clear guidance where appropriate. |
| Enterprise networks | Managed proxy or inspection requirements are understood before enforcement. |
Coverage Notes
TLS 1.3 Only applies only where the platform and networking APIs support enforcement. Validate iOS 13+ and Android API 29+ behavior, and separately configure third-party HTTP clients or native networking stacks when they bypass platform defaults.
Certificate Pinning and Certificate Transparency are domain-policy controls. Keep backend, CDN, disaster-recovery, and certificate rotation plans aligned with the protected app release schedule before enforcing strict responses.
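The following is an added illustration, not code from the product or page above, of what the Certificate Pinning, Cleartext Traffic Prevention and TLS 1.3 Only controls in the matrix enforce at the connection level, and of the Log-versus-enforce decision the rollout guidance recommends staging. It is written in Python because the page carries no code of its own; the function names, the `mode` values `"log"` and `"enforce"`, the `SAMPLE_CERT` (a structurally valid DER certificate built inline from a made-up key, not an issued certificate) and the backup pin placeholder are all assumptions made for the example. The pin format (SHA-256 over the DER SubjectPublicKeyInfo, base64) is the one used by HPKP and OkHttp-style pinning.

```python
from __future__ import annotations

import base64
import hashlib
import socket
import ssl
from urllib.parse import urlsplit

SEQUENCE = 0x30


# --- Minimal DER helpers (written for this example) ---

def der_len(n: int) -> bytes:
    """Encode a DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag: int, content: bytes) -> bytes:
    """Wrap content in a DER TLV with the given tag byte."""
    return bytes([tag]) + der_len(len(content)) + content


def der_iter(content: bytes):
    """Yield (tag, whole_tlv, inner_content) for each TLV in a DER sequence body."""
    i = 0
    while i < len(content):
        tag, first = content[i], content[i + 1]
        if first < 0x80:
            length, hdr = first, 2
        else:
            nbytes = first & 0x7F
            length = int.from_bytes(content[i + 2:i + 2 + nbytes], "big")
            hdr = 2 + nbytes
        end = i + hdr + length
        yield tag, content[i:end], content[i + hdr:end]
        i = end


def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo TLV of an X.509 certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    _, _, cert_body = next(der_iter(cert_der))   # outer Certificate SEQUENCE
    _, _, tbs_body = next(der_iter(cert_body))   # tbsCertificate SEQUENCE
    fields = list(der_iter(tbs_body))
    if fields[0][0] == 0xA0:                     # explicit [0] version is optional
        fields = fields[1:]
    tag, spki_tlv, _ = fields[5]                 # after serial, sigalg, issuer, validity, subject
    if tag != SEQUENCE:
        raise ValueError("malformed certificate: SPKI is not a SEQUENCE")
    return spki_tlv


def spki_pin(spki_der: bytes) -> str:
    """'sha256/' + base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return "sha256/" + base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


# --- Policy decisions ---

def evaluate_pins(cert_der: bytes, pins: set[str], mode: str = "enforce") -> tuple[str, str]:
    """Compare the leaf SPKI pin with the approved set (primary plus backup pins).

    Returns (decision, observed_pin): 'allow' on a match; on a mismatch 'log' in
    log mode (connection continues, event reported) or 'block' in enforce mode.
    """
    observed = spki_pin(extract_spki(cert_der))
    if observed in pins:
        return "allow", observed
    return ("log" if mode == "log" else "block"), observed


def build_tls13_context() -> ssl.SSLContext:
    """System trust store, hostname verification on, TLS 1.3 only (no downgrade)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    ctx.maximum_version = ssl.TLSVersion.TLSv1_3
    return ctx


def check_scheme(url: str) -> None:
    """Cleartext traffic prevention: refuse anything that is not https."""
    if urlsplit(url).scheme != "https":
        raise ValueError(f"cleartext traffic blocked: {url}")


def pinned_get(url: str, pins: set[str], mode: str = "enforce", timeout: float = 10.0) -> bytes:
    """Hardened GET: https only, TLS 1.3 only, leaf SPKI pinned (needs network, not run in tests)."""
    check_scheme(url)
    parts = urlsplit(url)
    host, port = parts.hostname, parts.port or 443
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with build_tls13_context().wrap_socket(raw, server_hostname=host) as tls:
            decision, observed = evaluate_pins(tls.getpeercert(binary_form=True), pins, mode)
            if decision == "block":
                raise ssl.SSLError(f"pin mismatch for {host}: {observed}")
            if decision == "log":
                print(f"[pin-log] {host} presented unapproved pin {observed}")
            tls.sendall(f"GET {parts.path or '/'} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
            chunks = []
            while chunk := tls.recv(4096):
                chunks.append(chunk)
            return b"".join(chunks)


# --- Constructed sample certificate: valid DER structure, made-up key, no real signature ---

def _sample_cert(pubkey: bytes) -> bytes:
    alg_sig = der(SEQUENCE, der(0x06, bytes.fromhex("2a864886f70d01010b")) + der(0x05, b""))
    alg_key = der(SEQUENCE, der(0x06, bytes.fromhex("2a864886f70d010101")) + der(0x05, b""))
    spki = der(SEQUENCE, alg_key + der(0x03, b"\x00" + pubkey))
    validity = der(SEQUENCE, der(0x17, b"240101000000Z") + der(0x17, b"340101000000Z"))
    tbs = der(SEQUENCE, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg_sig
              + der(SEQUENCE, b"") + validity + der(SEQUENCE, b"") + spki)
    return der(SEQUENCE, tbs + alg_sig + der(0x03, b"\x00" * 9))


SAMPLE_PUBKEY = bytes.fromhex("300b020400c0ffee0203010001")   # constructed, not a real key
SAMPLE_CERT = _sample_cert(SAMPLE_PUBKEY)
# Primary pin taken from the sample plus a backup pin placeholder for rotation.
APPROVED_PINS = {spki_pin(extract_spki(SAMPLE_CERT)), "sha256/BACKUP_PIN_PLACEHOLDER="}
```

Two points from the rollout guidance show up in the design: the approved set always carries a backup pin so certificate rotation does not lock users out, and `mode="log"` lets a staging or first production release report mismatches (captive portals, managed inspection proxies, unexpected chains) before `mode="enforce"` turns them into blocked connections.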