# App Hardening Suite

App Hardening Suite is a set of tools for mobile app developers that solve or mitigate specific application-security problems: pinning the TLS connection to your backend without hard-coding certificates, and keeping API keys and other secrets out of the application code.

1. [Dynamic TLS Pinning](#about-dynamic-tls-pinning)
2. [Secret Vault](#about-secret-vault)

{% hint style="info" %}
Premium Users: View [premium documentation here](https://docs.talsec.app/premium-integration-documentations/).
{% endhint %}

<figure><img src="https://1666089280-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FxFHPMAbn16uoDyOtoiaC%2Fuploads%2Fi8rOh3c2Ripr48z2P7c8%2FDynamicTLSpinning.png?alt=media&#x26;token=8bcf5273-5dae-4e6a-a880-ee198be7554d" alt="" width="563"><figcaption></figcaption></figure>

## About Dynamic TLS Pinning

Certificate pinning makes the client app **validate the server's certificate** against known characteristics (the certificate itself, its public key, a hash of the public key, etc.) rather than against the device's CA store alone. An application without certificate pinning accepts any certificate that chains to a CA the device trusts, so it is exposed to **man-in-the-middle** attacks (a compromised or mis-issued CA, or a proxy root certificate installed on the device) and to **DNS spoofing** that redirects it to a host presenting such a certificate.

{% hint style="warning" %}
**Why should you choose Dynamic TLS Pinning over the static certificate pinning?**

An implementation of certificate pinning usually relies on certificates (or their fingerprints) hard-coded in the application. Whenever a hard-coded certificate is about to **expire** or is **revoked**, the application must be **rebuilt** and every user must **update** before the backend certificate can change; clients running the old build stop connecting. In applications that pin multiple certificates, this **happens too often** to be practical.
{% endhint %}

Talsec Dynamic TLS Pinning implements **dynamic certificate pinning**. It solves the problem by moving the trust anchor from hard-coded certificates to hard-coded **"master" keys**, which **separates the lifecycle of the server certificates from that of the trusted keys**. Talsec uses a **trust list**: a collection of server certificates signed by the master key that all clients trust. Only after the list's signature has been verified against the embedded master key are its certificates used for pinning; an unsigned or tampered list is never trusted. The master private key stays with the operator and is never shipped in the app.

Trust-list data is **hard-coded in the app and/or delivered over the network** in a defined format; the same data can be represented in several formats. Talsec also provides a tool for obfuscating the embedded master public key, which raises the cost of locating and replacing that key in a repackaged app (it complements the signature check, it does not replace it).
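The flow described above, shown end to end as an added example in Go. This is illustrative code, not Talsec's SDK or wire format: the JSON trust-list layout, the Ed25519 master key, the `sha256/<base64>` SPKI pin format, the anti-rollback `version` field and the host `api.example.com` are all assumptions made for the example. It walks through a certificate rotation that needs no app update, and shows a substituted list failing verification.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// TrustList is the payload the operator signs with the master key (constructed format for this example).
type TrustList struct {
	Version int                 `json:"version"`
	Expires time.Time           `json:"expires"`
	Pins    map[string][]string `json:"pins"` // host -> "sha256/<base64 of SHA-256(SPKI DER)>"
}

// SignedTrustList is what is baked into the app and/or fetched over the network.
type SignedTrustList struct {
	Payload   []byte
	Signature []byte
}

// SPKIPin derives an HPKP-style pin from a public key; pinning the key (not the whole
// certificate) survives re-issuance of a certificate for the same key.
func SPKIPin(pub any) (string, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(der)
	return "sha256/" + base64.StdEncoding.EncodeToString(sum[:]), nil
}

// SignTrustList is the operator-side step; the master private key never ships in the app.
func SignTrustList(master ed25519.PrivateKey, list TrustList) (SignedTrustList, error) {
	payload, err := json.Marshal(list)
	if err != nil {
		return SignedTrustList{}, err
	}
	return SignedTrustList{Payload: payload, Signature: ed25519.Sign(master, payload)}, nil
}

// VerifyTrustList is the client-side step. Only the hard-coded master public key is trusted
// a priori: the list is accepted only if its signature verifies, it has not expired, and
// its version is not older than the last accepted one (so an attacker cannot replay an old list).
func VerifyTrustList(masterPub ed25519.PublicKey, s SignedTrustList, now time.Time, lastVersion int) (TrustList, error) {
	if !ed25519.Verify(masterPub, s.Payload, s.Signature) {
		return TrustList{}, errors.New("trust list signature invalid")
	}
	var list TrustList
	if err := json.Unmarshal(s.Payload, &list); err != nil {
		return TrustList{}, err
	}
	if !now.Before(list.Expires) {
		return TrustList{}, errors.New("trust list expired")
	}
	if list.Version < lastVersion {
		return TrustList{}, errors.New("trust list older than last accepted version")
	}
	return list, nil
}

// PinMatches is the check applied to the leaf certificate's public key during the TLS handshake.
func PinMatches(list TrustList, host string, serverPub any) bool {
	pin, err := SPKIPin(serverPub)
	if err != nil {
		return false
	}
	for _, p := range list.Pins[host] {
		if p == pin {
			return true
		}
	}
	return false
}

func main() {
	// Keys are generated here so the example is self-contained; a real app embeds only masterPub.
	masterPub, masterPriv, _ := ed25519.GenerateKey(rand.Reader)
	oldKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	newKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	oldPin, _ := SPKIPin(&oldKey.PublicKey)
	newPin, _ := SPKIPin(&newKey.PublicKey)
	now, host := time.Now(), "api.example.com"
	v1 := TrustList{Version: 1, Expires: now.Add(30 * 24 * time.Hour), Pins: map[string][]string{host: {oldPin}}}
	s1, _ := SignTrustList(masterPriv, v1)
	l1, _ := VerifyTrustList(masterPub, s1, now, 0)
	fmt.Println("v1: old key", PinMatches(l1, host, &oldKey.PublicKey), "new key", PinMatches(l1, host, &newKey.PublicKey))
	// Rotation: publish v2 listing both keys; clients accept it without an app update.
	v2 := TrustList{Version: 2, Expires: v1.Expires, Pins: map[string][]string{host: {oldPin, newPin}}}
	s2, _ := SignTrustList(masterPriv, v2)
	l2, _ := VerifyTrustList(masterPub, s2, now, 1)
	fmt.Println("v2: new key", PinMatches(l2, host, &newKey.PublicKey))
	// A network attacker substitutes a list pinning their own key but cannot sign it.
	forged, _ := json.Marshal(TrustList{Version: 3, Expires: v1.Expires, Pins: map[string][]string{host: {newPin}}})
	_, err := VerifyTrustList(masterPub, SignedTrustList{Payload: forged, Signature: s2.Signature}, now, 2)
	fmt.Println("forged list rejected:", err != nil)
}
```

In practice the verified list would be consulted from the TLS stack's certificate-verification callback (for instance a custom verifier on the HTTP client), and the last accepted `Version` would be persisted on the device so the rollback check survives restarts.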

<figure><img src="https://1666089280-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FxFHPMAbn16uoDyOtoiaC%2Fuploads%2FYfuI5rlDGvTuEHixbhMU%2FAppHardering%20(2).png?alt=media&#x26;token=4a51c3ad-424b-42c4-bd29-f6ccbd93efb7" alt=""><figcaption></figcaption></figure>

***

<div data-full-width="false"><figure><img src="https://1666089280-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FxFHPMAbn16uoDyOtoiaC%2Fuploads%2Fqq4U9x0eAYHwSxVVijSE%2FSecretVault.png?alt=media&#x26;token=e4ba6d23-0a39-4fc6-8344-e65af8f00ca0" alt="" width="563"><figcaption></figcaption></figure></div>

## About Secret Vault

Talsec's Secret Vault addresses the common problem of **secret leakage** from applications. By **provisioning secrets dynamically** instead of hard-coding them in your code, it keeps **API keys**, **encryption keys**, **tokens** and other confidential values out of the shipped binary, where both manual reverse engineering and automated secret-extraction tools would otherwise find them.

<figure><img src="https://1666089280-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FxFHPMAbn16uoDyOtoiaC%2Fuploads%2Fzu3EIMJPb9U39BPnYuqq%2F%7BD9E1D429-A152-4E7F-BC39-F606AF3C7639%7D.png?alt=media&#x26;token=cc29283f-3152-4069-b7cf-c61c420bc8c4" alt=""><figcaption></figcaption></figure>

Integration consists of replacing the secret string literals in your code with Secret Vault's dynamic lookup. Because secrets are provisioned at runtime from the MagicFile rather than compiled in, they do not appear as literals for a decompiler or an automated secret scanner to harvest, and you can rotate them by updating the MagicFile without changing the application's functionality. Keep in mind that a secret still has to exist in process memory while it is in use; Secret Vault protects the static binary, which is where extraction tools look.
