Securing mobile apps is complex, especially when sensitive data needs to be stored locally on the mobile device. Security is one of the most critical characteristics of mobile apps in verticals such as financial, insurance and healthcare. In many instances, mobile apps must adhere to a variety of privacy standards (FDA, HIPAA, etc.) and often require offline capabilities and online network communication, whether on a small-scale network, the cloud or the web.
Audit your mobile application security by asking yourself (or your developer) these six questions:
Secure application integrity
1. Do you obfuscate the binary executable file as part of the build?
The compiled binary can be obfuscated to make it harder to decompile and reverse engineer, using tools such as ProGuard on Android. On iOS, a different technique can be applied: rename strategic class and method names in the preprocessor phase (e.g. PersonalData -> NSNumber_Extension), enable Deployment Postprocessing, and strip the linked product to hide the important parts of the code.
2. Are app integrity checks performed during runtime?
Repackaging is often used by attackers to trick users into providing private information or installing malware. By comparing the signature the application was signed with against the expected signature, the app can determine at runtime whether it has been tampered with. In addition, you can checksum your binary: keep a well-hidden MD5 hash of it (preferably a salted hash or double-hash), which makes it harder for an attacker to work out how the correct hash is produced. Where you store it doesn't matter, as long as it is not inside the binary itself; set up a build script that regenerates the hash every time the binary changes, and have your code compare the stored hash against the binary at runtime. If they differ, the binary has been modified, and the app should display an error message asking the user to re-download it.
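The signature comparison described above, as an added Android example (not MentorMate's code): at runtime the app reads its own signing certificate(s), hashes them with SHA-256, and compares the result against a digest pinned at build time. The pinned value below is a placeholder; obtain the real one from your release keystore or APK with `keytool -printcert -jarfile app-release.apk`.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.os.Build;
import java.security.MessageDigest;

/** Runtime check that the running APK is signed with the release certificate we expect. */
public final class SigningCheck {
    // Placeholder, not a real value: SHA-256 of the DER-encoded release signing certificate,
    // generated by the build and baked in here (a repackaged APK is re-signed with a different key).
    private static final String EXPECTED_CERT_SHA256_HEX =
            "0000000000000000000000000000000000000000000000000000000000000000";

    private SigningCheck() {}

    public static boolean isSignedByExpectedKey(Context ctx) {
        try {
            PackageManager pm = ctx.getPackageManager();
            Signature[] sigs;
            if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
                PackageInfo info = pm.getPackageInfo(ctx.getPackageName(),
                        PackageManager.GET_SIGNING_CERTIFICATES);
                sigs = info.signingInfo.getApkContentsSigners();
            } else {
                @SuppressWarnings("deprecation")
                PackageInfo info = pm.getPackageInfo(ctx.getPackageName(),
                        PackageManager.GET_SIGNATURES);
                sigs = info.signatures;
            }
            byte[] expected = hexToBytes(EXPECTED_CERT_SHA256_HEX);
            MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
            for (Signature sig : sigs) {
                // Signature.toByteArray() is the DER-encoded X.509 certificate.
                byte[] digest = sha256.digest(sig.toByteArray());
                // Constant-time comparison, so a mismatch leaks nothing through timing.
                if (MessageDigest.isEqual(digest, expected)) {
                    return true;
                }
            }
            return false;
        } catch (Exception e) {
            // If we cannot read our own signing info, treat the app as compromised.
            return false;
        }
    }

    private static byte[] hexToBytes(String hex) {
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }
}
```

Call `SigningCheck.isSignedByExpectedKey(context)` early in app startup and show the re-download prompt on `false`; the check is a deterrent rather than a guarantee, since the code that performs it can itself be patched out, which is why the page pairs it with obfuscation.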
Secure locally stored data
3. Does your app encrypt its local storage?
A best practice to ensure locally stored data is not readable on compromised devices is to encrypt it with AES, DES or another standard encryption algorithm. SQLite databases can be encrypted on iOS and Android, both at the file level and at the individual data field level; a popular open source library for file-level encryption is SQLCipher. The private key for the encryption should be generated dynamically for each device and never hardcoded in the source code, to minimize the risk of an attacker obtaining it by decompiling or reverse engineering the mobile app executable. Be aware that the tradeoff of any encryption is increased code complexity and heavier processing on the device, which affects performance and battery life.
4. Is compromised local data being detected by the app?
Mobile apps cannot detect when local storage is being read by an external entity on a compromised device. However, an app can detect that its local storage has been compromised, for example by accessing the encrypted files from a separate application process that is signed with the same signature as the main application. Additionally, data field checksums generated with MD5 or SHA1 can invalidate a data file if it has been modified by unauthorized code.
Secure data transfer
5. Do you use a secure connection to access APIs or data sources?
Always transfer data to and from external services and the cloud over the encrypted HTTPS protocol. Furthermore, to secure serial communication, a best practice is to encrypt and decrypt every data packet at runtime using a standard encryption algorithm such as AES or DES.
6. Does the app session expire?
Access to remote data should expire after a set period, to protect the data in the event a user leaves the device unattended. This feature is available for all mobile development approaches. For native apps, it is possible to detect when the app is suspended, terminate the session, and require the user to authenticate again the next time they launch the app.
A few additional techniques for maximizing security that are worth mentioning:
- Preventing the mobile app from running on a jailbroken/rooted device
- Preventing taking screenshots of the app screens
- Detecting if the application is running on an emulator
- Restricting debuggers
Overall, there are multiple approaches to securing mobile apps, and each one comes with pros, cons and risks. Understanding the implications of each technique is essential for a solid mobile strategy. MentorMate uses an extensive knowledge base and continuous research on ever-changing mobile platforms and development frameworks to provide strategic IT and technology consulting services that help companies adopt mobile and minimize risks.
Image Source: Unsplash, Siarhei Horbach