6 Mobile Application Security Techniques

Six questions to ask yourself or your development team to make sure you are taking mobile security seriously.
Securing mobile apps is complex, especially when sensitive data needs to be stored locally on the mobile device. Security is one of the most critical characteristics of mobile apps in verticals such as finance, insurance and healthcare. In many instances, mobile apps must adhere to a variety of privacy standards (FDA, HIPAA, etc.)
and often require offline capabilities as well as online network communication, whether on a small-scale network, the cloud or the web.

Audit your mobile application security by asking yourself (or your developer) these six questions:

Secure application integrity

1. Do you obfuscate the binary executable file as part of the build?

Compiled binary code can be obfuscated to make it more difficult to decompile and reverse engineer, using tools such as ProGuard (for Android). On iOS, a different technique can be applied: rename strategic class and method names as part of the preprocessor phase (e.g. PersonalData -> NSNumber_Extension), enable deployment post-processing, and strip linked products to hide the important parts of the code.

2. Are app integrity checks performed during runtime?

Repackaging is often used by attackers to trick users into providing private information or installing malware. By checking the signature the application was signed with against the expected signature, we can determine at runtime whether the app has been tampered with. In addition, you can checksum your binary: keep a well-hidden MD5 hash of it (preferably a salted hash or double hash) somewhere in your app, which makes it harder for an attacker to work out how to produce the correct hash. Where you store it does not matter, as long as it is not in the binary itself. Then set up a build script that regenerates the hash at every build, whenever the binary changes. In your code, compare the stored hash against the binary; if they differ, the binary has been modified, and the app should display an error asking the user to re-download it.

Secure locally stored data

3. Does your app encrypt its local storage?

A best practice to ensure locally stored data is not readable on a compromised device is to encrypt it with AES, DES or another standard encryption algorithm.
SQLite local databases can be encrypted on iOS and Android, both at the file level and at the individual data field level. A popular open source library for file-level encryption is SQLCipher. A unique private key for the encryption is generated dynamically for each device rather than hardcoded in the source code, to minimize the risk of the key being recovered by decompiling or reverse engineering the mobile app executable. Be aware that the tradeoff of any encryption is increased code complexity and more intensive processing on the device, which affects performance and battery life.

4. Is compromised local data being detected by the app?

Mobile apps cannot detect when local storage is being read by an external entity on a compromised device. However, you can detect that local storage has been compromised by accessing the encrypted files from a separate application process signed with the same signature as the main application. Additionally, data field checksums generated with MD5 or SHA-1 can invalidate a data file if it has been modified by unauthorized code.

Secure data transfer

5. Do you use a secure connection to access APIs or data sources?

Always transfer data to and from external services and the cloud over HTTPS. Furthermore, to secure serial communication, a best practice is to have every data packet encrypted and decrypted at runtime with a standard encryption algorithm such as AES or DES.

6. Does the app session expire?

Access to remote data should expire after a certain period to protect the data in the event a user leaves the device unattended. This feature is available for all mobile development approaches. For native apps, it is possible to detect when the app is suspended in order to terminate the session and require the user to authenticate the next time they launch the app.
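The two runtime integrity checks from question 2, written out for Android as an added example (not code from the original post): a pinned signing-certificate comparison and a hash of the installed APK checked against a build-time value kept off-device. It assumes Java on API 28+ for the signing API, uses SHA-256 in place of the MD5 the post mentions, and EXPECTED_CERT_SHA256 is a placeholder to be replaced with your own release certificate digest.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.MessageDigest;

public final class AppIntegrity {
    // Placeholder: the SHA-256 of your release signing certificate, e.g. from
    // `apksigner verify --print-certs app-release.apk`.
    static final String EXPECTED_CERT_SHA256 = "<release-cert-sha256-placeholder>";

    // First technique from question 2: compare the certificate the running APK is
    // signed with against the pinned release certificate. A repackaged APK has to be
    // re-signed with a different key, so its certificate digest will differ.
    static boolean signedWithExpectedCert(Context ctx) throws Exception {
        PackageInfo info = ctx.getPackageManager().getPackageInfo(
            ctx.getPackageName(), PackageManager.GET_SIGNING_CERTIFICATES); // API 28+
        for (Signature s : info.signingInfo.getApkContentsSigners()) {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(s.toByteArray());
            if (hex(digest).equalsIgnoreCase(EXPECTED_CERT_SHA256)) return true;
        }
        return false;
    }

    // Second technique from question 2: hash the installed APK and compare it with
    // the value produced at build time and kept off-device (e.g. fetched from your
    // server), never inside the binary. SHA-256 replaces the MD5 the post mentions.
    // Only meaningful if the exact APK you hashed is what gets installed; Play App
    // Bundles generate per-device APKs whose bytes differ from your build artifact.
    static boolean apkMatchesBuildHash(Context ctx, String expectedSha256Hex) throws Exception {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        try (InputStream in = new FileInputStream(ctx.getApplicationInfo().sourceDir)) {
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) > 0) md.update(buf, 0, n);
        }
        return MessageDigest.isEqual(hex(md.digest()).getBytes(),
                                     expectedSha256Hex.toLowerCase().getBytes());
    }

    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }
}
```

Both checks live inside the app, so they can themselves be patched out of a modified binary; they are most useful combined with the obfuscation from question 1 and a server-side response to a failed check.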
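The per-device encryption key from question 3, as an added example for Android (not code from the original post or from SQLCipher): a random passphrase for the encrypted SQLite file that is generated on the device and wrapped with a non-exportable Android Keystore key, so nothing usable is left in the source. It assumes Java on API 23 or later and a hypothetical Keystore alias and preference name; the returned string is what you pass to SQLCipher's openOrCreateDatabase as the passphrase.

```java
import android.content.Context;
import android.content.SharedPreferences;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import android.util.Base64;
import java.security.KeyStore;
import java.security.SecureRandom;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public final class DbPassphrase {
    static final String ALIAS = "db_passphrase_wrap"; // hypothetical Keystore alias

    // Returns this device's database passphrase, generating it on first run: 32
    // random bytes that never appear in the source, wrapped with an AES-GCM key
    // held in the Android Keystore, which cannot be exported from the device.
    static String forDevice(Context ctx) throws Exception {
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore"); ks.load(null);
        if (!ks.containsAlias(ALIAS)) {
            KeyGenerator kg = KeyGenerator.getInstance(
                KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore");
            kg.init(new KeyGenParameterSpec.Builder(ALIAS,
                    KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE).build());
            kg.generateKey();
        }
        SecretKey wrapKey = (SecretKey) ks.getKey(ALIAS, null);
        SharedPreferences prefs = ctx.getSharedPreferences("db_meta", Context.MODE_PRIVATE);
        Cipher gcm = Cipher.getInstance("AES/GCM/NoPadding");
        String stored = prefs.getString("wrapped_passphrase", null);
        byte[] raw;
        if (stored == null) {
            raw = new byte[32];
            new SecureRandom().nextBytes(raw);
            gcm.init(Cipher.ENCRYPT_MODE, wrapKey); // Keystore chooses a fresh IV
            prefs.edit().putString("wrapped_passphrase",
                Base64.encodeToString(gcm.getIV(), Base64.NO_WRAP) + ":"
                + Base64.encodeToString(gcm.doFinal(raw), Base64.NO_WRAP)).apply();
        } else { // unwrap; the GCM tag check fails if the stored blob was altered
            String[] parts = stored.split(":");
            gcm.init(Cipher.DECRYPT_MODE, wrapKey,
                new GCMParameterSpec(128, Base64.decode(parts[0], Base64.NO_WRAP)));
            raw = gcm.doFinal(Base64.decode(parts[1], Base64.NO_WRAP));
        }
        return Base64.encodeToString(raw, Base64.NO_WRAP);
    }
}
```

The wrapped blob in SharedPreferences is useless without the Keystore key, which is why copying the app's data directory off a compromised device does not expose the database.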
A few additional techniques for maximizing security are worth mentioning:

- Preventing the mobile app from running on a jailbroken/rooted device
- Preventing screenshots of the app screens
- Detecting whether the application is running on an emulator
- Restricting debuggers

Overall, there are multiple approaches to securing mobile apps, and each one comes with pros, cons and risks. Understanding the implications of each technique is essential for a solid mobile strategy. MentorMate uses an extensive knowledge base and continuous research on ever-changing mobile platforms and development frameworks to provide strategic IT and technology consulting services that help companies adopt mobile and minimize risk.

Image Source: Unsplash, Siarhei Horbach