[Cobalt Matters] Basic Measures To Improve Mobile Apps Security

APKs can be easily decompiler using tools, for example, dex2jar and http://www.javadecompilers.com/. Proguard can be used to make a potential attacker’s life harder to read the code. It renames the classes, fields, and methods using short meaningless names.

On iOS, the compiler it strips out symbols and does a lot of optimizations, but a tool such as SwiftShield can be used for extra security.

On iOS, information can be encrypted in the Keychain.

On Android, there is no integrated solution but there are multiple 3rd party libraries you can choose from.

Sensitive data can be displayed as suggestions if the keyboard cache is enabled for text fields. This data is stored and visible to anybody with access to the device, so it’s recommended to turn off the keyboard cache.

On Android, to disable it, use android:inputType=”textNoSuggestions”.

On iOS, to disable it, use autocorrectionType = false.

Information passed through an HTTP connection is not encrypted, meaning that it can be easily stolen. HTTP packets can be easily seen by using a tool such as Fiddler. For this reason, it is recommended that all the requests from a mobile app are made through HTTPS. HTTPS uses an SSL (secure sockets layer) certificate, which creates an encrypted connection between the server and the client.

Logs are frequently used in mobile apps, for debugging, statistics, or crash reporting. But logging information can be dangerous because other applications might be able to read them.

On Android, ProGuard can be used in order to remove logs for release builds.

On iOS, logs can be configured to be visible only for debug builds.

Root & Jailbreak detection is recommended in order to make reverse engineering efforts more difficult. Attackers can use reverse engineering tools in order to access sensitive information inside the app. Preventing apps from running on rooted/jailbroken devices can block some of those tools.

On iOS, the detection can be implemented by using several methods, such as checking for files and directories associated with a jailbroken OS or checking file permissions.

On Android, there are also several ways that a rooted device can be detected. One of the easiest ways is to use Crashlytics’ method CommonUtils.isRooted.

You should consider that if a rooted/jailbroken device is detected, you might block the app and delete all of its data.

When an app is minimized, a screenshot of the application is automatically created by both iOS and Android, in order to be displayed in the recent apps view. On iOS, the screenshots are stored in a local folder on the device and will be available until the app is re-opened. On Android, the screenshots are kept in the phone’s memory.

By default, apps do not have a mechanism to force a user to update the apps to the latest versions. This can be a problem if a security issue is found in a version of an app because vulnerable versions will still be usable after a fix is published.

PS: Android recently announced a mechanism for supporting in-app updates: https://developer.android.com/guide/app-bundle/in-app-updates

There are several security measures that can be easily implemented inside apps and which have a big impact on the overall security. It is recommended that you start implementing them as soon as possible in the development process.

None of the security measures described in this article can create a 100% secure application, but each of them helps increase the overall security.