What is Mobile Apps Security?
The topic of this Cobalt Matters session was mobile apps security. Keeping the code and the data secure when it comes to an application is essential, and there are multiple ways to achieve this, from cache, logs, encryption to data access settings. We discussed a list of basic security measures that can be implemented in mobile apps and we are sharing it in this blog post.
APKs can be easily decompiler using tools, for example, dex2jar and http://www.javadecompilers.com/. Proguard can be used to make a potential attacker’s life harder to read the code. It renames the classes, fields, and methods using short meaningless names.
On iOS, the compiler it strips out symbols and does a lot of optimizations, but a tool such as SwiftShield can be used for extra security.
On iOS, information can be encrypted in the Keychain.
On Android, there is no integrated solution but there are multiple 3rd party libraries you can choose from.
Disable Keyboard Cache
Sensitive data can be displayed as suggestions if the keyboard cache is enabled for text fields. This data is stored and visible to anybody with access to the device, so it’s recommended to turn off the keyboard cache.
On Android, to disable it, use android:inputType=”textNoSuggestions”.
On iOS, to disable it, use autocorrectionType = false.
Information passed through an HTTP connection is not encrypted, meaning that it can be easily stolen. HTTP packets can be easily seen by using a tool such as Fiddler. For this reason, it is recommended that all the requests from a mobile app are made through HTTPS. HTTPS uses an SSL (secure sockets layer) certificate, which creates an encrypted connection between the server and the client.
Logs are frequently used in mobile apps, for debugging, statistics, or crash reporting. But logging information can be dangerous because other applications might be able to read them.
On Android, ProGuard can be used in order to remove logs for release builds.
On iOS, logs can be configured to be visible only for debug builds.
Root & Jailbreak detection is recommended in order to make reverse engineering efforts more difficult. Attackers can use reverse engineering tools in order to access sensitive information inside the app. Preventing apps from running on rooted/jailbroken devices can block some of those tools.
On iOS, the detection can be implemented by using several methods, such as checking for files and directories associated with a jailbroken OS or checking file permissions.
On Android, there are also several ways that a rooted device can be detected. One of the easiest ways is to use Crashlytics’ method CommonUtils.isRooted.
You should consider that if a rooted/jailbroken device is detected, you might block the app and delete all of its data.
App in Background → Hide Content
When an app is minimized, a screenshot of the application is automatically created by both iOS and Android, in order to be displayed in the recent apps view. On iOS, the screenshots are stored in a local folder on the device and will be available until the app is re-opened. On Android, the screenshots are kept in the phone’s memory.
The screenshot will be visible by anyone using the phone, and if the screenshot contains sensitive information, they are considered a risk.
On iOS, this issue can be solved by adding an overlay to the app when the app becomes inactive and hiding the overlay when the app is active. This can be achieved by using the applicationWillResignActive and applicationDidBecomeActive methods.
On Android, the OS will hide the content of the app automatically if the app uses the FLAG_SECURE flag, like so: getWindow().setFlags(WindowManager. LayoutParams.FLAG_SECURE, WindowManager.LayoutParams.FLAG_SECURE);
Note: Using this flag on Android will prevent users from taking screenshots while the app is opened, which might not be desired for some apps.
Disable Old Versions
By default, apps do not have a mechanism to force a user to update the apps to the latest versions. This can be a problem if a security issue is found in a version of an app because vulnerable versions will still be usable after a fix is published.
PS: Android recently announced a mechanism for supporting in-app updates: https://developer.android.com/guide/app-bundle/in-app-updates
There are several security measures that can be easily implemented inside apps and which have a big impact on the overall security. It is recommended that you start implementing them as soon as possible in the development process.
None of the security measures described in this article can create a 100% secure application, but each of them helps increase the overall security.