iOS and Android Security Measures — an Overview
Smartphone nowadays is a digital twin of the user. Security should always come first when we talk about the essential elements of an app in this era. Login credentials, session tokens and data passing through your server and your app should be well-protected. Once your users lose trust on your app due to security loopholes, they will never come back.
So I will talk about some basic security practices to implement an app.
1. HTTPS Connection
The network connections your app will make should always be in HTTPS connections. In 2k19, these is no way that you gonna transmit your data in plain text under the HTTP protocol. You have to ensure any network connection happened in your app is under the HTTPS protocol and reject the connection if otherwise.
2. Certificate Pinning
Certificate Pinning (SSL pinning) is mainly to prevent Man-in-the-middle attack between mobile apps and web api services. Using HTTPS connection only is not enough as attackers will fake the validity of certificate and present that certificate to the mobile apps as illustrated below.
Possible MiTM with no certificate pinning
Therefore, the implementation is to pin, or to store, the certificate of the server within the app bundle such that the app can verify the HTTPS connection by comparing the public key or the whole certificate.
Certificate pinned in the app
It is like whitelisting servers that the app needs to connect by bundling the certificates inside the app. It is both configuration in iOS and Android and is a standard mentioned by OWASP.
For iOS, you can look into this URLSession method. And if you are using popular networking libraries like Alamofire, it has fully support on SSL pinning too.
3. Sensitive Data Storage
Sensitive information should never be saved in a file somewhere in the app. Instead it should be stored in app memory and be cleared upon app termination.
For data that needs to be saved locally like passwords, session keys and cryptographic keys, iOS app can make use of Apple’s Keychain Service and Google’s KeyStore Service for Android. They both provide the most secured way to save confidential data to the chips of the smartphone instead of storing data in the app level.
4. Sensitive Input & Client-Side Injection
For sensitive input like password or credit card number CVV number, the app should use a secured entry for these inputs to show dots instead of plain text in the screen. All the input text field should best have client side and server side validations. For example, input for mobile number should only allow numbers instead of alphabetic letters to prevent unnecessary injection of unwanted contents to the server.
5. Binary Protection
Since Android app is written in Java, extra protection of the source code is needed. Java source code written for Android apps is compiled into Java bytecode which can be easily decompiled by reverse engineering. Bytecode obfuscation is a must to add to the compiled Java bytecode. The most common tool for code obfuscation is ProGuard.
Also, your app should prevent Jailbroken or Rooted devices from running your app.
6. Two-factor Authentication (2FA) and Session Timespan
Say if your app allow users to login, the timespan of the login session should be set in a reasonable period. The expiration time should not be set too short such that causing inconvenience to user to re-login frequently. The time can be set as 2–4 weeks and no longer than 6 months.
If your app allow users to make payment, Two-factor Authentication should also be implemented. A 4 to 6-digit SMS code will be sent to the user previously registered mobile number to verify user's transaction, adding an extra layer of security to authenticate the user’s identity.
7. End-to-end Encryption (E2EE)
On top of the SSL Pinning, we can even add one more layer of security to the communication of two destinations, eg. app to server, or app to app.
You must have seen WhatsApp telling you that your conversation is secure because end-to-end encryption has been enabled. The basic idea is two parties(contact persons) also perform a public encryption on the conversation, by exchanging their public keys and holding the private key securely in the app, such that no one, including WhatsApp company, can decrypt and peek the messages.
You can also implement similar idea for the app and the server to encrypt some confidential data, but it would probably be an overkill for a general purpose app, not to mention if SSL pinning is on.
8. Runtime Application Self Protection (RASP)
By preventing Jailbroken or Rooted devices from running your app, merely checking the logic at app launch will not be optimal. For Hackers who can run your app in realtime and alter the data, state and code, without RASP, your app will be in danger.
When a runtime threat is detected, RASP frameworks will stop the threat to tamper with your app or perform a dynamic analysis. For example, to prevent encryption keys stolen in runtime, to prevent reverse engineering and so many more.
This is the end of my overview on mobile security measures. In my opinion, a normal app will be well secured if you have implemented the first 5 items which are HTTPS Connection, Certificate Pinning, Sensitive Data Storage, Sensitive Input & Client-Side Injection and Binary Protection.
Hope you will find this useful :).
Cheers!
