Time spent on mobile apps has increased exponentially in the past few years. Development teams must safeguard their apps with the tools and technology at their disposal. This post reviews techniques for mobile app security. You may also reference Give Your React Native Apps a Titanium Shield Against Vulnerabilities and OWASP Mobile Top 10 for more information.
8 Steps to Improve Your Mobile App Security
Step 1: Implement SSL Pinning
SSL pinning is used in client apps to prevent man-in-the-middle (MITM) attacks by validating server certificates. The certificate is evaluated even after the SSL handshake. Developers pin one or more trusted certificates into the client application, and these are compared against the server's certificate(s) at run time. If there is a mismatch, the app refuses the connection to that server. SSL pinning can be done using either a certificate or a public key; depending on your case you may choose one over the other.
NOTE: The pinned certificate is bundled with the app, so certificate renewals will require repackaging and redistributing your app.
Step 2: Jailbroken/Rooted Device Detection
Jailbroken/rooted devices open the door to vulnerabilities for apps. With root access, a malicious app or individual can reach the protected file system and data. The risk is even higher when someone can alter the app's program files underneath it. By adding jailbreak/root verification, we can block usage of the app on jailbroken (iOS) or rooted (Android) devices.
Step 3: Restrict “Insecure” Connections (iOS)
In iOS apps, during development cycles we use Info.plist configurations to communicate with the localhost. The development of React Native apps requires the localhost server to be running. NSExceptionAllowsInsecureHTTPLoads allows insecure HTTP loads to localhost; the dictionary below is the value of the NSAppTransportSecurity key in Info.plist. This setting should NOT be bundled with a distributed app.

    <dict>
        <key>NSExceptionDomains</key>
        <dict>
            <key>localhost</key>
            <dict>
                <key>NSExceptionAllowsInsecureHTTPLoads</key>
                <true/>
            </dict>
        </dict>
    </dict>
Step 4: Obfuscate the App While in the Multi-Select (App Switcher) Screen
A malicious entity might retrieve background screenshots using privileged access to the application library folder. If an attacker is able to access the storage of the device, either through physical access or logical access to the file system, they may be able to extract sensitive information including but not limited to credit card numbers, addresses, or other information.
- Android: When the state of the app changes to "background", FLAG_SECURE can be used to display the overlay screen instead of the app's content.
- iOS: For iOS apps, this can be achieved by creating a custom overlay screen, often reusing the design of the "Splash" screen.
Step 5: Block Screenshot Capture
Malicious actors can steal data either by acquiring the device physically or logically. One can steal "Personally Identifiable Information" (PII), "Personal Health Information" (PHI), or "Payment Card Information" (PCI) data by capturing screenshots from the app while it is running in the background. FLAG_SECURE ensures that when the Android OS takes a screenshot, either manually or automatically, the result is a solid blank image. One may have to implement a custom solution to achieve this in iOS apps.
Step 6: Restrict API Access
The Google Maps API is a paid service which allows applications to embed maps and search the Google Maps database. The usage can be abused by threat actors, which will result in increased costs for the API key owners. Apps consume an API key (a unique identifier) to configure the map. Untrusted sources should be restricted from accessing the keys. Restrictions can be applied at the app level by using the bundle identifier for Android or iOS apps. Apart from that, API restrictions can also be implemented manually.
Step 7: Limit the Usage of Device Permissions
The user's privacy is important. While the app may require device permissions for features, developers need to confirm the exact permissions the app would require. For example, Android offers two types of location permissions, and we should determine the pertinent use cases before requesting either one.

    <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
Step 8: Execute Regular Security Tests
Due to the types and amounts of threats emerging each day, it becomes a constant effort to identify and remediate them. In order to ensure security, we need to run constant checks or security tests to identify threats. We should also perform "penetration testing" to identify any weakness that an attacker might use to potentially harm the app or its users.
A few examples of tools that can be used for penetration testing:
Tools that can be used for code scanning:
Privacy and data safety are paramount to an organization and its user base. By practicing the guidelines above, you can safeguard your mobile app and ensure user data is secure. Security should be baked into the product roadmap to account for an ever-growing feature set requiring increased mobile data transactions. New vulnerabilities and security threats are discovered daily, and it is the company's responsibility to protect its customers. I recommend regularly running security tests to detect new threats and make the necessary changes in a timely manner.
Perficient’s Mobile App Expertise
The Perficient Mobile Solutions team has extensive experience building mobile Apps. For more information about Perficient’s Mobile Solutions expertise, subscribe to our blog or contact our Mobile Solutions team today!