How Secure is Your Mobile App? — Part 1
Developing a mobile application is the easy part for developers. Once it is released, they tend to assume it is a good app and secure for users. Attackers, on the other hand, are eager to break into the app using their skills and tools; doing the same thing deliberately in order to find the weaknesses is called penetration testing.
Penetration testing (or pen testing) is a security exercise where a cyber-security expert attempts to find and exploit vulnerabilities in a computer system. The purpose of this simulated attack is to identify any weak spots in a system’s defenses which attackers could take advantage of — Cloudflare.com
Usually a company has several development stages before an app can be released to the public: it has to pass scanning by the security department, which then runs a number of test scenarios and produces a test report with explanations of how to strengthen data security.
If there is no in-house security department, a third-party security company with experts in this field can be used. Here is a sample penetration testing report.
As we can see from the severity ratings and the chart of vulnerabilities by impact, the higher the score, the more important and dangerous the finding is if it is left unprotected. For example, in the lower-left image the test result for Insufficient Lockout Policy is rated Critical. Why is its impact critical? The report gives references and explanations for it, so we can't dismiss the report after reading only the summary; we have to go through the explanations one by one to understand the impact on our users and even on our company.
So in part 1 I want to share the things we have to be concerned about regarding data security. It is based on my experience, and I have also had pentest reports with results like the one above.
1. Never put the credential data in Local Storage
The common credential data for a mobile app is the username and password, which are entered when we log in to the app. But other data can be just as sensitive, like an ID card number, phone number, address, etc. Never put such important data in Local Storage, because attackers can read it on a rooted or jailbroken device.
2. Don’t store all the raw resource files in Local Storage
Resource files, such as images and local databases, are things an application needs to support its performance; caching is very useful when users use the application repeatedly. But don't store all of the important resource files as raw files in Local Storage (for the same reason as in point 1). We can fetch resource files through a URL link instead, or store them in base64/sha256 format with the keychain.
3. Encrypt mobile communication — Certificate and Public Key Pinning
Client-server communication can be intercepted with pentest tools like Burp Suite, which sits between the app and the API, captures the requests and reads the responses. If we don't encrypt the communication between them, all the data is exposed.
The best solution is Certificate and Public Key Pinning. The mobile app (client) must pin the same certificate as the server side. If the certificate presented is valid, the communication proceeds; if it is not, the mobile app rejects it.
Certificate pinning restricts which certificates are considered valid for a particular website, limiting risk. Instead of allowing any trusted certificate to be used, operators “pin” the certificate authority (CA) issuer(s), public keys or even end-entity certificates of their choice. Clients connecting to that server will treat all other certificates as invalid and refuse to make an HTTPS connection — Digicert.com
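The pinning check described above, as an added Android example (not code from the original post) using OkHttp's CertificatePinner; the host name and the two pin values are placeholders, and a real pin is the base64 SHA-256 of the server key's SubjectPublicKeyInfo:

```kotlin
// Added example, not from the original post. Host and pins are placeholders.
import okhttp3.CertificatePinner
import okhttp3.OkHttpClient
import okhttp3.Request
import javax.net.ssl.SSLPeerUnverifiedException

const val API_HOST = "api.example.com"   // placeholder host

// Pin at least two keys: the key in use and a backup, so that a key rotation
// on the server does not lock every installed copy of the app out of the API.
val pinner: CertificatePinner = CertificatePinner.Builder()
    .add(API_HOST, "sha256/<current-key-spki-sha256-base64>")   // placeholder
    .add(API_HOST, "sha256/<backup-key-spki-sha256-base64>")    // placeholder
    .build()

val client: OkHttpClient = OkHttpClient.Builder()
    .certificatePinner(pinner)
    .build()

// Returns the response body, or null when the chain presented by the server
// contains none of the pinned keys (an intercepting proxy such as Burp Suite
// presents its own certificate and therefore fails the pin check).
fun fetchProfile(): String? {
    val request = Request.Builder()
        .url("https://$API_HOST/v1/profile")
        .build()
    return try {
        client.newCall(request).execute().use { response ->
            if (response.isSuccessful) response.body?.string() else null
        }
    } catch (e: SSLPeerUnverifiedException) {
        // Pin mismatch: the TLS handshake is aborted before any request data
        // is sent, so nothing sensitive reaches the interceptor.
        null
    }
}
```

OkHttp still performs normal certificate chain validation first; pinning narrows the set of keys that are accepted on top of that.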
4. Root and Jailbreak detection
I think detection of rooted and jailbroken devices is important to implement in all mobile applications, especially if we have many users. Why? Jailbreaking is the process of removing the limitations imposed by Apple and associated carriers on devices running the iOS operating system. To “jailbreak” means to allow the phone's owner to gain full access to the root of the operating system and all of its features. Similar to jailbreaking, “rooting” is the term for the process of removing the limitations on a mobile phone or tablet running the Android operating system.
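As an added example (not from the original post), the common Android root indicators an app can check from its own code; the list of su paths is the usual set published by open-source root checkers, and the result should be treated as a risk signal (for example, disabling sensitive features or reporting it to the server) rather than as a hard security boundary, because root-hiding tools can defeat checks like these:

```kotlin
// Added example, not from the original post.
import android.os.Build
import java.io.File

object RootCheck {
    // Paths where the su binary is commonly installed on rooted devices.
    private val SU_PATHS = listOf(
        "/system/bin/su", "/system/xbin/su", "/sbin/su",
        "/system/sd/xbin/su", "/data/local/xbin/su", "/data/local/bin/su",
        "/su/bin/su",
    )

    // Production firmware is signed with release keys; "test-keys" indicates
    // a custom or engineering build of the OS.
    fun hasTestKeys(): Boolean =
        Build.TAGS?.contains("test-keys") == true

    fun hasSuBinary(): Boolean =
        SU_PATHS.any { File(it).exists() }

    // Asks the shell's PATH for su; any failure on a stock device counts as "not found".
    fun suOnPath(): Boolean = try {
        val proc = Runtime.getRuntime().exec(arrayOf("/system/bin/which", "su"))
        proc.inputStream.bufferedReader().use { it.readLine() != null }
    } catch (e: Exception) {
        false
    }

    // Any single indicator is enough to flag the device as likely rooted.
    fun isLikelyRooted(): Boolean =
        hasTestKeys() || hasSuBinary() || suOnPath()
}
```

For a stronger signal, pair this local check with a server-verified attestation such as Google's Play Integrity API, which the device cannot spoof from app code alone.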
5. Code obfuscation
Code obfuscation is a form of protection that makes code difficult for others to break; its essence is to disguise the code and make it hard to read. Obfuscation can be done manually or with a tool called an “obfuscator”. On the reverse engineering side, the process of recovering readable code from this cryptic form is called “deobfuscation”. Here is a sample of code obfuscation from a private class package.
For Android apps, the platform provides an obfuscation tool called ProGuard. ProGuard works from a set of rules that define what can be obfuscated and which classes are covered, and we can add exceptions to these rules. Here is the code obfuscation output of a ProGuard implementation.
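As an added example (not from the original post), the Gradle Kotlin DSL settings that turn on shrinking and obfuscation for release builds (current Android builds run R8, which reads the same ProGuard rule files), followed by the kind of exception the text mentions: a model class that is deserialised by field name and therefore must be kept from renaming. The class and field names are assumptions.

```kotlin
// Added example, not from the original post.

// build.gradle.kts (app module): obfuscate and shrink only the release build,
// so debug builds stay readable for developers.
android {
    buildTypes {
        release {
            isMinifyEnabled = true              // rename classes/members, drop unused code
            isShrinkResources = true            // also drop unreferenced resources
            proguardFiles(
                getDefaultProguardFile("proguard-android-optimize.txt"),
                "proguard-rules.pro"            // project-specific rules and exceptions
            )
        }
    }
}

// ApiModels.kt: reflection-based JSON libraries look fields up by name, so an
// obfuscated LoginResponse would silently stop parsing. @Keep (honoured by the
// default Android rules) exempts this class and its members from renaming.
import androidx.annotation.Keep

@Keep
data class LoginResponse(           // assumed model class
    val accessToken: String,
    val expiresIn: Int
)
```

Keep the exceptions as narrow as possible: every class you exempt is one an attacker can read with its original names.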
6. Prevent background screen caching
Many of us don't realize that iOS caches a screenshot of the app in the background. Apple takes a snapshot when we switch applications in the app switcher. We can check all of the apps installed on our iPhone by switching between them: if the app is blurred or shows only a blank screen with the app logo, it prevents the snapshot, so the cached image can't be seen by others; if the app is not blurred, the cache holds the full contents of the screen.
If we want to inspect the snapshot data, we can download iExplorer, connect our iPhone to a Mac and open it. We can see the list of apps, each with the folders Documents, Library and tmp. All of the snapshots are stored in the Library -> Caches -> Snapshots folder.
That's all for securing our mobile app; it is based on my experience. If you are a security person who does penetration testing regularly, please share in the comment section below, since I have probably missed some important things about data security.
In part 2, I will show how to implement the points above in our mobile app on Android and iOS, and also in React Native. Last but not least, remember that:
Data is the only thing that matters — Anonymous