Developing Secure Mobile Applications

Mobile app security is one of the major issues troubling the software development fraternity. With the growing acceptance of apps as a point of sale/contact for a business, ensuring adequate security measures is critical. The data breach can have devastating impacts not only on your bottom line due to lack of user confidence and diminishing customer loyalty but also on your brand reputation.

In my previous blog about mobile app security threats, I had mentioned about some of the methods utilized by hackers for stealing sensitive data from mobile applications. The blog also mentioned who are the target audiences of such attacks and why such attacks happen. Today, let us go through few approaches that will help us develop secure mobile applications

• Application Tampering Detection:
  • As a developer, we need to make sure the application is signed with a key while distributing the application; be it in alpha or beta release for few test groups, be it a soft Launch or a market release
  • While loading the application, as a sanity check, make sure all libraries used by the application are not altered in any manner
  • Check the APK Signature. Many times developers don’t check this for their sandbox releases.
• Understanding “Reversing & Code Obfuscation”:There are many tools available in the market which can be used to easily reverse engineer your app, like: Dex2Jar, AXMLPrinter2, Smali/baksmali, jd and many more. Once reversed, attackers look for Hardcoded and bootstrap credentials; determine the flow of the app and encryption type used to gain access to other sensitive information.It’s recommended that we obfuscate all the code files by using tools like Proguard, Obfuscar, etc. Obfuscating the code hides methods / variables names and makes the code unreadable and deters reverse engineering, making it hard to understand the flow and pattern used in the application. However, only using code obfuscation leads to a false sense of security, as many de-obfuscating / un-obfuscating tools are available and can be used.
• Encryption:Encryption plays a key role in securing your app. Encrypting all the required information in the app assures that no one else would be able to read, understand and make use of the information.How?
  • Run a symmetric/asymmetric encryption on all your assemblies. We can utilize asymmetric encryption with the help of OpenSSL to encrypt the assemblies, followed by delivering the assemblies either by embedding them in the application or by downloading them from a trusted server.
    The assemblies are then decrypted and run in memory. For example, consider developing a game on a Unity3D platform. The game can be redesigned by hackers through alteration of data files or by changing the physics of the game. The hacker could also modify the assemblies to gain extra virtual money in the game. As a developer, one should always ensure that the assemblies and data files are encrypted so that crackers/cheaters don’t cheat in the game.
  • Encrypt Configuration files, PLIST, XML, etc. Decrypt and load them in memory
  • Encrypt your database
• Avoid using built-in key chains or key stores:Keychain and key stores are your mobile’s safety deposits having credentials and other sensitive information, hackers / crackers tend to attack them first. Tools like keychain dumpers or snoopers can be used to extract such sensitive information.
• Clearing Memory:Attackers can dump the memory of a running app and later retrieve that information for examination. Hence, it is recommended to clear the memory whenever possible.

These are some of the secure development guidelines one should follow to secure the mobile app against data braches and unauthorized access. However, since malicious entities are on the rise and so are the diversity in their methods, one needs to adapt their approach to ensure continued security of the app.

References:

• https://www.owasp.org