Building Trust in Your Mobile App

Some Security Tips

Mobile@Exxeta
3 min read · Jan 8, 2024

Security has to be considered throughout app development, and every developer should prioritize it to earn users' confidence. This story presents several measures that mobile developers can focus on to improve the security of their apps. Security should be integrated from the beginning of development: at every stage, developers should ask what the potential attack vectors are and, of course, find corresponding measures to address those vulnerabilities.

  1. Communication Between App and Backend: TLS and Certificate Pinning
    One of the primary attack surfaces is the communication between the app and the backend. Transport Layer Security (TLS) encrypts that communication and protects against Man-in-the-Middle attacks. In addition, certificate pinning ensures that the app talks only to servers presenting pre-authorized certificates. You can pin either the public key or the certificate itself. Whichever you choose, plan the certificate update process in advance and decide how the app will receive the new pins.
  2. Data Storage: Encryption and Avoiding User Defaults
    Data stored on the phone is also an attack vector. Always encrypt sensitive data at rest. On iOS, for example, it is advisable to refrain from using User Defaults and instead store sensitive information in a secure local data store or the Keychain.
  3. Reverse Engineering: Obfuscation
    To deter reverse engineering, code obfuscation is an effective measure. It transforms the compiled code, for example by shortening class names, so that it is difficult for potential attackers to understand and therefore harder to identify security vulnerabilities in the application. There are many third-party tools and libraries designed for this purpose.
  4. Keyboards: Restricting to Standard Keyboards
    Restricting input to the platform's standard keyboard minimizes the risk of keyboard-targeted attacks. Sticking to trusted standard input methods avoids potential security loopholes in third-party keyboards.
  5. Disable Cache in Keyboards
    Disabling the keyboard's cache is a sensible security measure. It prevents sensitive data, such as passwords or personal information, from being stored in keyboard caches and reduces the risk of privacy breaches.
  6. Play Store App Integrity
    If you release your Android app to the Play Store, ensure the integrity of your app. Signing the app through Google Play's app signing service protects its integrity, and regularly monitoring the Play Store listing for unauthorized changes or tampering contributes to a more secure distribution channel.
  7. Jailbreak & Root Detection
    Implement jailbreak and root detection checks in your app. On a jailbroken or rooted device, standard security measures can be bypassed. Therefore, devices that show signs of a jailbreak or root should be excluded from using your app.
  8. Prevent Screenshots, Screen Sharing and Screen Recording
    Protecting user privacy includes preventing the unauthorized capture of sensitive information. Implement mechanisms that block screenshots, screen sharing, and screen recording within the app to mitigate the risk of unauthorized access to sensitive data.
  9. Smartphone Security Level and Unlocking Code Requirement
    Consider the security level of the smartphone itself. Leverage device security features such as biometrics (fingerprint, face recognition) and device passcodes. Requiring the user to unlock their smartphone with a code before accessing the app adds an extra layer of security and ensures that only authorized users can use the application.
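As an added example for the pinning and certificate-rotation point in item 1 (not code from the original article), the check below computes SPKI pins, insists on a backup pin so the backend can rotate keys without an app update, and accepts a chain only if one of its certificates carries a pinned key. The certificates are constructed self-signed test input; the function and host names are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"math/big"
	"time"
)

// SpkiPin = base64(SHA-256(DER SubjectPublicKeyInfo)), the pin format used by
// Android's network_security_config and TrustKit. Pinning the public key rather
// than the whole certificate survives a renewal that keeps the same key pair.
func SpkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// VerifyChain runs after the platform's normal TLS validation. It insists on a
// backup pin (for a key held offline, so keys can rotate without an app update)
// and accepts the chain only if some certificate, leaf or intermediate, is pinned.
func VerifyChain(pins []string, chain []*x509.Certificate) error {
	if len(pins) < 2 {
		return errors.New("pin set needs an active pin and at least one backup pin")
	}
	for _, c := range chain {
		for _, p := range pins {
			if p == SpkiPin(c) {
				return nil
			}
		}
	}
	return errors.New("no certificate in chain matches a pinned public key")
}

// SelfSignedCert builds a throwaway certificate: constructed sample input only.
func SelfSignedCert(cn string) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert
}
```

On a device the same check would sit in the TLS delegate (URLSession on iOS, OkHttp's CertificatePinner or network_security_config on Android), with the pin strings shipped in the app and the backup key stored offline until rotation.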

Of course, there are many other security factors to take into account, and it is always helpful to keep the purpose of your app in mind when choosing measures for it. Continuously reviewing and adapting existing security measures in response to new threats is just as important as their initial implementation. Building security into your app is crucial for earning user trust. By integrating security into the agile development cycle, every development team can contribute to creating apps that are not only functional but also secure and trustworthy. We think the OWASP Mobile Top 10 is a good starting point for looking further into this subject. Which actions do you take?

(by Sabrina Geiger)
