Mobile Application Security: The Best Practices for App Developers

The success of each app highly depends on its security. Developers are responsible for delivering digital solutions with proper app security in mind.

The article unlocks how to protect data stored within apps, namely by means of https, clearing the cache, code obfuscation, protected local storage, and keeping sensitive data inside the app (i.e. source code).

HTTPS

HTTPS stands for Hypertext Transfer Protocol Secure where “s” ensures a secure version of HTTP. This protocol ensures safe communication over a computer network as well as on the Internet. In HTTPS, the communication protocol is encrypted by Transport Layer Security (TLS) that ensures privacy and data integrity between a server and an application.

HTTP is an unencrypted, invalidated, and unverifiable protocol and attackers can easily spy on users’ communications and modify them.

Encryption protects sensitive data at rest, in transit, or when it is traversing multiple network connections. It uses algorithms that turn plain text into an unreadable, jumbled code. To decrypt this cipher text, an encryption key is required. This key is something that only authorized parties have in their possession.

Encryption can be used to protect:

  • Databases
  • Files on servers
  • Entire communication channels
  • Hard drives
  • Email messages and other potentially sensitive transmissions or storage of data

Threats

Attackers use their technical expertise to infiltrate protected systems. Another kind of attacker is a social engineer. They exploit the weaknesses of human psychology to trick people into offering them access to data.

Phishing is a form of social engineering when an attacker learns a user’s personal information. They pretend to be a reputable entity in email or other communication channel and install malware through a link or attachment.

A man-in-the-middle (MITM) attack intercepts the communications between two parties such as a mobile app and database. This malicious individual can eavesdrop or manipulate those communications on either side of the connection.

Cache

A cache is a hardware or software component that stores data. Requests for that data are retrieved faster since it is saved in the device or application. The data stored in a cache is the result of an earlier computation or the duplicate of data stored elsewhere.

Threats

There should be enough memory for the device to download other things. Cache exists for one purpose to preserve transitory data. It’s recommended to clear cache or just set an app back to default to free more memory. However, if the cache is not cleared, the device will work slowly.

Local Storage

Local storage is a part of a file system where files are stored (e.g. media files, setting files, etc.) For example, Viber and Telegram store photos and files that user’s use. The files are stored until a user deletes those manually using app settings.

Protected local storage

If the storage is not protected, a hacker or some script can infiltrate the memory through addresses or the file manager. Securing stored data means preventing unauthorized entries as well as accidental or intentional destruction, infection or corruption of this data.

Protected local storage means that data is encrypted by means of a key. If this decryption key is incorrect then a malicious user will get a jumbled code that has no meaning.

Code Obfuscation

Code obfuscation is an act of creating source or machine code that is difficult for attackers to understand. A tool called an obfuscator can be used to convert straight-forward source code into a program that works the same way. Developers can also obfuscate code manually. Code obfuscation may include:

  • Encrypting some or the whole code
  • Stripping out potentially revealing metadata
  • Renaming useful class and variable names to meaningless labels
  • Adding unused or meaningless code to an application binary

Threats

Code is obfuscated to protect intellectual property and prevent an attacker from reverse engineering. Developers can protect the source code against:

  • Trade secret theft
  • Unauthorized access
  • Bypassing licensing or other controls
  • Vulnerability discovery

Some examples of obfuscation and application security techniques include the following methods listed below:

  • Rename obfuscation
  • Control flow obfuscation
  • Instruction pattern transformation
  • Dummy code insertion
  • Unused code and metadata removal
  • Binary linking
  • Opaque predicate insertion
  • Anti-Tamper
  • Anti-Debug
  • Reverse engineering code

Sensitive Data Storage

When processing some information such as access to the server, there can be data, requiring certain secret keys. These secret keys are necessary for Google services, navigating Google maps, or using Google search service – all services require a secret key that is generated on their site (service). These keys give access to this service on behalf of the user.

Secret keys are stored on the server side since it is the server that uses them. The keys have a better level of protection on the server side than on the client side. Therefore, the server side requires more security measures.

If an app doesn’t have a server side, then the secret keys need to be saved within the app code. It’s necessary to save keys in the code or adjust the open file settings. Also, keys must be encrypted with a limited access to them.

Ensuring mobile app security

Modern users are highly concerned about the security of apps they use. Developers should build applications that satisfy all user expectations. Software that is outside app owners’ immediate control requires reliability of the source code. All the aforementioned approaches and techniques enable secure application development, making it difficult for attackers to get access to sensitive data.

About the Author

Viacheslav Ponomarov is the Founder and Managing Director of Steelkiwi. Slava comes from a deep technical background and has a deep experience of corporate world. He has completed his Master’s degree in Metallurgical Engineering from Donetsk National Technical University and currently looks after business development activities at Steelkiwi.
steelkiwi.com