How to Secure Your Mobile Apps

It's no secret that mobile has become an integral part of our everyday lives. As per a survey conducted by Statista, the number of mobile phone users in the world is expected to pass the 5 billion mark by 2019. Mobile phones powered by numerous mobile applications not just help consumer segment but their usage has become common within organizations through bring-your-own-device concept. Despite of concerns of data security, device management and bunch of other potential complications, both consumers and enterprises are embracing mobile applications to get help in their day-to-day activities. In 2017, there were 178.1 billion mobile app downloads from various app stores where as in 2018 this number has already reached 205.4 billion.

With such exponential growth of mobile phones, its becoming imperative for mobile applications developer community to provide secure mobile apps for our users. In this article, we will talk about some of the solutions which can be applied to secure your mobile apps from other malicious apps/users.

Secure Data Storage Options Commonly Available on Mobile Platforms
With the latest series of smartphones’ platforms, OEMs (Original Equipment Manufacturer) have provided secure storage areas to store sensitive data related to your mobile applications. On the two widely used mobile platforms – iOS & Android, we have following available secured storage areas. As an app developer, you should make it a practice to store sensitive data like user credentials, credit card details etc. in these storage locations.
Keychain on iOS Devices
  1. It’s a secure storage area available on all iOS devices.
  2. Data is sand boxed, so data of one app cannot be accessed by any other app 
  3. Data once saved gets preserved across app re-installation.
  4. You can easily store data in keychain by following below given code snippet:

Isolated Storage on Android Devices
  1. Data stored in Isolated Storage is privately stored in the device memory.
  2. Files saved to the internal storage are private to your application.
  3. When the user uninstalls the application, the associated files are removed.
  4. You can easily store data in isolated storage by following below given code snippet:

Myths About Data Security on Mobile Platforms
As a mobile app user or a developer, its generally believed that mobile platforms provided security features are good enough to secure your data. Some of the popular options available on smartphones for data security are setting up device passcode, relying on hardware encryption, enforcing access rights based on file access or simply “just” delete the data.

A simple internet surfing will make you to realize that none of the above listed options are secure enough. There are more than 1 ways to by-pass device passcode in few seconds. There are numerous videos available on the internet which will show you step by step guide to by-pass device passcode in no time. Even you will find tools like GreyKey, Elcomsoft and others available in the market which allows you to not just take dump of unencrypted contents of the keychain but also break in to data protected by hardware encryption.  Android world is also not fool proof when it comes to data security. As a mobile app developer, we can apply restrictions to data files access based on files modes like MODE_PRIVATE etc. However, once someone jail break your device, they can get access to your physical file and clone your data. Lastly, if you think you have manually deleted your data and no one can get hold of your sensitive data, you are mistaken. People who are already familiar with OS X raw disks knows how to access deleted information, like email, images, voicemail and application data. The raw disk gives [hackers] access to the iPhone's entire file system. Unless you use Apple’s disk utility service to wipe an entire device clean, your data is always there to get extracted and exploited 
In a nutshell, just relying on platform security features doesn’t completely secure your data. 
How to Really Safeguard your Mobile App Data
A typical mobile application includes two aspects when it comes to data – data at rest & data in transit. Describing below few of the options which can be applied to secure data in both such stages.  

Secure Data at Rest:
Data in rest or in other words data stored in mobile storage, following two approaches should be applied to ensure data security: 
  1. Encipher the data with Stronger Encryption
While storing data onto device storage area, you should always encrypt your data using strong encryption algorithm like AES with strong encryption key of at least 256 bits key size. Additionally, the encryption key should be a derived key rather than a static key. 
 
On iOS platform, you can use CCCrypt API of Security package to encrypt your data:
 

 

On Android platform, you can use Bouncy Castle Crypto APIs to encipher your data:

 

 

 

2.Tie Data to the Device:

Its always advisable to tie the encrypted data to the device so that even if someone takes an extract of your data, they will not be able to decrypt it on their device. This can be achieved by using a device identified as one of the part while deriving the encryption key.
 
On iOS Platform, you can use either the UDID or MAC as unique device identifier. On Android platform, you can use IMEI for GSM and the MEID or ESN for CDMA phones or ANDROID_ID
 
Secure Data in Transit:
Unlike data in rest, there are more options available to secure data in transit. The well known way is      to transfer data on HTTPS channel. Along with it, you can take additional measures to further solidify security of data on wire.
  • Identify list of supported cipher suites and enable only strong ciphers. Example – TLS_RSA_WITH_AES_256_CBC_SHA. On iOS platform, you can achieve it by making use of classes available under CFNetwork Framework whereas in Android, you can use of SSLEngine.h [getSupportedCipherSuites(), setEnabledCipherSuites()]
  • Use MAC (Message Authentication Code) to identify that the request is coming from a legitimate client.
 
Challenges to Data Security on Smartphones
All the above illustrated mechanisms to safeguard your mobile data will crumble down by mere one act which is jailbreaking or rooting the mobile device. Though this threat will be real only if the hacker gets physical access to your device. But for mobile apps which stores secret sauce / seed data in the mobile local store, this threat is alarming as hackers can clone their secret and distribute/use their solution for fraudulent transactions. 

However, there are simple but effective ways to detect whether the device is jailbroken or rooted and take corrective measures like disabling your app or programmatically deleting the secret data etc. once identified 
Detect rooting/jailbreaking on Android Platform:
  1. Check if android.os.Build.TAGS contains “test-keys”.
  2. Check if ‘/system/app/Superuser.apk’ exists.
  3. Check if ‘su’ binary exists, run "which su" from Runtime.getRuntime().exec().
  4. Try writing a file to /data.
Detect rooting/jailbreaking on iOS Platform:

1.Sandbox Integrity Check:

1.Initiate a fork function call from your application.  

2.On jailbroken devices, the fork function will succeed.

2.Existence of any third-party application files on the device:

 

3.Validate kernel's signature check of signed code.

4.try accessing /Application/Preferences.app/General.plist You should be able to do so on a jailbroken iOS devices.

 

 
Let’s Conclude
Its strongly recommended that do not completely rely on security features provided by the platform. Make it a practice to enforce another layer of security to strongly protect your data.
  1. Encipher your data with stronger encryption.
  2. Tie data to the device.
  3. Eliminate weak SSL cipher suites for your platform.
  4. Ascertain authorization of each incoming request.
  5. Detect rooting/jailbreaking and take appropriate action.
At Equinix, we strongly follow the above discussed secure practices as part of our mobile app offerings like ECP Mobile App. This app enables Equinix customers to place orders for basic Equinix products and is available on both iOS & Android platforms. To know more about this app, search for ‘Equinix Customer Portal’ on Apple Store or Google Play. 
References
  1. https://gcn.com/Blogs/CyberEye/2015/11/Mobile-security-gains-respect.aspx
  2. https://www.statista.com/statistics/274774/forecast-of-mobile-phone-users-worldwide/
  3. https://www.statista.com/statistics/271644/worldwide-free-and-paid-mobile-app-store-downloads/
  4. https://www.imyfone.com/iphone-tips/bypass-iphone-passcode-without-restoring/
  5. https://blog.malwarebytes.com/security-world/2018/03/graykey-iphone-unlocker-poses-serious-security-concerns/
  6. https://www.elcomsoft.com/eppb.html
  7. https://icons8.com/icon/38599/cydia
  8. http://dedelupa.blogspot.com/2012/03/cara-hapus-super-user-dan-unroot.html
Blog Author: 
Mohit Mathur

Twitter Feed

About Equinix

Equinix connects the world's leading businesses to their customers, employees and partners inside the world's most connected data centers in 44 markets across five continents. In the United States, Equinix operates data centers in Atlanta, Boston, Chicago, Dallas, Denver, Los Angeles, Miami, New York, Philadelphia, Seattle, Silicon Valley and Washington D.C.

Developer Platform - Key Highlights

  • Explore, Subscribe & Connect to Equinix API Ecosystem​
  • Test Drive Equinix APIs using our Playground
  • Start your journey with Getting Started Guide

Recent News

  • Developer Forum is now Live
  • You can download the API catalog now in PDF or JSON or HTML or YAML
  • New Developer Experience Launched! Let us know your feedback.
  • ECX Fabric v3 API is recommended for integration.
  • Equinix Customer Portal APIs (Beta) is now available on Playground.
  • IBX SmartView Streaming API is now available on Developer Platform