It's no secret that mobile has become an integral part of our everyday lives. As per a survey conducted by Statista, the number of mobile phone users in the world is expected to pass the 5 billion mark by 2019. Mobile phones powered by numerous mobile applications not just help consumer segment but their usage has become common within organizations through bring-your-own-device concept. Despite of concerns of data security, device management and bunch of other potential complications, both consumers and enterprises are embracing mobile applications to get help in their day-to-day activities. In 2017, there were 178.1 billion mobile app downloads from various app stores where as in 2018 this number has already reached 205.4 billion.
With such exponential growth of mobile phones, its becoming imperative for mobile applications developer community to provide secure mobile apps for our users. In this article, we will talk about some of the solutions which can be applied to secure your mobile apps from other malicious apps/users.
- It’s a secure storage area available on all iOS devices.
- Data is sand boxed, so data of one app cannot be accessed by any other app
- Data once saved gets preserved across app re-installation.
- You can easily store data in keychain by following below given code snippet:
- Data stored in Isolated Storage is privately stored in the device memory.
- Files saved to the internal storage are private to your application.
- When the user uninstalls the application, the associated files are removed.
- You can easily store data in isolated storage by following below given code snippet:
Myths About Data Security on Mobile Platforms
As a mobile app user or a developer, its generally believed that mobile platforms provided security features are good enough to secure your data. Some of the popular options available on smartphones for data security are setting up device passcode, relying on hardware encryption, enforcing access rights based on file access or simply “just” delete the data.
A simple internet surfing will make you to realize that none of the above listed options are secure enough. There are more than 1 ways to by-pass device passcode in few seconds. There are numerous videos available on the internet which will show you step by step guide to by-pass device passcode in no time. Even you will find tools like GreyKey, Elcomsoft and others available in the market which allows you to not just take dump of unencrypted contents of the keychain but also break in to data protected by hardware encryption. Android world is also not fool proof when it comes to data security. As a mobile app developer, we can apply restrictions to data files access based on files modes like MODE_PRIVATE etc. However, once someone jail break your device, they can get access to your physical file and clone your data. Lastly, if you think you have manually deleted your data and no one can get hold of your sensitive data, you are mistaken. People who are already familiar with OS X raw disks knows how to access deleted information, like email, images, voicemail and application data. The raw disk gives [hackers] access to the iPhone's entire file system. Unless you use Apple’s disk utility service to wipe an entire device clean, your data is always there to get extracted and exploited
In a nutshell, just relying on platform security features doesn’t completely secure your data.
How to Really Safeguard your Mobile App Data
A typical mobile application includes two aspects when it comes to data – data at rest & data in transit. Describing below few of the options which can be applied to secure data in both such stages.
- Encipher the data with Stronger Encryption
2.Tie Data to the Device:
- Identify list of supported cipher suites and enable only strong ciphers. Example – TLS_RSA_WITH_AES_256_CBC_SHA. On iOS platform, you can achieve it by making use of classes available under CFNetwork Framework whereas in Android, you can use of SSLEngine.h [getSupportedCipherSuites(), setEnabledCipherSuites()]
- Use MAC (Message Authentication Code) to identify that the request is coming from a legitimate client.
- Check if android.os.Build.TAGS contains “test-keys”.
- Check if ‘/system/app/Superuser.apk’ exists.
- Check if ‘su’ binary exists, run "which su" from Runtime.getRuntime().exec().
- Try writing a file to /data.
1.Sandbox Integrity Check:
1.Initiate a fork function call from your application.
2.On jailbroken devices, the fork function will succeed.
2.Existence of any third-party application files on the device:
3.Validate kernel's signature check of signed code.
4.try accessing /Application/Preferences.app/General.plist You should be able to do so on a jailbroken iOS devices.
- Encipher your data with stronger encryption.
- Tie data to the device.
- Eliminate weak SSL cipher suites for your platform.
- Ascertain authorization of each incoming request.
- Detect rooting/jailbreaking and take appropriate action.