Mobile Application Security – An Introduction
Mobile phones are becoming an integral part of day-to-day activity. The corporate world is moving towards mobiles to facilitate the continuous availability of data onto mobile devices. Therefore, mobile application security is becoming a core part of protecting users’ and enterprises’ private data from various security threats. In this article, we will have a look at how we can achieve security in cross platform mobile applications.
- In-app Security: Many times, it is required for mobile applications to have data stored onto devices in a local database or any local file. These local files and databases can be easily retrieved from the device by rooting or jail-breaking the devices, which in turn results in leakage of data into a hacker’s hand. This can cause misuse of personal as well as enterprise data. Therefore, securing local data becomes a major action in mobile application development. The actions that can be taken are described below:
- Use of SQLCipher: SQLCipher is an alternative to SQLite. It offers mobile applications the same functionality for storing data in a local database, but with the data encrypted. It uses the SHA 256 algorithm to encrypt and decrypt the data to be stored in the local database. Because the local data is encrypted, it stays protected.
- Local database encryption: Other ways to encrypt and decrypt the data with strong encryption techniques are defined below:
- Using Encryption Algorithms: One of the basic techniques to hide data is by encrypting the data with secure algorithms such as SHA-256, AES with a private key to encrypt data when it is stored on a local database and to decrypt it whenever it is used.
- Password-based encryption: One of the disadvantages of an encryption algorithm with a local key is the chance of hackers recovering the key from the code, when the key is available in code. In the password-based approach, the user has to enter a password each time he opens the application or accesses sensitive data. This password is set on the database as the database password, or it is used as a key to encrypt/decrypt data with a secure algorithm. This approach provides extensive data security: the key varies from user to user, and no encryption key is stored locally.
- Registration ID/Device ID-based security: This approach can be used when the application has to enable push notifications. It includes encrypting/decrypting data with a registration/device ID as the key. The device registration is a unique combination which results in a non-breakable key for hackers.
- Storing data as Objects: This approach can be used with databases such as MongoDB, ORM, etc. This approach involves storing data in a database as runtime objects instead of storing it as a normal programming entity such as strings or integers. Combined with an encryption technique, this approach prevents the data from being decrypted by hackers. This type of approach can be very useful in cross platform applications where objects are identified at runtime.
- Security of local files: Many times, an application is required to download, create, or capture documents, images, and videos which contain sensitive data. An application should have the capability to delete these local data files when they are not needed, or they should be protected by encrypting them. One more approach that can be enabled when downloading a file from the server is not to have the extension on the locally stored file. This will make app data files inaccessible to other apps.
- Data Transmission Security: Data transmission security is important when an application sends data to a remote server. The data that is being transmitted to the server can be easily hacked. So, the data that is being transmitted should be protected. The techniques below can be used for protecting data that is transmitted over the air.
- Authentication: Authentication provides a way to ensure that only authorized data is sent, by an authorized user with an authorized device. In this approach, the mobile application uses the server’s login service with user and device details. On authentication, the authentication server sends an authentication token to the device, which in turn is sent to the server with all the requests that are made to the server. The server verifies this token and validates the request.
- Data Encryption: In data encryption, all data that is sent to the server or received from the server should be in an encrypted format. Encryption of data should be implemented using security algorithms. One of the ways to secure data is by using a Triple Encryption Algorithm for data transmission. In this approach, we use a private and a public key in the app. When the server sends data to a mobile device, it encrypts data to be sent to the device with the current timestamp in the system. It then again encrypts data with a timestamp. Next, the server adds a timestamp to the response and encrypts it with a private key and sends the response to a mobile device. At the mobile side, the reverse process is done. Data is decrypted with a public key, the timestamp is retrieved, and the data is decrypted again with the timestamp, ensuring triple encryption.
- SSL key based encryption: In SSL key based encryption, all data sent to the server is encrypted with a public key and on the server side, that data is decrypted using the private key. Vice versa for receiving data from server.
- Location and Timestamp Based Security: Location based security is implemented in an application to enable/disable features of the app depending on the current location of the mobile device. This type of security is useful in health care apps and enterprise apps in which device features such as the camera need to be enabled and disabled on company premises. Timestamp-based security can be applied by setting a time to perform certain actions on mobile, such as enabling a time for an online exam from mobile devices. This type of security is implemented on devices by setting a time for a task on the server, sending this time to the mobile and, on start of that task, verifying the current time with the timestamp sent by the server. Location-based security is implemented with GeoFencing techniques where we set the geolocation boundaries and perform the required enabling/disabling of features depending on the current location of the device.
- Biometric Authentication: Biometric authentication includes authentication using face recognition and voice recognition to ensure that the same user is accessing the current application session. It can avoid vulnerable uses of the application. This is implemented by storing the user’s biometric information on the device in local databases or local files and then verifying the biometric information that the user enters when the application starts, such as a voice enabled password, iris scan, etc.
- Role Based Access: Role based access means allowing a user to get only limited features of an application. For example, Admin can get the entire module access, but the end user can get specific feature access. Using this approach, we can restrict the user from higher-level features.
- Login Based Security: For login-based security, different approaches could be implemented.
- Only one device-based session of login is allowed at a time. For example, the user cannot log in on two devices at a time. User login is configured for specific types of devices (iPhone, Samsung).
- Passcode or Pattern-based authentication is enabled for the single sign on option. For example, the first time, the user can log in using their credentials, and after that, they should be asked for a passcode or pattern authentication.
- Remote Actions on Data: Mobile devices are easily lost or stolen, and many users change their devices. In such situations, in which users have their private or enterprise data on mobile devices, there is a strong chance of the data falling into the wrong hands. In such cases, we can take the actions below on an app and its data remotely:
- Remote data backup: In this approach, we implement an application to send data to the user periodically, so that the server has a replica of the data. This replication of data from device to server becomes useful when the user changes the device and installs the app on another device.
- Remote Data Wipe: Many times, when a user’s device is lost or stolen, or, for enterprises, when a user leaves the organization, it becomes necessary to revoke the user’s access and remove all the data from the user’s device. For this, we use remote data wiping. This approach is implemented by sending a silent notification to the device indicating the data wipe actions, which in turn makes the application delete data on the device.
- Code Security: Many times, users’ devices are rooted or jailbroken. These types of devices can easily leak IPA and APK files for apps. From these IPA and APK files, one can decompile the code and steal the code logic as well as get important data from the application code. This can be harmful in the case of cross platform apps, where the application code is stored in local folders like assets or www. Once the APK or IPA code is cracked, the complete code of the cross platform application is available to the user, and it can very easily be replicated as another application. To avoid this, we should have the code security measures below:
- Encrypting local files: In this approach, we encrypt local files with the secret key for apps. This includes encryption of files in assets/ www folder, which in turn secures cross platform code. This code is then decrypted when the app is installed on the device and then loaded as an app on the device.
- Code Encryption: In this approach, we secure the application’s code by using tools such as ProGuard and DexGuard for Android, which compress code and apply encrypting algorithms to it. In case the APK is leaked, the code won’t be understood by a hacker.
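
The token flow from the Authentication item above, as an added example that is not code from the original article: the login service issues a token bound to the user and device, and the server checks signature, device and expiry on every request. The token format, the 15-minute lifetime, the function names and the demo secret are assumptions made for this illustration.

```javascript
const crypto = require('crypto');

// Constructed secret for this demo; a real server loads it from protected config.
const SERVER_SECRET = Buffer.from('constructed-demo-secret');
const TOKEN_TTL_MS = 15 * 60 * 1000; // assumed token lifetime

function sign(payload) {
  return crypto.createHmac('sha256', SERVER_SECRET).update(payload).digest('base64url');
}

// Called by the login service after the user and device details were accepted.
function issueToken(userId, deviceId, nowMs) {
  const claims = { userId, deviceId, exp: nowMs + TOKEN_TTL_MS };
  const payload = Buffer.from(JSON.stringify(claims)).toString('base64url');
  return payload + '.' + sign(payload);
}

// Called on every request. Returns the user id, or null if the token is
// malformed, forged, presented by a different device, or expired.
function verifyToken(token, deviceId, nowMs) {
  const parts = String(token).split('.');
  if (parts.length !== 2) return null;
  const expected = Buffer.from(sign(parts[0]));
  const given = Buffer.from(parts[1]);
  // Constant-time comparison; the payload is parsed only after it verifies.
  if (expected.length !== given.length || !crypto.timingSafeEqual(expected, given)) {
    return null;
  }
  const claims = JSON.parse(Buffer.from(parts[0], 'base64url').toString('utf8'));
  if (claims.deviceId !== deviceId) return null; // token copied to another device
  if (nowMs >= claims.exp) return null;          // expired
  return claims.userId;
}
```
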
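
The location and timestamp checks from the item above, as an added example that is not code from the original article: a circular geofence that allows the camera only when the device is provably outside the premises, and a task window evaluated against server time rather than the device's wall clock, which the user can change. The object shapes (`fix`, `premises`, `sync`, `win`) and function names are assumptions made for this illustration.

```javascript
const EARTH_RADIUS_M = 6371000;

// Great-circle distance in metres between two {lat, lon} points (haversine).
function distanceMeters(a, b) {
  const rad = (deg) => (deg * Math.PI) / 180;
  const dLat = rad(b.lat - a.lat);
  const dLon = rad(b.lon - a.lon);
  const h = Math.sin(dLat / 2) ** 2 +
    Math.cos(rad(a.lat)) * Math.cos(rad(b.lat)) * Math.sin(dLon / 2) ** 2;
  return 2 * EARTH_RADIUS_M * Math.asin(Math.sqrt(h));
}

// The camera is disabled on company premises. Fail closed: with no location
// fix, or a fix whose accuracy circle overlaps the fence, keep it disabled.
function cameraAllowed(fix, premises) {
  if (!fix) return false;
  const nearestPossible = distanceMeters(fix, premises.center) - (fix.accuracyM || 0);
  return nearestPossible > premises.radiusM;
}

// sync = { serverNowMs, monotonicAtSyncMs }, recorded when the server's time
// was received. Elapsed time comes from a monotonic clock, so changing the
// device's date and time does not move the result.
function serverNow(sync, monotonicNowMs) {
  return sync.serverNowMs + (monotonicNowMs - sync.monotonicAtSyncMs);
}

// win = { startMs, endMs } as set on the server for the task (e.g. an exam).
function taskAllowed(win, sync, monotonicNowMs) {
  const now = serverNow(sync, monotonicNowMs);
  return now >= win.startMs && now < win.endMs;
}
```
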