Mobility | 30 Dec 2014 | 17 min

Security in Mobile Application

Mobile Application Security – An Introduction

Mobile phones are becoming an integral part of day-to-day activity. The corporate world is moving towards mobiles to make data continuously available on mobile devices. Therefore, mobile application security is becoming a core part of protecting users’ and enterprises’ private data from various security threats. In this article, we will look at how we can achieve security in cross-platform mobile applications.

Our Approach

  1. In-app Security: Mobile applications often need to store data on the device, in a local database or a local file. These local files and databases can be retrieved easily from a rooted or jail-broken device, which leaks the data into a hacker’s hands and allows misuse of personal as well as enterprise data. Securing local data is therefore a major task in mobile application development. The actions that can be taken are described below:
    1. Use of SQLCipher: SQLCipher is an alternative to SQLite. It gives a mobile application the same functionality for storing data in a local database, but with the data encrypted. It uses the SHA 256 algorithm to encrypt and decrypt the data stored in the local database. Because the local data is encrypted, it stays protected.
    2. Local database encryption: Other ways to encrypt and decrypt local data with strong encryption techniques are described below:
      • Using Encryption Algorithms: One of the basic techniques for hiding data is to encrypt it with secure algorithms such as SHA-256 or AES, using a private key, when it is stored in the local database, and to decrypt it whenever it is used.
      • Password-based encryption: One disadvantage of encrypting with a local key is the chance of hackers recovering the key, for example from the application code when the key is embedded there. In the password-based approach, the user has to enter a password each time they open the application or access sensitive data. This password is set as the database password, or used as the key to encrypt/decrypt data with a secure algorithm. This approach gives stronger data security: the key varies from user to user, and no encryption key is stored locally.
      • Registration ID/Device ID-based security: This approach can be used when the application has push notifications enabled. Data is encrypted and decrypted with the registration/device ID as the key. The device registration is a unique combination, which results in a key that hackers cannot break.
      • Storing data as Objects: This approach can be used with databases such as MongoDB, an ORM, etc. Data is stored in the database as runtime objects instead of as plain programming entities such as strings and integers. Combined with an encryption technique, this approach prevents hackers from decrypting the data. It can be very useful in cross-platform applications, where objects are identified at runtime.
      • Security of local files: An application often needs to download, create or capture documents, images and videos that contain sensitive data. The application should be able to delete these local data files as soon as they are no longer needed, or else protect them by encrypting them. Another approach, when downloading a file from the server, is to store the local file without an extension. This makes the app’s data files inaccessible to other apps.
    3. Data Transmission Security: Data transmission security matters whenever an application sends data to a remote server, because data in transit can be intercepted easily. The techniques below can be used to protect data transmitted over the air.
      1. Authentication: Authentication ensures that only authorized data is sent, by an authorized user, from an authorized device. The mobile application calls the server’s login service with the user and device details. On successful authentication, the server sends an authentication token to the device, and the device includes this token in every request it makes to the server. The server verifies the token and validates the request.
      2. Data Encryption: All data sent to or received from the server should be in encrypted form, using proper security algorithms. One way to secure data in transit is a triple encryption scheme. In this approach, the app holds a private and a public key. When the server sends data to a mobile device, it first encrypts the data using the current system timestamp, then encrypts the result again with the timestamp. Next, the server adds the timestamp to the response, encrypts the response with a private key and sends it to the mobile device. On the mobile side, the reverse process is performed: the data is decrypted with the public key, the timestamp is retrieved, and the data is decrypted again using the timestamp, giving three layers of encryption.
      3. SSL key-based encryption: In SSL key-based encryption, all data sent to the server is encrypted with a public key and decrypted on the server side with the private key, and vice versa for data received from the server.
    4. Location and Timestamp Based Security: Location-based security enables or disables features of the app depending on the current location of the mobile device. It is useful in healthcare and enterprise apps, in which device features such as the camera need to be enabled or disabled on company premises. Timestamp-based security restricts certain actions on the mobile to a set time, for example, the window in which an online exam can be taken from a mobile device. It is implemented by setting a time for the task on the server, sending that time to the mobile, and verifying the current time against the timestamp sent by the server when the task starts. Location-based security is implemented with geofencing techniques: we set geolocation boundaries and enable or disable the required features depending on the device’s current location.
    5. Biometric Authentication: Biometric authentication uses face recognition and voice recognition to ensure that the same user is accessing the current application session, which prevents misuse of the application. It is implemented by storing the user’s biometric information on the device, in a local database or local file, and verifying the biometric information the user provides when the application starts, such as a voice-enabled password, an iris scan, etc.
    6. Role Based Access: Role-based access gives a user a limited set of the application’s features. For example, an admin can access every module, while an end user can access only specific features. This approach restricts the user from higher-level features.
    7. Login Based Security: For login-based security, different approaches can be implemented:
      1. Only one device-based login session is allowed at a time; for example, the user cannot log in on two devices simultaneously. User login can also be configured for specific types of devices (iPhone, Samsung).
      2. Passcode- or pattern-based authentication is enabled as a single sign-on option. For example, the user logs in with their credentials the first time; after that, the app asks for a passcode or pattern.
    8. Remote Actions on Data: Mobile devices are easily lost or stolen, and many users change their devices. When users have private or enterprise data on their mobile devices, there is a strong chance of that data falling into the wrong hands. In such cases, we can take the following actions on an app and its data remotely:
      1. Remote data backup: The application sends its data to the server periodically, so the server holds a replica of the data. This replication from device to server becomes useful when the user changes devices and installs the app on the new one.
      2. Remote Data Wipe: When a user’s device is lost or stolen, or, in an enterprise, when a user leaves the organization, it becomes necessary to revoke the user’s access and remove all the data from the user’s device. For this, we use remote data wiping. It is implemented by sending a silent notification to the device indicating the wipe action, which makes the application delete the data on the device.
    9. Code Security: Users’ devices are often rooted or jail-broken. Such devices can easily leak an app’s IPA and APK files, from which one can decompile the code, steal the code logic and extract important data from the application code. This is especially harmful for cross-platform apps, where the application code is stored in local folders such as assets or www. Once the APK or IPA is cracked, the complete code of the cross-platform application is available to the user and can easily be replicated as another application. To avoid this, we should have the following code security:
      1. Encrypting local files: We encrypt local files with the app’s secret key. This includes the files in the assets/www folder, which secures the cross-platform code. The code is decrypted when the app is installed on the device and then loaded as the app.
      2. Code Encryption: We secure the application’s code with tools such as ProGuard and DexGuard for Android, which compress the code and apply encryption algorithms to it. If the APK is leaked, the hacker won’t be able to understand the code.

Ravi Agrawal

Manager - Healthcare Practice

A self-confessed healthcare warrior, an expert in Medicare, Medicaid, ACO, and Integration projects, Ravi speaks HL7 as a language. A doctor, doubling up as a Healthcare consultant, he is always a ‘patient’ person (pun intended) with a business mind. He says that technology never ceases to amaze him, and he is a student forever.

   
