Mobile apps are now essential for communication, entertainment, shopping, banking and other aspects of our daily lives. As security threats increase, it's crucial to ensure that mobile apps are secure. Insecure mobile apps can lead to data breaches, sensitive information theft, and financial losses. Adopting best security practices is essential to safeguard your mobile apps, APIs, and users' data and privacy.
This blog post outlines the best practices for mobile app security that every mobile app developer should consider while developing mobile apps and where Approov can be used to enhance the security of a mobile app and their APIs. We'll cover topics like secure code development, authentication and authorization, network security, secure data storage, and regular security testing.
By following these best security practices, developers can ensure that their mobile apps are secure, reliable, trustworthy and not easily reverse engineered and MitM attacked to steal secrets, sensitive data and to enumerate all the API endpoints it talks with to then attack the API from outside the mobile app.
Secure code development is a critical aspect of mobile app security. It involves developing code that is free from vulnerabilities and follows industry-standard security guidelines. By using secure coding practices, developers can prevent a wide range of security issues, such as injection attacks, cross-site scripting (XSS) attacks, and buffer overflow attacks. Here are some best practices for secure code development:
Using secure coding standards, such as the OWASP Mobile Top 10 and OWASP Mobile Application Security Verification Standards (MASVS), can help developers build secure mobile apps. These standards provide guidelines and best practices for identifying and addressing common security issues in mobile apps. By adhering to these standards, developers can minimize the risk of introducing security vulnerabilities into their code.
Performing regular code reviews is an essential aspect of secure code development. Code reviews help identify potential security issues and enable mobile developers to address them before releasing the mobile app. It's crucial to have a peer review process in place to ensure that all code is reviewed thoroughly and to have at least one security minded person reviewing it, one that is able to look at code like an attacker would, because mobile developers usually lack this skill.
Proper error handling is a crucial aspect of secure code development. Mobile developers must handle errors in a way that doesn't compromise the app's security. For example, error messages should be generic and not reveal sensitive information, neither the cause of the error, unless the error is something a legit user can act on or should be informed of. Also, error messages should be logged in a secure manner, without sensitive data and never displayed to end-users.
Storing data securely is critical in mobile app security. Developers must ensure that sensitive data is encrypted and stored in a secure location. Storing data in plain text or in an insecure location can lead to data breaches and other security issues. Mobile app developers can use secure data storage solutions such as the Android Keystore and iOS Keychain to store sensitive data securely. More details on this in the next section.
By following these secure code development best practices, developers can ensure that their mobile apps are free from vulnerabilities and protect users data and privacy.
Secure data storage is critical in mobile app security. Mobile apps often store sensitive data, such as user credentials and payment information, locally on the device. Here are some best practices for secure data storage:
Using encryption is essential in mobile app security. Developers should ensure that sensitive data stored locally on the device is encrypted using a secure algorithm. Encryption makes it more difficult for attackers to access and read sensitive information if they gain access to the device.
Using secure storage APIs is crucial in mobile app security. Secure storage APIs, such as Keychain on iOS and Android Keystore on Android, provide a secure location to store sensitive data on the device. These APIs use hardware-level encryption and provide additional protection against attacks that attempt to access stored data.
To enhance the security of sensitive data stored in mobile apps, developers can use App Instance Secure Strings from Approov. This technique involves storing the data in an encrypted form, which can help to protect it from analysis tools that might attempt to extract sensitive information while at rest or while used by the mobile app at runtime.
With App Instance Secure Strings, the decryption key is only provided to the app from the Approov cloud service if the remote mobile app attestation is passed. This ensures that the key is only given to genuine and valid instances of the mobile app, and not to attackers or malicious apps.
It's worth noting that the string values are never transmitted to or stored by the Approov cloud service itself. Instead, the service only manages the encryption key and not the data.
Implementing data retention policies is important in mobile app security. Developers should ensure that sensitive data is retained only for as long as necessary and is securely deleted when it is no longer needed. This reduces the risk of data breaches in case the device is lost or stolen.
Avoiding storing sensitive data locally is an effective way to enhance mobile app security. If sensitive data does not need to be stored locally, developers should avoid doing so. Instead, they can use secure APIs to retrieve the data from a secure server when needed, reducing the risk of data breaches if the device is lost or stolen.
By following these secure data storage best practices, developers can ensure that sensitive data stored locally on the device is protected and reduce the risk of data breaches in case the device is lost or stolen.
Authentication and authorization are essential aspects of mobile app security. Authentication is the process of verifying the identity of a user, while authorization is the process of granting or denying access to specific resources or functionalities based on the user's identity.
Developers should prefer to use OAuth2 or similar authorization frameworks for user authentication to not have to deal with the burden of keeping the user credentials secure and not have them leaked in a data breach.
When a mobile app is used in conjunction with a backend and/or third-party service, it is important for these services to implement best security practices for authentication and authorization. This should be verified by the mobile developers with each release of the app.
However, if the mobile app is a standalone application, the responsibility for following and applying best practices for security lies solely with the mobile developer. It is important to take a proactive approach to security and regularly assess and address any potential vulnerabilities.
Here are some best practices for authentication and authorization:
Token-based authentication is a widely used mechanism for user authentication in mobile apps. Developers should use token-based authentication mechanisms, such as OAuth2 or JSON Web Tokens (JWT). OAuth2 is an authorization framework that enables users to grant access to third-party applications without sharing their credentials. This is a preferable approach to email/password combo authentication where you need to keep the credential safe at rest to avoid them being possible to be reused and reverse engineered in a data breach.
Using multi-factor authentication (2FA) is an effective way to enhance mobile app security. Multi-factor authentication requires users to provide two or more forms of identification, and weak mechanisms of 2FA should be avoided, such as text messages (sms), and this needs to be enforced at the API level. At the mobile app level the developer may require the use of fingerprint or pin to allow access to the mobile app's most sensitive areas. This extra layer of security makes it more difficult for attackers to gain access to the mobile app with runtime attacks by using instrumentation frameworks, such as Frida.
Limiting access to sensitive data is critical in mobile app security. Developers should ensure that users only have access to the data and functionalities that they need to perform their tasks. Access controls should be implemented to restrict access to sensitive data and functionalities based on user roles and permissions at the API level, not at the mobile app level, otherwise an attacker just needs to launch MitM attack to see which data the API is sending and not being displayed by the mobile app. Don’t be that developer that uses API endpoints that return more sensitive data then what is needed. Also, when performing high sensitive operations partial or complete authentication should be required again, password and/or 2FA, even if the current session is still valid, and this must be also implement ideally at the API level, otherwise the MitM attack can be used to issue/transform/replay API requests in order to bypass access limits at the mobile application level.
To ensure your API backend doesn’t leak sensitive data you need to lock it down to genuine instances of your mobile apps. To achieve this it is recommended that you implement a solution that can provide end-to-end security for both your mobile app and API servers. This will help prevent attackers from accessing and fulfilling API requests. One way to achieve this is by using remote mobile app attestation in combination with dynamic certificate pinning. By doing so, the API server can confirm the authenticity of the API request and serve it without the risk of exposing sensitive data to attackers. For more information on how to implement this approach, you can refer to the article How to Protect Against Certificate Pinning Bypassing.
By following these authentication and authorization best practices, mobile developers can ensure that only authorized users can access their data from genuine instances of their mobile apps, thus protecting users data and privacy.
Network security is crucial in mobile app security. Mobile apps communicate with servers over the internet, making them vulnerable to network-based attacks. Here are some best practices for network security:
Using secure communication protocols, such as HTTPS, is critical in mobile app security. HTTPS encrypts data transmitted between the app and the server, making it more difficult for attackers to intercept and read sensitive information, therefore you shouldn’t opt-in for insecure traffic.
Validating server certificates is essential in mobile app security. Developers should ensure that the server's certificate is valid and issued by a trusted certificate authority (CA). Failing to validate server certificates can lead to man-in-the-middle (MITM) attacks, where attackers intercept and modify data transmitted between the app and the server. This is nowadays done for you by the Operating System, unless you opt-in to not check for them, which you shouldn’t ever do.
Certificate pinning is a powerful technique that can enhance network security. By implementing certificate pinning, developers can specify a set of trusted certificates that the mobile app should accept, instead of relying solely on the operating system's list of trusted certificate authorities (CAs). This can make it more difficult for attackers to impersonate the server and intercept data transmitted between the app and server.
In addition to specifying a set of trusted certificates, developers can also use public key pinning. This involves verifying that the server's public key matches the pinned public key before establishing a connection. By doing so, the app can ensure that it is connecting to the intended server and prevent man-in-the-middle attacks.
Overall, implementing certificate and public key pinning is a valuable security measure that can help to protect sensitive data transmitted between the mobile app and API server, but mobile app developers should be aware that it's possible to bypass certificate pinning. A solution exists and requires that you use dynamic certificate pinning.
Token-based authentication is a common approach used in mobile app security to secure requests between a mobile app and an API backend where the API needs to authenticate who is in the request, the user, and what is doing the request, the mobile app.
This approach involves the use of tokens, which are small pieces of data that are exchanged between the mobile app and server to identify who and what in an API request. On its simplest form a token can be an high entropy string, such as gLZmIdgkjgtLWUcqcPeQoGVZQCZtjpALpAHlswpdcBqVVJeOIeEKUPLuThRl that is commonly named as an api-key, api-token, etc.. The high entropy string doesn’t carry any kind of data representation on it, and just acts as a secret identifier for what is doing the request to the API server, the mobile app.
A more useful type of token is a JWT, that is composed of three parts, header.payload.signature, such as:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwiZW1haWwiOiJpbmZvQGFwcHJvb3YuaW8iLCJ1cmwiOiJodHRwczovL2FwcHJvb3YuaW8iLCJpYXQiOjE1MTYyMzkwMjJ9.YjnPmvjpvUhKPJOtwVoOVFwBZLG90CijGstOMCiKPss
The JWT allows the developer to embed some data on the payload segment of the token, that is cryptographically signed with a secure algorithm, with the option of encrypting the payload. JWTs were made popular by OAUTH2 providers that return them as a result of authenticating a user, that is then used in all API requests where who is in the request needs to be authenticated and authorized by the API backend. A JWT can be as useful for authenticating what is making the request to the API server, with the added benefit that it can include additional data for the API backend to use without the need to query a database to infer it.
Using token-based authentication has several advantages, including:
However, token-based authentication is not without its challenges. For example, tokens can be stolen if they are not properly protected or if the mobile app is compromised. Additionally, token revocation can be challenging, particularly if tokens have a long expiration time.
To address these challenges, developers should follow best practices for token-based authentication, such as using secure encryption and signing algorithms, regularly rotating tokens, and implementing proper token revocation mechanisms. Developers should also use other security measures, such as SSL/TLS encryption and two-factor authentication, to further enhance the security of mobile app authentication and authorization.
Let’s see how we can use Approov to enhance the security of using tokens to identify who is in the request and what is doing the request.
When a user logs in to a mobile app, the server generates a token and sends it back to the mobile app. The mobile app then stores the token locally and sends it back to the API server with each subsequent request. The server checks the token to ensure that the request is coming from an authenticated user and that the user has permission to access the requested resource.
To securely store the token locally in the mobile Approov provides App Instance Secure Strings. This technique involves encrypting the tokens and storing them within the app. However, the encryption/decryption key is only provided just-in-time of being used, and only for valid and genuine instances of the mobile application that aren't under attack or running in a risky device.
By adding Approov to your mobile app you also benefit from dynamic certificate pinning out of the box, thus protecting your tokens from being stolen with a MitM attack.
Traditionally developers resort to hardcode their API keys in the mobile app code, thus exposing them to be stolen via reverse engineering or MitM attacks. Another approach that some developers use is to retrieve them at runtime on the first-time the mobile app is launched, but this requires trust-on-first-use (TOFU), which is easily defeated by an attacker on a device he controls.
To address hard-coded secrets and secrets retrieved via TOFU Approov provides a feature named Runtime Secrets where secrets are kept securely stored in the Approov cloud service and provide to the mobile app just-in-time of being used for the API request, but only to mobile apps that pass the Approov remote mobile app attestation.
If you're interested in learning more about this approach, we recommend reading the article Hands-on Mobile App and API Security - Runtime Secrets Protection. This article provides more details on how to implement Runtime Secrets in your mobile app and enhance its security.
By using Runtime Secrets, developers can help to prevent attackers from stealing or manipulating tokens, even if the mobile device is compromised. This approach can enhance the security of mobile apps that handle sensitive user information, such as financial, medical data and other PII data.
Regular security testing is critical in mobile app security. It helps identify vulnerabilities and weaknesses in the app's security measures and allows developers to address them before they can be exploited by attackers. Here are some best practices for regular security testing:
Conducting penetration testing is an effective way to enhance mobile app security. Penetration testing involves simulating an attack on the app to identify vulnerabilities and weaknesses in its security measures. Developers can use tools, such as Burp Suite and OWASP ZAP, to conduct penetration testing and identify vulnerabilities that can be addressed before the mobile app is released to the public. A good testing guide to follow while doing so is the OWASP Mobile Application Security Testing Guide
Conducting code reviews is important in mobile app security. Developers should review their code regularly to identify vulnerabilities and weaknesses that can be exploited by attackers. Code reviews should focus on security-related code, such as authentication and encryption, and identify any code that does not conform to secure coding practices.
Conducting security audits is an effective way to enhance mobile app security. Security audits involve reviewing the app's security measures to identify vulnerabilities and weaknesses that can be addressed. Developers can use the OWASP Mobile Application Security Checklist to conduct security audits and identify vulnerabilities that can be addressed before the app is released to the public.
Conducting user acceptance testing is important in mobile app security. User acceptance testing involves testing the app's security measures with real users to identify vulnerabilities and weaknesses that can be addressed. This helps ensure that the app's security measures are effective in real-world scenarios and protect users' data and privacy.
By following these regular security testing best practices, developers can ensure that their mobile apps are less vulnerable to attacks and protect users' data and privacy. Regular security testing is critical in mobile app security and should be conducted regularly to identify and address vulnerabilities before they can be exploited by attackers.
Mobile app security is critical in today's digital world where millions of people rely on mobile apps for their day-to-day activities. Developers must follow best practices in mobile app security to ensure that their apps are less vulnerable to attacks that can compromise users' data and privacy.
In this blog post, we covered several best practices in mobile app security, including secure code development, authentication and authorization, network security, secure data storage, user input and output validation, and regular security testing. By following these best practices, developers can ensure that their mobile apps are less vulnerable to attacks and protect users' data and privacy.
Mobile app security is an ongoing process that requires regular updates and improvements. Developers must stay up-to-date with the latest security trends and technologies to ensure that their apps are secure and protect users' data and privacy. By investing in mobile app security, developers can build trust with their users and enhance their brand reputation.
In summary, mobile app security is critical in today's digital world, and developers must follow best practices to ensure that their apps are secure and protect users' data and privacy. By investing in mobile app security, developers can build trust with their users, enhance their brand reputation, and provide a safe and secure user experience.
Cover Photo by Christina Morillo from Pexels
Paulo Renato is known more often than not as paranoid about security. He strongly believes that all software should be secure by default. He thinks security should be always opt-out instead of opt-in and be treated as a first class citizen in the software development cycle, instead of an after thought when the product is about to be finished or released.
