The Three Foundations of Mobile Application Security

Alex Archondakis

Managing Consultant

Alex is one of our managing consultants here at Pentest People, focusing mainly on web application penetration testing. Alex has spoken at many key events while with us, including BSides London and even DSS ITSEC Latvia.

As mobile applications become increasingly sophisticated, they are storing more of our sensitive data every day. From banking to fitness, our financial and health data follows us around with the convenience of our smartphones.

At a high level, a mobile application architecture consists of the local client (the application on the smartphone) and an API (Application Programming Interface), which essentially means the ability to talk to a remote server via HTTP (Hypertext Transfer Protocol). This allows the application to request and gather data to display to the user.

Mobile application (Client) -> API -> Server -> API -> Mobile application (Client)

This can also be thought of as packaged code on a phone (the mobile application/client) and internet traffic (the API).

This shows the threat landscape: an attacker can choose to attack the local client (packaged code on the phone), or try to attack the internet traffic (API) from the client to the server.

The former typically involves reverse engineering applications to view their source code and configurations. Attackers will typically look for unprotected services, log files and even database information. The latter may involve attacking unprotected parameters within the API to retrieve, modify or manipulate data. It may also involve monitoring traffic to intercept unencrypted credentials.

With this in mind, there are three foundations that all applications should implement to significantly reduce the overall threat landscape.

Root/Jailbreak Detection

To root or jailbreak a device is to exploit a vulnerability within the underlying operating system that allows one to access the phone's 'root' user. This user has super privileges on the phone, meaning that they can perform a lot more actions than would be available to a normal user. This means that application files can be browsed, log files can be monitored and powerful tools can be used to attack the application. If the application cannot load on a phone, it will not populate sensitive information such as logs on that phone, so an attacker will not be able to attack the application in this way.

Root detection is a solution that prevents applications from running on compromised devices; the first foundation therefore prevents the application from leaking any sensitive information to an attacker. It should be noted that there are usually ways to bypass root/jailbreak detection, but it can be time-consuming and there is no guarantee of success. Opportunist attackers will likely be put off by this defence.

SSL Pinning

The traffic that is sent to the server can be protected with SSL certificate pinning, an effective defence that prevents attackers from being able to intercept traffic going through the API. This means that an attacker cannot try to find flaws in the API parameters or logic, as they will not be able to see or manipulate the traffic. The second foundation is to prevent viewing of API traffic.
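The check a pinning client performs on the server's certificate chain, written in Python to show the logic rather than any one mobile SDK; this is an added example, not code from the original article. It pins the hash of the public key (SubjectPublicKeyInfo) so a renewed certificate with the same key still passes, and keeps a backup pin; all function names and the cert-shaped sample data are constructed for illustration.

```python
import base64, hashlib

def read_tlv(buf, pos):
    """Parse one DER element at pos; return (tag, content_start, end)."""
    tag, first = buf[pos], buf[pos + 1]
    n = first & 0x7F if first & 0x80 else 0      # long form: n length bytes
    start = pos + 2 + n
    length = int.from_bytes(buf[pos + 2:start], "big") if n else first
    if first == 0x80 or start + length > len(buf):
        raise ValueError("malformed or truncated DER")
    return tag, start, start + length

def spki_pin(cert_der):
    """Base64 SHA-256 of the certificate's SubjectPublicKeyInfo element."""
    _, pos, _ = read_tlv(cert_der, 0)            # Certificate SEQUENCE
    _, pos, _ = read_tlv(cert_der, pos)          # tbsCertificate SEQUENCE
    tag, _, after = read_tlv(cert_der, pos)
    pos = after if tag == 0xA0 else pos          # skip optional [0] version
    for _field in range(5):  # serial, signature, issuer, validity, subject
        pos = read_tlv(cert_der, pos)[2]
    tag, _, end = read_tlv(cert_der, pos)        # subjectPublicKeyInfo
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo not found")
    return base64.b64encode(hashlib.sha256(cert_der[pos:end]).digest()).decode()

def chain_is_pinned(chain_der, pins):
    """Accept only if some certificate in the presented chain has a pinned key."""
    for cert in chain_der:
        try:
            if spki_pin(cert) in pins:
                return True
        except (ValueError, IndexError):
            continue                             # unparseable: never a match
    return False

# Constructed sample data: cert-shaped DER, not real signed certificates.
def der(tag, content):                           # sample encoder, content < 256 bytes
    n = len(content)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x81, n])) + content

def sample_cert(key, serial):
    spki = der(0x30, der(0x30, b"") + der(0x03, b"\x00" + key))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, bytes([serial]))
              + der(0x30, b"") * 4 + spki)
    return der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00"))

LEAF = sample_cert(b"app-key-1" * 20, 1)
RENEWED = sample_cert(b"app-key-1" * 20, 2)      # new certificate, same key
PROXY = sample_cert(b"proxy-key" * 20, 3)        # interception proxy's key
PINS = {spki_pin(LEAF), spki_pin(sample_cert(b"backup-key" * 20, 9))}
```

In a shipped application the same comparison is normally delegated to the platform's or HTTP library's pinning facility, with the pin set built into the app at release time.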

Code Obfuscation

Mobile applications can easily be reverse engineered to view the source code and configuration files. If the code has been obfuscated, it will not be possible to understand the code, so an attacker will not be able to learn information about the application.

It should be noted that these techniques may be bypassed, but it can be time-consuming with no guarantee of success. Implementing these defences will significantly reduce the overall threat landscape of your mobile application and likely put off opportunist attackers.
