Mobile App Security Essentials - Android & iOS

Mobile applications handle sensitive user data and are increasingly targeted by attackers. This guide covers essential security practices for Android and iOS applications.

Mobile Security Threat Landscape

Mobile apps face unique security challenges:

• Device Compromise: User’s device may be rooted/jailbroken
• Network Attacks: Communication over untrusted networks
• Data Storage: Sensitive data stored on the device
• Code Analysis: Apps can be reverse engineered
• Third-party Libraries: Dependencies may contain vulnerabilities

Secure Data Storage

Protecting sensitive data on the device is critical.

Android Data Storage

Avoid These Practices:

// ❌ Don't store sensitive data in SharedPreferences unencrypted
SharedPreferences prefs = context.getSharedPreferences("settings", MODE_PRIVATE);
prefs.edit().putString("password", userPassword).apply();

// ❌ Don't store in plain text files
File file = new File(context.getFilesDir(), "secrets.txt");

Secure Approaches:

1. Android EncryptedSharedPreferences (Recommended)

// ✅ Use encrypted SharedPreferences
EncryptedSharedPreferences preferences = EncryptedSharedPreferences.create(
    context,
    "secret_shared_prefs",
    masterKey,
    EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
    EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM
);

2. Android Keystore System

// ✅ Use Android Keystore for cryptographic operations
KeyStore keyStore = KeyStore.getInstance("AndroidKeyStore");
keyStore.load(null);

KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT;

3. File Encryption

// ✅ Encrypt files before storage
File encryptedFile = EncryptedFile.Builder(
    context,
    file,
    masterKey,
    EncryptedFile.FileEncryptionScheme.AES256_GCM_HKDF_4KB
).build();

iOS Data Storage

Secure Storage Options:

1. Keychain (Most Secure)

// ✅ Store sensitive data in Keychain
let query: [String: Any] = [
    kSecClass as String: kSecClassGenericPassword,
    kSecAttrAccount as String: "username",
    kSecValueData as String: "sensitive_data".data(using: .utf8)!
]
SecItemAdd(query as CFDictionary, nil)

2. Data Protection

// ✅ Use FileManager with data protection
try data.write(
    to: url,
    options: .completeFileProtection
)

3. Avoid These:

// ❌ Don't store in UserDefaults unencrypted
UserDefaults.standard.set(password, forKey: "password")

// ❌ Don't store in plain text files
try data.write(toFile: path, atomically: true)

Secure Communication

Mobile apps communicate with servers over networks that may be compromised.

Certificate Pinning

Prevent man-in-the-middle attacks by pinning certificates:

Android:

// ✅ Implement certificate pinning
NetworkSecurityConfig config = new NetworkSecurityConfig.Builder()
    .setPinningPolicy(new PinningPolicy(
        Collections.singleton("sha256/your-cert-hash=")
    ))
    .build();

iOS:

// ✅ Implement certificate pinning
class CertificatePinning: NSObject, URLSessionDelegate {
    func urlSession(
        _ session: URLSession,
        didReceive challenge: URLAuthenticationChallenge,
        completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void
    ) {
        // Validate certificate against pinned cert
    }
}

SSL/TLS Configuration

• Always use HTTPS for all communications
• Disable SSLv3, TLSv1.0, TLSv1.1
• Use TLS 1.2 minimum (TLS 1.3 preferred)
• Validate all certificates properly

Authentication & Authorization

Secure Authentication

Best Practices:

• Use OAuth 2.0 / OpenID Connect
• Don’t store user credentials on device
• Implement biometric authentication
• Implement proper token refresh mechanisms
• Use secure session management

Preventing Unauthorized Access

• Validate permissions on sensitive operations
• Implement role-based access control
• Enforce re-authentication for sensitive actions
• Log and monitor authentication events

Vulnerability Testing for Mobile Apps

Static Analysis (SAST)

Android:

• Android Lint: Built-in security checks
• MobSF: Mobile Security Framework
• Qark: Quick Android Review Kit

iOS:

• LLVM Static Analyzer: Built-in
• Clang Static Analyzer
• Swiftlint: Code style and security checks

Dynamic Analysis (DAST)

Android:

• Frida: Dynamic instrumentation
• Burp Suite: Proxy testing
• Android Studio Debugger: Runtime analysis

iOS:

• Burp Suite: Proxy intercept
• Charles Proxy: Network analysis
• LLDB Debugger: Runtime debugging

Reverse Engineering Considerations

Android:

• Code can be decompiled using tools like apktool
• Sensitive logic should be offloaded to servers
• Consider code obfuscation
• Implement integrity checks

iOS:

• Compiled code is harder to reverse than Android
• Still vulnerable to runtime analysis
• Use obfuscation tools
• Implement anti-tampering checks

Secure Development Practices

Dependency Management

• Keep frameworks and libraries updated
• Review third-party library security
• Minimize dependencies
• Monitor for known vulnerabilities

Code Security

• Implement input validation
• Use parameterized queries (prevent SQL injection)
• Avoid hardcoding secrets
• Remove debug logging in production
• Implement proper error handling

Testing Strategy

1. Unit Tests: Security of individual components
2. Integration Tests: Security of component interactions
3. Penetration Testing: Professional security assessment
4. Automated Scanning: Continuous security checks

Common Mobile Vulnerabilities

Insecure Data Storage

• Sensitive data stored unencrypted
• Exposed API keys and tokens
• Unencrypted database files

Broken Cryptography

• Using weak encryption algorithms
• Hardcoded encryption keys
• Insecure random number generation

Improper Platform Usage

• Misuse of platform features
• Missing keychain usage (iOS)
• Improper permission handling

Insecure Communication

• No SSL/TLS validation
• Missing certificate pinning
• Logging sensitive data

Compliance & Standards

• OWASP Mobile Top 10: Essential vulnerabilities
• PCI DSS: Payment card data protection
• HIPAA: Healthcare data protection
• GDPR: User data privacy

Security Testing Checklist

• All sensitive data encrypted at rest
• SSL/TLS used for all communications
• Certificate pinning implemented
• Authentication properly validated
• Authorization controls enforced
• Input validation on all data
• Secure session management
• No hardcoded secrets
• Proper error handling
• Regular security updates

Conclusion

Mobile app security requires a holistic approach covering secure data storage, proper authentication, encrypted communication, and regular security testing. As mobile apps continue to grow in importance, security must be a priority from the start of development, not an afterthought.

At Cyenetic Solutions, our mobile security experts conduct comprehensive Android and iOS penetration tests, identifying vulnerabilities in your applications and providing clear remediation guidance. We help ensure your mobile apps protect user data and maintain user trust.

Secure your mobile applications - Schedule a mobile app security assessment today.