It is hard to imagine life today without mobile devices. We use them everywhere to facilitate our lifestyle. They help us communicate with each other, have fun, and even make purchases. We use them at home and at work. These devices accompany us on business trips and vacations. Our children use them for education and for amusement. They are part of our daily lives.
A mobile device usually has an operating system (OS) installed on it. The OS lets us perform the basic operations of the device, namely make calls, send SMS, take pictures, surf the Internet, etc. The feature set of the OS can be extended by installing additional, more specific mobile apps.
Local data storage
According to MASVS, an application must use system credential storage facilities to store sensitive data, such as user credentials or cryptographic keys (recommendation 2.2).
Usually, Android keeps application tokens in the account.db database. Root permission is required to access that database. The assumption that account.db remains inaccessible holds only for the newest Android versions, because older versions may contain known vulnerabilities that can be exploited to obtain root permission. In any case, an application should never keep user credentials in that database as plain text. Instead, it should use tokens that expire after a period of time or when the user logs out.
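The token handling recommended above (system credential storage, no plaintext credentials, tokens that expire or are dropped at logout), as an added example that is not part of the original article. It uses the Android AccountManager API, which is what backs the accounts database mentioned here; the account type, token type and one-hour TTL are assumptions, and the app is assumed to ship its own AbstractAccountAuthenticator for that account type, which is what addAccountExplicitly and peekAuthToken require.

```java
import android.accounts.Account;
import android.accounts.AccountManager;
import android.content.Context;
import android.os.Bundle;

/**
 * Session token handling built on the Android AccountManager.
 * ACCOUNT_TYPE and TOKEN_TYPE are hypothetical; the app must register an
 * AbstractAccountAuthenticator for ACCOUNT_TYPE for these calls to succeed.
 */
public final class SessionTokenStore {
    private static final String ACCOUNT_TYPE = "com.example.app";        // assumed
    private static final String TOKEN_TYPE = "com.example.app.session";  // assumed
    private static final String KEY_EXPIRES_AT = "expires_at_ms";
    private static final long DEFAULT_TTL_MS = 60L * 60L * 1000L;        // one hour, assumed

    private final AccountManager am;

    public SessionTokenStore(Context context) {
        this.am = AccountManager.get(context.getApplicationContext());
    }

    /**
     * Store a short-lived token after a successful login. The password argument is
     * null on purpose: the user's credentials are never written to the accounts database.
     */
    public void onLoginSucceeded(String username, String sessionToken, long nowMs) {
        Account account = new Account(username, ACCOUNT_TYPE);
        String expiresAt = Long.toString(nowMs + DEFAULT_TTL_MS);
        Bundle userData = new Bundle();
        userData.putString(KEY_EXPIRES_AT, expiresAt);
        if (!am.addAccountExplicitly(account, /* password = */ null, userData)) {
            // addAccountExplicitly returns false when the account already exists:
            // keep the account and just refresh its expiry.
            am.setUserData(account, KEY_EXPIRES_AT, expiresAt);
        }
        am.setAuthToken(account, TOKEN_TYPE, sessionToken);
    }

    /**
     * Returns the cached token, or null if none is stored or it has expired.
     * An expired token is invalidated on the spot so it cannot be reused later.
     */
    public String currentToken(String username, long nowMs) {
        Account account = new Account(username, ACCOUNT_TYPE);
        String token = am.peekAuthToken(account, TOKEN_TYPE);
        if (token == null) {
            return null;
        }
        String expiresAt = am.getUserData(account, KEY_EXPIRES_AT);
        if (expiresAt == null || nowMs >= Long.parseLong(expiresAt)) {
            am.invalidateAuthToken(ACCOUNT_TYPE, token);
            return null;
        }
        return token;
    }

    /** Logout: drop the token immediately instead of letting it linger until the TTL runs out. */
    public void onLogout(String username) {
        Account account = new Account(username, ACCOUNT_TYPE);
        String token = am.peekAuthToken(account, TOKEN_TYPE);
        if (token != null) {
            am.invalidateAuthToken(ACCOUNT_TYPE, token);
        }
        am.setUserData(account, KEY_EXPIRES_AT, null);
    }
}
```

The TTL is enforced client-side only as a convenience; the server must still reject a token it considers expired or revoked, since a client with root access can rewrite the stored expiry.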
Secure network communication is probably the most important aspect of application security. To exchange sensitive user data between a remote service endpoint and a client application, a secure protocol must be used; TLS is the only protocol recommended by MASVS. It is important that only certificates signed by a valid certificate authority (CA) are accepted.
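The "accept only certificates signed by a valid CA" requirement in code, as an added example that is not from the original article. It is written with the standard Java TLS classes available on Android (HttpsURLConnection, TrustManagerFactory); the CA PEM file, its resource name and the endpoint URL in the usage note are assumptions.

```java
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * HTTPS client whose trust store contains exactly one CA: the one the vendor
 * uses to sign the API server's certificate. Any certificate chaining to another
 * CA, including user-installed ones, fails the handshake.
 */
public final class RestrictedCaTlsClient {
    private final SSLContext sslContext;

    /** caPem: PEM-encoded CA certificate, e.g. bundled in res/raw (assumed). */
    public RestrictedCaTlsClient(InputStream caPem) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Certificate ca = cf.generateCertificate(caPem);

        // Empty in-memory key store holding only our CA. The system trust store is
        // deliberately not consulted, so a rogue or user-added CA cannot issue a
        // certificate this client would accept.
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);
        trustStore.setCertificateEntry("vendor-ca", ca);

        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        sslContext = SSLContext.getInstance("TLS");
        sslContext.init(null, tmf.getTrustManagers(), null);
    }

    /** Opens a connection; plain http:// endpoints are refused outright. */
    public HttpsURLConnection open(String endpoint) throws Exception {
        URL url = new URL(endpoint);
        if (!"https".equals(url.getProtocol())) {
            throw new IllegalArgumentException("cleartext endpoint refused: " + endpoint);
        }
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(sslContext.getSocketFactory());
        // The default HostnameVerifier stays in place. Replacing it with one that
        // always returns true, or installing a TrustManager whose checkServerTrusted
        // is empty, silently defeats the chain validation configured above.
        return conn;
    }
}
```

Typical use is `new RestrictedCaTlsClient(getResources().openRawResource(R.raw.vendor_ca)).open("https://api.example.com/session")` (resource and URL assumed). Pinning to the vendor's CA rather than to the leaf certificate lets the server rotate its certificate without an app update, which is the usual trade-off between strictness and operability.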
It is important that a client always uses the original mobile application supplied by the vendor. It must also be extremely difficult for an attacker to build a modified copy of the application whose logic has been altered to steal or compromise user data. Therefore, a mobile application must be resilient to reverse engineering.
- Mobile application security is vital for applications that handle user data. To assess the security level of your application, we recommend using the Mobile AppSec Verification Standard (MASVS).
- The most important aspects of mobile application security are local data storage security; authentication and session management; network communication; and resilience against reverse engineering.