Developers tend to think mobile apps are quite safe from malicious attacks in their neat sandboxed environments. This is only partially true: data in motion is still at risk, and the risk is high. All sorts of man-in-the-middle and passive eavesdropping attacks are still effective if you don’t protect the data the right way.
Why does this happen? Security is thought of as tangled and hard to implement. Instead of building the app on fundamental security principles, developers prefer to copy a quick solution from StackOverflow or to implement existing cryptographic algorithms themselves. This leads to buggy software, full of vulnerabilities and security holes that can be cracked easily.
Unfortunately, using HTTPS in your app is not enough to call it ‘secure’. Consider reading about SSL problems (there are lots!) and do your SSL right: disable weak ciphers and bad TLS settings, use long keys and enable SSL pinning.
But user data should be encrypted too. Encrypting data with persistent keys creates an illusion of safety, but it’s just an illusion.
Always encrypt crucial data with ephemeral keys that are regenerated each session, and no one will be able to grab it with a soldering iron.
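The ephemeral-key idea from the two paragraphs above, as an added example that is not part of the original post: a session object draws a fresh random master key when it is created, derives separate encryption and MAC keys from it with HKDF, and never writes any of them to storage, so data sealed in one session cannot be opened by another and becomes unrecoverable once the session is closed. Python's standard library has no AES, so the cipher here is a stream construction over HMAC-SHA256 with encrypt-then-MAC; that choice, the session class name and the sample plaintext are assumptions for illustration, and in a real app you would use the platform's AEAD (or a library such as the ones the post mentions) in its place.

```python
import hashlib
import hmac
import secrets
import struct


def hkdf_sha256(ikm: bytes, info: bytes, length: int, salt: bytes = b"") -> bytes:
    """HKDF (RFC 5869) extract-and-expand with HMAC-SHA256."""
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF keystream: HMAC(key, nonce || counter) blocks, counter mode."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


class EphemeralSession:
    """Holds keys that exist only in memory for the life of one session."""

    NONCE_LEN = 16
    TAG_LEN = 32

    def __init__(self) -> None:
        master = secrets.token_bytes(32)  # fresh per session, never persisted
        self._enc_key = hkdf_sha256(master, b"session-enc", 32)
        self._mac_key = hkdf_sha256(master, b"session-mac", 32)
        self.closed = False

    def seal(self, plaintext: bytes) -> bytes:
        """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
        if self.closed:
            raise RuntimeError("session closed, keys are gone")
        nonce = secrets.token_bytes(self.NONCE_LEN)
        ks = _keystream(self._enc_key, nonce, len(plaintext))
        ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
        tag = hmac.new(self._mac_key, nonce + ciphertext, hashlib.sha256).digest()
        return nonce + ciphertext + tag

    def open(self, blob: bytes) -> bytes:
        """Verify the tag first (constant time), only then decrypt."""
        if self.closed:
            raise RuntimeError("session closed, keys are gone")
        if len(blob) < self.NONCE_LEN + self.TAG_LEN:
            raise ValueError("blob too short")
        nonce, ciphertext, tag = (blob[:self.NONCE_LEN],
                                  blob[self.NONCE_LEN:-self.TAG_LEN],
                                  blob[-self.TAG_LEN:])
        expected = hmac.new(self._mac_key, nonce + ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("authentication failed: wrong session key or tampered data")
        ks = _keystream(self._enc_key, nonce, len(ciphertext))
        return bytes(c ^ k for c, k in zip(ciphertext, ks))

    def close(self) -> None:
        """Drop key references. Python cannot guarantee zeroisation of the
        underlying bytes; a native implementation should memset them."""
        self._enc_key = self._mac_key = None
        self.closed = True


if __name__ == "__main__":
    s = EphemeralSession()
    blob = s.seal(b"constructed sample: card token 0000")  # constructed input
    print(s.open(blob))
```

The property worth noticing is in the tests one would write for this: a second session, and a closed first session, both fail to open the blob, which is precisely what makes an extracted flash chip or a persisted key file worthless to an attacker.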
You don’t need to implement everything yourself. Understand the possible security risks for your specific app, build a sturdy architecture based on the CIA principle (confidentiality, integrity, authentication), use the right tools and your own brains: this is the proper way to create an app that will take a lot of time to break. There are some libs that can help you on this way.
Read my slides and follow the story of a little fish that finds itself in an ocean of threats. Step by step we armor this fish to resist possible attacks. There are lots of useful links throughout the presentation and more to read at the end.
Let me know if you care about security as much as I do =)
If you have any questions about app development, let us know!
Other useful links:
November 3, 2015