Secure Native App Development

Native Android, iOS and Windows Phone Development

The BizWise Tech development team specializes in native application development.
With more than 10 years of native mobile development experience, we offer cutting-edge
technologies and solutions for native Android, iOS and Windows Phone development, along with secure coding.

“Mobile apps are optional” will soon be history. Mobile apps are being adopted by more businesses today, with new-age users having 24*7 access to the internet through smartphones. Companies therefore look at various technology options to build and develop mobile apps for their customers. Native and hybrid apps are the two most common types of apps in the market today.

Are we safe?

With the growing mobile application market, the buzzing question today is “are we safe?”. Below are a few common security issues in both native and hybrid apps.

Security issues in native apps

When it comes to the security of native applications, the vulnerabilities are almost the same on every platform, though the exploitation techniques and tools differ. For example, a native Android app might be storing sensitive data in an SQLite database using local data storage. An attacker can exploit it by getting a shell on the device or by taking a backup of the application. The same attack is possible on an iOS application by logging into the device if it is jailbroken.

Below is a list of common attacks on native apps:

  • Insecure local data storage
  • Weak SSL implementation
  • Unintended data leaks
  • Reverse Engineering
  • Code Injection

Security issues in hybrid apps

Hybrid apps are not exempt from vulnerabilities if they contain poorly written code. They make extensive use of web views, which leave the application at risk if not properly written. Attacks such as reverse engineering and MITM are very common on hybrid apps, and attacks specific to HTML5 and JavaScript are possible in hybrid applications. Vulnerabilities related to backend APIs are common to any type of application. One way to minimize the attack surface is to use a well-accepted framework to build the apps, as such frameworks contain some inbuilt security controls. However, this is not a bulletproof solution for protecting your app.

Below is a list of common attacks on hybrid apps:

  • JavaScript Injection
  • Weak SSL implementation
  • Caching issues

Why should you care?

There are many recent attacks on mobile apps that scare app developers and companies. Ola Cabs, ZopNow, Starbucks and Foodpanda are a few examples that have come under attack. A recent attack on the Foodpanda app allowed anyone to order food without paying anything.

To know more details about this attack, please follow the link below.

Native v/s Hybrid Apps

Though hybrid apps are growing rapidly, native apps are considered more secure than hybrid apps for an enterprise, for various reasons.

Native apps can leverage inbuilt, platform-specific security features. Because hybrid apps make extensive use of web views, they are prone to attacks such as code injection when they use certain APIs. Apart from this, hybrid apps can face all sorts of vulnerabilities that could be introduced by the use of HTML5.

As stated above, native apps can leverage security controls provided by the platform. Apart from this, various techniques, tools and third-party libraries specific to each platform have been made available to minimize the attack surface. A lot of work has been done around native application security, and many books and other resources that talk about native app security are becoming available to the community.

Support from their platform

Android:

Android has an inbuilt security model that provides features such as app sandboxing (each app is isolated in its own sandbox on the device so that one app cannot access the data of other applications), secure inter-process communication using binders, and app permissions (the developer has to register the permissions and the user has to accept them before installing the app). Apart from this, Google has also provided detailed documentation on the security considerations to keep in mind during app development. This documentation also describes the security-related APIs that apps can leverage.

Below are a few examples.

Example 1:

Usually, when developers need to store data locally in native Android apps, they may go for options such as shared preferences, internal storage or SQLite databases.

This documentation details what may go wrong when using these features and how to avoid vulnerabilities.

In this specific example, it is recommended that developers should not use the MODE_WORLD_WRITEABLE or MODE_WORLD_READABLE flags with internal storage, as data saved this way could be exposed to other malicious apps running on the same device.

Example 2:

Another example would be the use of the KeyStore API for encrypted local data storage.
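Examples 1 and 2 side by side, as an added illustration that is not code from this page or from BizWise Tech: the world-readable internal-storage write that the Android documentation warns against, next to a private-mode write whose contents are encrypted with a non-exportable key held in the Android KeyStore. The file name and key alias are assumed for the example.

```java
import android.content.Context;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import java.io.FileOutputStream;
import java.security.KeyStore;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

public final class LocalStorageExample {
    private static final String KEY_ALIAS = "demo_local_data_key"; // assumed alias

    // BEFORE: world-readable internal storage. Any other app on the device can read
    // this file. The flag is deprecated and throws a SecurityException on Android 7+.
    @SuppressWarnings("deprecation")
    static void saveInsecure(Context ctx, byte[] data) throws Exception {
        try (FileOutputStream out = ctx.openFileOutput("token.dat", Context.MODE_WORLD_READABLE)) {
            out.write(data);
        }
    }

    // AFTER: MODE_PRIVATE keeps the file inside the app sandbox, and the contents are
    // AES-GCM encrypted with a key that never leaves the Android KeyStore.
    static void savePrivateEncrypted(Context ctx, byte[] data) throws Exception {
        SecretKey key = getOrCreateKey();
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key);  // KeyStore picks a fresh random IV
        byte[] iv = cipher.getIV();
        byte[] ciphertext = cipher.doFinal(data);
        try (FileOutputStream out = ctx.openFileOutput("token.dat", Context.MODE_PRIVATE)) {
            out.write(iv.length);   // store IV length, IV, then ciphertext+tag
            out.write(iv);
            out.write(ciphertext);
        }
    }

    // Returns the existing KeyStore key or generates one (API 23+). The key material
    // cannot be extracted, so a copied backup of the file is useless without the device.
    private static SecretKey getOrCreateKey() throws Exception {
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        KeyStore.Entry entry = ks.getEntry(KEY_ALIAS, null);
        if (entry instanceof KeyStore.SecretKeyEntry) {
            return ((KeyStore.SecretKeyEntry) entry).getSecretKey();
        }
        KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore");
        kg.init(new KeyGenParameterSpec.Builder(KEY_ALIAS,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .build());
        return kg.generateKey();
    }
}
```

Decryption reads the IV length and IV back from the file and initializes the same cipher in DECRYPT_MODE with a GCMParameterSpec built from that IV.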

iOS:

Similar to Android, iOS also has its own security model from Apple that provides features such as the secure boot chain, code signing, etc. Again, Apple has provided its own Secure Coding Guide that discusses various possible attacks and their fixes.

Going with the same example, Apple recommends the use of the Keychain for secure local data storage.

OWASP has also developed a very informative developer cheat sheet for iOS native apps, which can be found here:

https://www.owasp.org/index.php/IOS_Developer_Cheat_Sheet

All these examples show the amount of care being taken by the respective platforms for their app security.

Third party libraries

Apart from the platform-specific security controls and guidelines, there are quite a few third-party libraries available for native apps.

Taking the same local storage example, there are quite a few standard libraries available for securely storing data on the device. Examples include the SQLCipher library, which is available for both Android and iOS, and the “Secure Preferences” library for securing data stored in shared preferences.

Wrapping it up

From a security standpoint, deciding between native and hybrid apps for your organization really depends upon how security-critical your app is. If you are developing an app such as a banking or e-commerce app that has to meet the strictest security requirements, a native app is your best bet for the obvious reasons. If it is an app that just provides information to users, going hybrid saves cost.

However, both native and hybrid apps are prone to attacks if the code is poorly written. For better security, it is recommended that developers follow secure coding guidelines during development, conduct a penetration test after completing development, and repeat it at regular intervals.
