Abílio Azevedo.

Security in Mobile Applications

Cover Image for Security in Mobile Applications
Abílio Azevedo
Abílio Azevedo

When developing applications we need to be careful with security.

The Open Web Application Security Project® (OWASP) is a non-profit foundation working to improve software security.

They make a document, called OWASP Top 10, to make developers aware of web application security.

And for the world of mobile applications they also have an equivalent document and there is also a security standards document - the OWASP MASVS (Mobile Application Security Verification Standard) that contains the following categories:

  • MASVS-STORAGE: Secure storage of sensitive data on a device (data-at-rest).
  • MASVS-CRYPTO: Cryptographic functionality used to protect sensitive data.
  • MASVS-AUTH: Authentication and authorization mechanisms used by the mobile app.
  • MASVS-NETWORK: Secure network communication between the mobile app and remote endpoints (data-in-transit).
  • MASVS-PLATFORM: Secure interaction with the underlying mobile platform and other installed apps.
  • MASVS-CODE: Security best practices for data processing and keeping the app up-to-date.
  • MASVS-RESILIENCE: Resilience to reverse engineering and tampering attempts.

Okay, but how can we analyze these vulnerabilities in our applications?

The Mobile Security Framework (MobSF) is a complete automated framework for mobile applications (Android/iOS/Windows) for vulnerability testing, malware analysis and security assessment framework capable of performing static and dynamic analysis.

You can install it on your machine and put the APK or IPA of your applications to run the tests: Screen Shot 2022-05-24 at 15.18.28

At the end it gives a report with the vulnerabilities: Screen Shot 2022-05-24 at 17.38.00

An important point are credentials that we sometimes leave exposed or test files that are sometimes placed in our applications. For example, in React Native it is possible to exclude some files from our app's bundle:

const exclusionList = require('metro-config/src/defaults/exclusionList');

    // exclusionList is a function that takes an array of regexes and combines
    // them with the default exclusions to return a single regex.

    module.exports = {
      solve: {
    blacklistRE: exclusionList([/dist\/.*/])
      }
    };

There is also this dynamic instrumentation toolkit for developers, reverse-engineers, and security researchers called Frida that can help us run security tests.

So developer, keep your app safe.

Embedded content: https://docs.google.com/presentation/d/1jVQCL2h-xKEypVAPo-MU_LGoQS-CsYYXhAC9RNOpJ94/edit?usp=sharingundefined

More posts

Cover Image for Upload to AWS S3 using Django, Boto3 and S3Direct

Upload to AWS S3 using Django, Boto3 and S3Direct

Uploading videos via a React Native mobile app to a bucket on the AWS S3 service using S3 Direct and Boto3 with a pre-signed URL.

Abílio Azevedo
Abílio Azevedo
Cover Image for Factory Health Monitor

Factory Health Monitor

The application is a tool for evaluating the health of various machines in an automobile manufacturing plant. This plant features a range of machines, each with specific data points that you will use to assess the condition of the production process.

Abílio Azevedo
Abílio Azevedo

NewsLetter

I will send the content posted here. No Spam =)

Experienced Software Engineer with degree in Electrical Engineering with over 8 years of hands-on expertise in building robust and scalable mobile, web and backend applications across various projects mainly in the fintech sector. Mobile (React Native), Web (React and Next.JS) and Backend (Node.JS, PHP and DJANGO). My goal is to create products that add value to people. - © 2024, Abílio Azevedo

me