Abílio Azevedo.

Security in Mobile Applications

Cover Image for Security in Mobile Applications
Abílio Azevedo
Abílio Azevedo

When developing applications we need to be careful with security.

The Open Web Application Security Project® (OWASP) is a non-profit foundation working to improve software security.

They make a document, called OWASP Top 10, to make developers aware of web application security.

And for the world of mobile applications they also have an equivalent document and there is also a security standards document - the OWASP MASVS (Mobile Application Security Verification Standard) that contains the following categories:

  • MASVS-STORAGE: Secure storage of sensitive data on a device (data-at-rest).
  • MASVS-CRYPTO: Cryptographic functionality used to protect sensitive data.
  • MASVS-AUTH: Authentication and authorization mechanisms used by the mobile app.
  • MASVS-NETWORK: Secure network communication between the mobile app and remote endpoints (data-in-transit).
  • MASVS-PLATFORM: Secure interaction with the underlying mobile platform and other installed apps.
  • MASVS-CODE: Security best practices for data processing and keeping the app up-to-date.
  • MASVS-RESILIENCE: Resilience to reverse engineering and tampering attempts.

Okay, but how can we analyze these vulnerabilities in our applications?

The Mobile Security Framework (MobSF) is a complete automated framework for mobile applications (Android/iOS/Windows) for vulnerability testing, malware analysis and security assessment framework capable of performing static and dynamic analysis.

You can install it on your machine and put the APK or IPA of your applications to run the tests: Screen Shot 2022-05-24 at 15.18.28

At the end it gives a report with the vulnerabilities: Screen Shot 2022-05-24 at 17.38.00

An important point are credentials that we sometimes leave exposed or test files that are sometimes placed in our applications. For example, in React Native it is possible to exclude some files from our app's bundle:

const exclusionList = require('metro-config/src/defaults/exclusionList');

    // exclusionList is a function that takes an array of regexes and combines
    // them with the default exclusions to return a single regex.

    module.exports = {
      solve: {
    blacklistRE: exclusionList([/dist\/.*/])
      }
    };

There is also this dynamic instrumentation toolkit for developers, reverse-engineers, and security researchers called Frida that can help us run security tests.

So developer, keep your app safe.

Embedded content: https://docs.google.com/presentation/d/1jVQCL2h-xKEypVAPo-MU_LGoQS-CsYYXhAC9RNOpJ94/edit?usp=sharing

More posts

Cover Image for Cloud Design Patterns

Cloud Design Patterns

Explore the top cloud computing design patterns that enable developers to build scalable, resilient, and high-performing applications. This comprehensive guide covers 42 proven patterns like Ambassador, Circuit Breaker, CQRS, and Saga - distilled from the experiences of seasoned cloud architects. Learn how to leverage these powerful design techniques to navigate the complexities of the cloud and deliver innovative solutions that meet the evolving needs of today's digital landscape.

Abílio Azevedo
Abílio Azevedo
Cover Image for System P - Ticket Management - Bugs

System P - Ticket Management - Bugs

Unlock the power of prioritization for your Scrum team with the System P framework. Learn how to efficiently evaluate and rank your product backlog items based on business value, risk, and effort to deliver maximum impact. Discover the 5 priority levels - from critical P0 issues to informational P4 items - and master the art of smart backlog management. Optimize your Agile workflow and drive greater success with this guide to effective Scrum prioritization."

Abílio Azevedo
Abílio Azevedo

NewsLetter

I will send the content posted here. No Spam =)