
Security in Mobile Applications

Abílio Azevedo

When developing applications we need to be careful with security.

The Open Web Application Security Project® (OWASP) is a non-profit foundation working to improve software security.

They publish a document, the OWASP Top 10, to make developers aware of web application security risks.

For mobile applications they have an equivalent document, and there is also a security standard, the OWASP MASVS (Mobile Application Security Verification Standard), which contains the following categories:

  • MASVS-STORAGE: Secure storage of sensitive data on a device (data-at-rest).
  • MASVS-CRYPTO: Cryptographic functionality used to protect sensitive data.
  • MASVS-AUTH: Authentication and authorization mechanisms used by the mobile app.
  • MASVS-NETWORK: Secure network communication between the mobile app and remote endpoints (data-in-transit).
  • MASVS-PLATFORM: Secure interaction with the underlying mobile platform and other installed apps.
  • MASVS-CODE: Security best practices for data processing and keeping the app up-to-date.
  • MASVS-RESILIENCE: Resilience to reverse engineering and tampering attempts.

Okay, but how can we analyze these vulnerabilities in our applications?

The Mobile Security Framework (MobSF) is an automated framework for mobile application (Android/iOS/Windows) vulnerability testing, malware analysis and security assessment, capable of performing both static and dynamic analysis.

You can install it on your machine and upload the APK or IPA of your application to run the tests: [Screenshot: MobSF upload screen, 2022-05-24]

At the end it gives a report with the vulnerabilities found: [Screenshot: MobSF report, 2022-05-24]

An important point is credentials that we sometimes leave exposed, or test files that sometimes end up inside our applications. For example, in React Native it is possible to exclude some files from our app's bundle through the Metro config:

```js
const exclusionList = require('metro-config/src/defaults/exclusionList');

// exclusionList is a function that takes an array of regexes and combines
// them with the default exclusions to return a single regex.

module.exports = {
  resolver: {
    // Anything under dist/ is left out of the bundle.
    blacklistRE: exclusionList([/dist\/.*/]),
  },
};
```

There is also Frida, a dynamic instrumentation toolkit for developers, reverse-engineers and security researchers, which can help us run security tests.

So developer, keep your app safe.

Embedded content: https://docs.google.com/presentation/d/1jVQCL2h-xKEypVAPo-MU_LGoQS-CsYYXhAC9RNOpJ94/edit?usp=sharing



Experienced Software Engineer with degree in Electrical Engineering with over 10 years of hands-on expertise in building robust and scalable mobile, web and backend applications across various projects mainly in the fintech sector. Mobile (React Native), Web (React and Next.JS) and Backend (Node.JS, PHP and DJANGO). My goal is to create products that add value to people. - © 2024, Abílio Azevedo