Secure Mobile Development

At NowSecure we spend a lot of time attacking mobile apps - hacking, breaking encryption, finding flaws, penetration testing, and looking for sensitive data stored insecurely. We do it for the right reasons - to help developers make their apps more secure. The best way to verify that your app follows secure mobile development best practices is to perform security assessments of the app, which can include automated mobile app security testing, fuzzing, manual penetration testing, and more. This document represents some of the knowledge we share with our clients and partners. We are driven to advance mobile app security worldwide.

Using this Guide

This guide gives specific recommendations to use during your development process. The descriptions of attacks and security recommendations in this report are not exhaustive or perfect, but you will get practical advice that you can use to make your apps more secure.

We revise our best practices periodically and invite contributions, and the updated guide is published here as changes are accepted into the main repository.

To learn about all the vectors that attackers might use on your app, read our Mobile Security Primer.

Table of Contents

• Mobile Security Primer
• Coding Practices
  • 2.1 Increase Code Complexity and Use Obfuscation
  • 2.2 Avoid Simple Logic
  • 2.3 Test Third-Party libraries
  • 2.4 Implement Anti-tamper Techniques
  • 2.5 Securely Store Sensitive Data in RAM
  • 2.6 Understand Secure Deletion of Data
  • 2.7 Avoid Query String for Sensitive Data
• Handling Sensitive Data
  • 3.1 Implement Secure Data Storage
  • 3.2 Use SECURE Setting For Cookies
  • 3.3 Fully validate SSL/TLS
  • 3.4 Protect Against SSL Downgrade Attacks
  • 3.5 Limit Use of UUID
  • 3.6 Treat Geolocation Data Carefully
  • 3.7 Institute Local Session Timeout
  • 3.8 Implement Enhanced/Two-Factor Authentication
  • 3.9 Protect Application Settings
  • 3.10 Hide Account Numbers and Use Tokens
  • 3.11 Implement Secure Network Transmission Of Sensitive Data
  • 3.12 Validate Input From Client
  • 3.13 Avoid Storing App Data in Backups
• Caching and Logging
  • 4.1 Avoid Caching App Data
  • 4.2 Avoid Crash Logs
  • 4.3 Limit Caching of Username
  • 4.4 Carefully Manage Debug Logs
  • 4.5 Be Aware of the Keyboard Cache
  • 4.6 Be Aware of Copy and Paste
• Webviews
  • 5.1 Prevent Framing and Clickjacking
  • 5.2 Protect against CSRF with form tokens
• iOS
  • 6.1 Use the Keychain Carefully
  • 6.2 Avoid Cached Application Snapshots
  • 6.3 Implement Protections Against Buffer Overflow Attacks
  • 6.4 Avoid Caching HTTP(S) Requests/Responses
  • 6.5 Implement App Transport Security (ATS)
  • 6.6 Implement Touch ID Properly
• Android
  • 7.1 Implement File Permissions Carefully
  • 7.2 Implement Intents Carefully
  • 7.3 Check Activities
  • 7.4 Use Broadcasts Carefully
  • 7.5 Implement PendingIntents Carefully
  • 7.6 Protect Application Services
  • 7.7 Avoid Intent Sniffing
  • 7.8 Implement Content Providers Carefully
  • 7.9 Follow WebView Best Practices
  • 7.10 Avoid Storing Cached Camera Images
  • 7.11 Avoid GUI Objects Caching
  • 7.12 Sign Android APKs
• Servers
  • 8.1 Implement Proper Web Server Configuration
  • 8.2 Properly Configure Server-side SSL
  • 8.3 Use Proper Session Management
  • 8.4 Protect and Perform Penetration Testing of Web Services
  • 8.5 Protect Internal Resources