Desktop and laptop computers have always had to deal with security threats, and mobile devices are no exception. Thieves love to get their hands on sensitive information stored on mobile devices, such as GPS locations, text messages, a user's pulse, blood sugar, etc. Privacy and data protection are not an afterthought; they are a forethought and must be designed into a system from the start. Below are three examples of security requirements one might want in a design.
- SSL/TLS – Encryption of the data pipe between a mobile user and the server they are exchanging information with, which is easily added. Thankfully, Apple added the NSAppTransportSecurity key in iOS 9 and forced app developers to use HTTPS. While this protects the user's data from prying eyes, it does not help protect against more sophisticated attacks such as man-in-the-middle attacks. On Android, HTTPS is still optional rather than required.
- Certificate Pinning – Incorporating the server's public key into the app binary allows the mobile device to verify that the server it is connecting to is indeed the server it wants to connect to. Any attempt by a rogue entity to intercept the data transfer, read it, re-encrypt it, and send it on again will fail.
- File Encryption – On iOS, NSFileProtectionComplete encrypts each sandbox's file system while the device is locked, using different master secrets. iOS also has the keychain, an encrypted store that holds passwords and other small pieces of sensitive data. Android has full disk encryption, but since the sandboxes share the same master secret, it is considered less secure. This can be overcome by using an external encryption library that provides, for example, AES encryption. Doing so, however, will require following the Exporter Registration and Reporting process. Though tedious, it is necessary for apps that contain highly sensitive information, such as the user's bank account information.
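
The certificate pinning check from the list above, written for iOS as an added example (not code from the original page). The class name `PinningDelegate` and both pin strings are hypothetical placeholders; pins are assumed to be the base64 SHA-256 of the raw public key bytes returned by `SecKeyCopyExternalRepresentation`, and `SecTrustCopyCertificateChain` assumes iOS 15 or later.

```swift
import Foundation
import Security
import CryptoKit

// Added example: public key pinning in a URLSession delegate.
final class PinningDelegate: NSObject, URLSessionDelegate {
    // Constructed placeholders, not real pins. Ship the current key plus a
    // backup key so that a key rotation does not lock users out of the app.
    private let pinnedKeyHashes: Set<String> = [
        "PLACEHOLDER_PRIMARY_KEY_HASH_BASE64=",
        "PLACEHOLDER_BACKUP_KEY_HASH_BASE64=",
    ]

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition,
                                                  URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod
                == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }
        // Step 1: the normal chain and hostname validation must still pass.
        var error: CFError?
        guard SecTrustEvaluateWithError(trust, &error) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        // Step 2: at least one public key in the presented chain must match a pin.
        let chain = (SecTrustCopyCertificateChain(trust) as? [SecCertificate]) ?? []
        let matched = chain.contains { cert in
            guard let key = SecCertificateCopyKey(cert),
                  let raw = SecKeyCopyExternalRepresentation(key, nil) as Data?
            else { return false }
            let hash = Data(SHA256.hash(data: raw)).base64EncodedString()
            return pinnedKeyHashes.contains(hash)
        }
        // Fail closed: an interceptor that re-encrypts with its own key has no
        // matching pin, so the connection is cancelled before any data is sent.
        completionHandler(matched ? .useCredential : .cancelAuthenticationChallenge,
                          matched ? URLCredential(trust: trust) : nil)
    }
}
// Usage: URLSession(configuration: .default, delegate: PinningDelegate(), delegateQueue: nil)
```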