This repository was archived by the owner on Apr 17, 2023. It is now read-only.
mobileAppSelfDefenceOverview.adoc
Mobile App Self-Defence

Do's and Don'ts

Detect compromised environments (rooted/jailbroken) at runtime and react accordingly (Ensure the environment is not tampered with)

Obfuscation is not protection, assume everything in the code is public. (Application code can be deobfuscated)

Integrity check of the binary (Ensure the app itself is not tampered with)

Verify and check the integrity of dynamic resources (Ensure those resources are not tampered with)

Disable debugging in the application settings (Make sure the app is not debuggable)

Check if the device is in developer mode if supported by platform (Prevent app debugging)

Check if debugger is attached and/or if the process is being traced (Prevent app debugging)

Check lockscreen/passcode is enabled on the device (Make sure device is secure)

Consider blocking access if devices are out of date (Ensure device has no known vulnerabilities)

Verify that the app implements two or more functionally independent methods of root detection. (Use a dual verification approach).

Verify that the app implements multiple functionally independent debugging defences. (Prevent a debugger from being attached that can view app data).

Verify that the app detects, and responds to, being run in an emulator using any method. (An emulator can be tampered with more easily than a hardware device).

Verify that the app detects, and responds to, modifications of process memory, including relocation table patches and injected code. (Ensure that the operating environment of the App is safe before running it.)

Verify that all executable files and libraries belonging to the app are encrypted at the file level, or that the important code and data segments inside the executables are encrypted or packed. (Sensitive or secret code/resources should be protected.)

Verify that the app implements a 'device binding' functionality when a mobile device is treated as being trusted. Verify that the device fingerprint is derived from multiple device properties. (Improve device identity/integrity).

Verify that if the architecture requires sensitive computations be performed on the client-side, these computations are isolated from the operating system by using a hardware-based SE or TEE. (Sensitive operations should be carried out away from the main processor in a Trusted Execution Environment).

Perform user interaction anomaly detection. (Allows the identification of abnormal app usage by a user that may be malicious).

Consider only starting the app if it is running the latest version, or block requests from old versions of the app. (Older versions may have logic or security issues).

Out-of-appstore security updates should be shipped using an encrypted connection. (Ensure that the security patch has not been tampered with in transit).

Ensure that the installation package and its updates are digitally signed so that the platform can cryptographically verify them prior to installation. (Verify integrity before applying the update).

Implementation

Overview

A number of checks were implemented to assess the security of the underlying device running both the Android and iOS template applications.

Android

Figure: android trust 1

The Android Template App is using the App Self-Defense Checks that are included in the AeroGear Android SDK.

The main code logic is found here.

The Security Service is being initialised in the SecureApplicationModule.

Code
link:https://raw.githubusercontent.com/aerogear/android-showcase-template/master/app/src/main/java/com/aerogear/androidshowcase/di/SecureApplicationModule.java[role=include]

The following code snippets describe the main device trust detection logic in the mobile app.

Detecting Root Access

A number of different checks are being used to check if root access is present on the device.

Code
link:https://raw.githubusercontent.com/aerogear/android-showcase-template/master/app/src/main/java/com/aerogear/androidshowcase/features/device/DeviceFragment.java[role=include]

Detecting if Lock Screen Set

Detecting if the Android device has a lock screen set (with pin, fingerprint, pattern etc).

Code
link:https://raw.githubusercontent.com/aerogear/android-showcase-template/master/app/src/main/java/com/aerogear/androidshowcase/features/device/DeviceFragment.java[role=include]

Detecting if Debugger is Attached

Detecting if an Android debugger is attached to the application.

Code
link:https://raw.githubusercontent.com/aerogear/android-showcase-template/master/app/src/main/java/com/aerogear/androidshowcase/features/device/DeviceFragment.java[role=include]

Detecting Emulator Access

Detecting if the Application is being run on an emulator.

Code
link:https://raw.githubusercontent.com/aerogear/android-showcase-template/master/app/src/main/java/com/aerogear/androidshowcase/features/device/DeviceFragment.java[role=include]

Detecting Hooking Framework Apps

Some simple checks are included in the application to detect whether the Xposed Framework or Cydia Substrate is installed on the device; both can be used to hook and tamper with the logic of Android applications.

Code
link:https://raw.githubusercontent.com/aerogear/android-showcase-template/master/app/src/main/java/com/aerogear/androidshowcase/features/device/DeviceFragment.java[role=include]
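The root, emulator and hooking-framework checks described in the three sections above, as an added Java example that is not the showcase app's own code. The su paths, root-manager package names and emulator heuristics are constructed sample indicators; the Xposed and Substrate package names are the frameworks named in the text, and `EnvironmentChecks` is a hypothetical class name.

```java
import android.content.Context;
import android.content.pm.PackageManager;
import android.os.Build;
import java.io.File;

/** Added example (not the AeroGear showcase code): environment-integrity checks.
 *  Indicator lists below are constructed samples, not an exhaustive catalogue. */
public final class EnvironmentChecks {
    private static final String[] SU_PATHS = {
        "/system/bin/su", "/system/xbin/su", "/sbin/su", "/su/bin/su",
        "/data/local/xbin/su", "/data/local/bin/su", "/data/local/su" };
    private static final String[] ROOT_MANAGERS = {
        "eu.chainfire.supersu", "com.topjohnwu.magisk", "com.koushikdutta.superuser" };
    // Xposed installer and Cydia Substrate, the two frameworks named in the text above.
    private static final String[] HOOKING_FRAMEWORKS = {
        "de.robv.android.xposed.installer", "com.saurik.substrate" };

    // Android 11+ filters package visibility: declare these packages in <queries>,
    // otherwise getPackageInfo throws NameNotFoundException and the check fails closed.
    private static boolean anyInstalled(Context ctx, String[] packages) {
        PackageManager pm = ctx.getPackageManager();
        for (String pkg : packages) {
            try { pm.getPackageInfo(pkg, 0); return true; }
            catch (PackageManager.NameNotFoundException ignored) { /* not installed */ }
        }
        return false;
    }
    /** Root method 1: a su binary on a well-known path. */
    public static boolean hasSuBinary() {
        for (String p : SU_PATHS) if (new File(p).exists()) return true;
        return false;
    }
    /** Root method 2: build signed with AOSP test keys, typical of custom ROMs. */
    public static boolean hasTestKeys() { return Build.TAGS != null && Build.TAGS.contains("test-keys"); }
    /** Root method 3: a root-management app is installed. */
    public static boolean hasRootManager(Context ctx) { return anyInstalled(ctx, ROOT_MANAGERS); }
    /** Three functionally independent signals: hiding one indicator does not clear the device. */
    public static boolean isRooted(Context ctx) {
        return hasSuBinary() || hasTestKeys() || hasRootManager(ctx);
    }
    /** Hooking framework present: app logic can be rewritten at runtime. */
    public static boolean hasHookingFramework(Context ctx) { return anyInstalled(ctx, HOOKING_FRAMEWORKS); }
    /** Emulator heuristics on Build properties; goldfish/ranchu are the emulator kernels. */
    public static boolean isEmulator() {
        return Build.FINGERPRINT.startsWith("generic") || Build.HARDWARE.contains("goldfish")
            || Build.HARDWARE.contains("ranchu") || Build.MODEL.contains("google_sdk")
            || Build.PRODUCT.contains("sdk");
    }
}
```

Each check can be bypassed on its own, which is why the checklist asks for multiple independent methods and a server-side decision on what the app may do once a signal fires.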

Detecting App Data Backup Enabled

The application can check whether the allowBackup flag in the application's AndroidManifest.xml is set to true. If it is, an attacker can recover application data from the device (for example via adb backup) without requiring root access.

Code
link:https://raw.githubusercontent.com/aerogear/android-showcase-template/master/app/src/main/java/com/aerogear/androidshowcase/features/device/DeviceFragment.java[role=include]

Detecting Out of Date OS Version

The device's OS version can be checked using the Build class to see whether the device is running an outdated version of Android.

Code
link:https://raw.githubusercontent.com/aerogear/android-showcase-template/master/app/src/main/java/com/aerogear/androidshowcase/features/device/DeviceFragment.java[role=include]

Detecting Developer Mode Enabled

The app can check whether Developer Mode is enabled on the device.

Code
link:https://raw.githubusercontent.com/aerogear/android-showcase-template/master/app/src/main/java/com/aerogear/androidshowcase/features/device/DeviceFragment.java[role=include]
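The lock-screen, debugger, backup, OS-version and developer-mode checks from the sections above, as an added Java example that is not the showcase app's own code. `DeviceChecks` and the `MIN_SUPPORTED_SDK` policy value are assumptions; the Android APIs used are the platform's own.

```java
import android.app.KeyguardManager;
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.os.Build;
import android.os.Debug;
import android.provider.Settings;

/** Added example (not the AeroGear showcase code): app-configuration and device-policy checks. */
public final class DeviceChecks {
    // Constructed policy value: oldest API level this app is willing to run on.
    public static final int MIN_SUPPORTED_SDK = Build.VERSION_CODES.O;

    /** A JDWP debugger is attached, or the VM is blocked waiting for one. */
    public static boolean isDebuggerAttached() {
        return Debug.isDebuggerConnected() || Debug.waitingForDebugger();
    }
    /** android:debuggable="true" in the manifest; a release build must never ship this way. */
    public static boolean isDebuggable(Context ctx) {
        return (ctx.getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE) != 0;
    }
    /** android:allowBackup="true": app data can be pulled with adb backup without root. */
    public static boolean isBackupAllowed(Context ctx) {
        return (ctx.getApplicationInfo().flags & ApplicationInfo.FLAG_ALLOW_BACKUP) != 0;
    }
    /** Developer options or USB debugging switched on (Settings.Global, API 17+). */
    public static boolean isDeveloperModeEnabled(Context ctx) {
        return Settings.Global.getInt(ctx.getContentResolver(),
                   Settings.Global.DEVELOPMENT_SETTINGS_ENABLED, 0) == 1
            || Settings.Global.getInt(ctx.getContentResolver(),
                   Settings.Global.ADB_ENABLED, 0) == 1;
    }
    /** PIN, pattern or password set (biometrics always sit behind one of these). */
    public static boolean isLockScreenSet(Context ctx) {
        KeyguardManager km = (KeyguardManager) ctx.getSystemService(Context.KEYGUARD_SERVICE);
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.M) return km.isDeviceSecure();
        return km.isKeyguardSecure();   // pre-Marshmallow fallback
    }
    /** Device OS below the policy floor: refuse or degrade, as the Do's list suggests. */
    public static boolean isOsOutdated() {
        return Build.VERSION.SDK_INT < MIN_SUPPORTED_SDK;
    }
}
```

Run these checks at startup and again on resume; a debugger can attach after launch, so a one-time check at start gives a false sense of security.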

Native iOS

Figure: ios trust 1

The following code snippets describe the main device trust detection logic in the iOS template app.

Detecting Device Lock

Detecting if the Device has a lock screen set.

Code
link:https://raw.githubusercontent.com/aerogear/ios-showcase-template/master/secure-ios-app/services/DevicetrustService.swift[role=include]

Detecting Jailbreak

Detecting if the Device is Jailbroken using the DTTJailbreakDetection library.

Code
link:https://raw.githubusercontent.com/aerogear/ios-showcase-template/master/secure-ios-app/services/DevicetrustService.swift[role=include]

Detecting Debug Mode

Detecting if the device is running in Debug mode.

Code
link:https://raw.githubusercontent.com/aerogear/ios-showcase-template/master/secure-ios-app/services/DevicetrustService.swift[role=include]

Detecting Emulator Access

Detecting if the underlying device running the mobile application is an Emulator.

Code
link:https://raw.githubusercontent.com/aerogear/ios-showcase-template/master/secure-ios-app/services/DevicetrustService.swift[role=include]

Detecting Outdated OS Versions

Detecting if the underlying device running the mobile application is running an old version of iOS.

Code
link:https://raw.githubusercontent.com/aerogear/ios-showcase-template/master/secure-ios-app/services/DevicetrustService.swift[role=include]

Apache Cordova

Figure: cordova trust 1

The following code snippets describe the main device trust detection logic in the Cordova template app.

Detecting Emulator Access

Detecting if the underlying device running the mobile application is an Emulator.

Code
link:https://raw.githubusercontent.com/aerogear/cordova-showcase-template/master/src/pages/security/deviceTrust/deviceTrust.ts[role=include]

Detecting Root/Jailbreak

Detecting if the underlying device is Jailbroken or has Root Access.

Code
link:https://raw.githubusercontent.com/aerogear/cordova-showcase-template/master/src/pages/security/deviceTrust/deviceTrust.ts[role=include]

Detecting Debug Access

Detecting if the application is built in debug mode.

Code
link:https://raw.githubusercontent.com/aerogear/cordova-showcase-template/master/src/pages/security/deviceTrust/deviceTrust.ts[role=include]

Detecting Device Lock Set

Detecting if the underlying device has the device lock set.

Code
link:https://raw.githubusercontent.com/aerogear/cordova-showcase-template/master/src/pages/security/deviceTrust/deviceTrust.ts[role=include]