A guide to mobile application protection
- The big picture
- What needs protecting
- Develop a threat model for your application
- The four layers of mobile application protection
- Decompilation and modification
- Dynamic analysis and tampering
- Emulators and Virtualization Apps
- Network communications interception
- Mobile app fraud
Who is this guide for?
If you have an interest in keeping mobile apps secure - as a software developer or architect, product manager, security engineer, CISO, or CTO - then this guide is for you.
This guide was written with the aim of giving you a clearer picture of some key considerations in mobile app security:
- why and how attackers target mobile apps and their users
- how protection measures can mitigate and prevent attacks
- the importance of a comprehensive and continuous approach to security
As a mobile application protection guide, it focuses especially on the threat landscape, on client-side attacks and related reverse engineering. And, of course, on protection measures you can make use of.
This mobile application protection guide is therefore designed to be complementary with other resources that deal with such vital topics as mobile app security best practices, security testing, and server-side security.
Foremost among these resources are those related to the OWASP Mobile Application Security project (MAS): the Mobile Application Security Verification Standard (MASVS) and the MAS Checklist. And we encourage you to consult them alongside this guide. The Security Controls in the MASVS provide an effective framework for designing, building, and distributing secure mobile apps. They also help you to avoid unforced errors that are likely to create vulnerabilities and expose user data to potential attackers.
A secondary aim of this guide is therefore to provide important context and additional detail to certain topics that are referenced in the MAS resources but are not their main focus. Especially those relating to the threat landscape and to software-based protection measures. In the final section of this guide, Practice, there’s a protection checklist that includes cross-references to many of the MASVS security controls.
You’ll note that we also maintain a general distinction between security and protection throughout this guide. Security involves robust coding practices and effective use of platform APIs in order to avoid needlessly exposing sensitive data or functionalities. Protection is more directly geared towards anticipating and preventing client-side attacks, including those involving sophisticated techniques, state-of-the-art tools, and malware.
Protection offers reinforcement to existing security. If an application is built insecurely - for example exposing sensitive functionalities to other apps on the device via IPC (inter-process communication) mechanisms - no amount of protection may be enough to cover the cracks.
Equally, an application that derives its security mainly from the guarantees of its execution environment (i.e. the operating system and device) may be defenseless if the execution environment itself is insecure. An app with inbuilt protection mechanisms is in a position to defend itself against this danger.
Different types of apps naturally have different security and protection requirements. And implementing both entails some investment of time and development resources. It's up to the developer or organization to establish a risk model and to allocate resources accordingly. One crucial element of a risk model is creating a threat model for a given application. This involves identifying assets that need protecting, threats to them, and controls to mitigate and prevent those threats. You’ll see that there’s a section in this guide that offers guidance on creating one.
Although for some apps enhanced protection measures may seem excessive, almost every app contains or manages valuable assets that attackers target. Most notably:
- Internal data and intellectual property (IP)
- Restricted functionalities
- Sensitive user data
An individual developer who has developed an inventive photography app, for example, may have a strong desire to learn how to protect their IP from reverse engineers and copy-cats. Just as a multinational bank would have a keen interest in understanding how attackers might steal their end user’s financial data.
So, the focus of this guide is on the assets that need typically protecting, how attackers target them, and how protection mechanisms can mitigate and prevent those attacks. Regardless of the type of app being targeted. For that reason the guide is designed to be broadly relevant to all types of mobile apps and of interest to all individuals and organizations with a reason to protect these assets.
- There are a range of threats, and any one of them could harm your app and its users.
- Safeguarding your mobile application and its users must begin with secure development, incorporate four key layers of mobile app protection, and be a continuous process.
- Mobile application protection is ineffective if it is not comprehensive, which is why protection must be layered.
This guide is divided into three main sections:
The elements of mobile apps that most need protecting and why; some tips on creating a threat model for your app; the four vital layers of mobile application protection.
Threats, attacks, and how to mitigate and prevent them. Including decompilation and modification; dynamic analysis and tampering; emulators and app wrappers; malware; network communications interception.
Where to go from here; a checklist for protecting your mobile app; how and why to make security a continuous process.