I'm building a react native application where I am hard-coding credentials into the application. This is why I was wondering whether there are any security implications between communication with native modules and/or the ability the reverse engineer the application. If so, what are some preventative measures I can take to still have access to those credentials and have them locally. Please let me know if you can think of any other implications react-native has in terms of security.
Thanks!
I have a small answer for part of your question that I learned when working with penetration testers on an enterprise app that I created. When you hardcode a string literal it is very easy to pull out of your app. So in order to obfuscate that a little bit one suggestion I got was to append multiple strings together to get your encryption password. So when the hacker pulls the strings out of your app he doesn't know which ones go together and in what order to get the correct password.
And if you wanted to go a little further, he suggested that I use [SomeBuiltInClass class] in the password string as well so that even if a hacker pulls all of the string literals out of my app, no combination of any of them will get to the correct password.
[NSString stringWithFormat:#"%#%#%#",[NSString class],#"SomeIntermediateSomething",[NSData class]];
But even if you do all of this and the hacker has your application in a jailbroken device he can still see all calls and all parameters that your app pushes around, so they can still get the credentials if you pass them in any method or function. So pulling the password exactly when you want to use it is key as well. They can also run any method or function in your app with any data they wish, so they can get a password the same way you do if they know which functions to call.
I'm sure there are others out there who know much more than I, but those are some things that I have done in the past.
First rule - never store credentials in a mobile app. Bottom Line. Think this has been mentioned but worth repeating, see
https://security.stackexchange.com/questions/20294/how-should-an-application-store-its-credentials
Related
I'm creating an App in which the user has to provide his credentials for a third party web site. My App uses this credentials to login in that website to perform some automatized tasks via Jsoup.
The problem I see is that when credentials are sent from the App to the Website, they could potentially be intercepted. Is there any way I can encrypt that data?
Credentials are not for a particularly critical service, it's nothing that deals with money or stuff like that, but I still do not want to expose passwords.
It's great that you want to keep your user's credentials safe. That's a good thing even if the service you're using is non-critical, since many users will typically re-use their passwords across sites.
As for what can be done, that will depend on what the service you are trying to use supports. The first question is whether the site uses HTTPS. You should definitely use it if possible.
Some sites also provide their own API's for interacting with them without going via their web-pages. I assume that may not be an option for you, since you are using JSoup, but if it is an option, look into what security features they provide that way.
If nothing else (or possibly in addition to anything else?), you might consider adding a section in your app with a paragraph with "recommendations for secure usage" or something along those lines. Urge your users to use a separate password for different sites, or at least for that specific site, to reduce risk. Be careful not to push it too much though - you want it to be a friendly reminder, and not a constant nagging.
I read this regarding how to extract code from apk.
I am really confused how does other app ensures security. I have a website. In that I have written all queries in PHP. So There is no way to get my queries unless they compromise my server.
In case of android app, I will have to write all the queries, connection details in Java. So when they can able to get code from APK, they can get my credentials. Isn't?
How does other app work? If I understood wrongly, please help me to understand.
So when they can able to get code from APK, they can get my credentials. Isn't?
Yes. If your app contains secrets and you distribute it to your customer, you customer has the secret.
Whilst you can obscure the secret using obfusctation tools like Proguard, his will be of limited effectiveness again all but the most casual attacker.
How does other app work?
Usually, the client-side app makes a connection to a front-end application on your server. The application server does its own identity management, connects to the database, and performs whatever limited range of operations the application allows for each user.
The application server is typically accessed using some kind of web services. You can re-use your PHP code here; the client app is then effectively just a convenient interface to making HTTP calls against your existing web site.
Android has a feature Pro guard. Pro guard convert all String and Const value into Obfuscated code. It also remove unused files. So by using pro guard, You will get two benefit. First You get your code security. Second, Apk size reduce to 25%.
Save your queries in res/string.xml file and use Proguard. Do not write queries in Java, just use the string in string.xml as query.
I'm writing a ringtone gallery app which ringtones reside on a server and they can be downloaded by user.
What I want is to check and verify if the connection is really from my app not other apps or a HTTP request generator. for example I don't like someone write an app that uses my back end and show his ads in the app. It's like image leaching in web site which is prevented by checking the referrer.
It's not possible to insert a key in the app as android apps can be decompiled so easily. I thought of gaining the app signature and send it's hash as a key, but it's like any app can access other apps signature hash.
what about writing part of app which do the communication in native code? is it decompilable as easy as java code?
I really can't think of any other way and I don't like others use my resources for their benefit.
There are a couple of things you can do.
Create your own Certificate Authority, ship a certificate with your app and use two-way TLS authentication. This does not protect against decompilation and reverse-engineering but protects traffic en route.
Use the advice in this slide deck to detect modifications and debuggers.
Use Jelly Bean's hardware-backed secure storage.
At the end of the day, though, DRM is a lost battle. If the user has root access, all bets are off, with or without obfuscation (which native libraries are). The only question is how important is your data. For 90% of applications, running it through ProGuard makes it nearly impossible to untangle (especially if you use data flow obfuscation). Along with the certificate approach, that should suffice for most things.
Alternatively, try to change your model, so that you're authenticating the user and not the app - that's far simpler!
i need to know how can i secure my app to make a close beta?
i want to send my app to some people so that they can test it. but i dont want them to share the .apk with other people and just use it some days. so i need to implement some kind of trial/beta mode.
i need something, that the app e.g. only runs 7 days or so. how to do this?
There are a few ways to ensure security:
Get a server, and have a server side authentication based on a unique device ID, like an IMEI or MAC address. Any device which does not belong to your testers will not be listed on your server, and you can stop the app from running.
If possible, have each person come to you and install the apk yourself, instead of mailing it to them
Create a trial system. Store the date on which the person first accessed your app from the device, and stop letting him use it n days later. If you store this on a server along with the unique ID, it'll be safer, as if it is stored in the shared preferences or something, the user could get around it by clearing the data or uninstalling and reinstalling the app.
Obfuscate your code using a tool like ProGuard. This will add an extra layer of security incase someone decompiles your app
Note that these are only a few suggestions, and none of them are 100% secure. AFAIK, there is no way to ensure 100% security, short having having the devices locked in a lead room, and letting in the testers one at a time. And there is a way to get around that too, I bet.
Use hockeyapp, there's nothing easier to distribute your app to a closed group of people.
We have an android and ios app which sends data and commands to a server with http webservice. How can i prevent the possibility, that fake-clients also can send something to the server? How can I determine serversidely if the data/command really comes from our apps.
You cant really prevent it. There are several techniques to make it harder for people abusing your services.
A simple check can be to check the user agent calling your webservice. Another pretty common one is to use a simple authentication via user/password authentication on your webserver. The username and password will be embedded into your app.
If you have enough time you should think about using a combination of this two methods plus authentication with a embedded ssl certificate. You simply could add this to your project and if someone really want to abuse your service, he have to extract this certificate atleast form your application.
There are some other useful techniques but you cant prevent reverse engineering or network sniffing.
Sincerely,
fuxx
The most robust solution is not to try. Techniques like DasFuxx's answer suggests can make it faintly harder, but someone can always decompile your application and get whatever secrets you have embedded in it.
Instead, follow the rule of multiplayer game development:
Don't trust the client.
Don't think about your application as the user interface. Think about your network protocol/API as being the user interface; then design that interface so that it cannot be abused.
It may not be possible to do so completely, but insofar as you succeed, you have true security (rather than fighting the same losing battle as DRM systems).
I would implement oAuth. See the following link for more information on how to implement such a solution.
You can't. It's that simple...