Mobile Security

Keith Chan
5 min read · Sep 8, 2018


“shallow focus photography of police” by Markus Spiske on Unsplash

I think no one doubts that the mobile phone is one of the most important things in our daily lives. We use our phones to chat with friends on social media apps, manage our bank accounts, and much more.

Since the first iPhone launched we have moved well beyond browsing websites and playing games: as user experiences have shifted from websites to apps, more and more services are available at our fingertips. I am sure there is more than one P2P payment or banking app on everyone's phone. That makes mobile security an area that everyone, and app developers in particular, should care about.

iOS and Android account for the vast majority of mobile devices. In this article I will look at how iOS and Android provide security to their users.

4 Security Areas

There are four aspects to securing a mobile device:

  1. Device Security
  2. Application Security
  3. Data Security
  4. Network Security

Device Security

Device security is protection at the OS level. There are a few components to understand before looking at the protection iOS and Android provide.

The Boot ROM is read-only code burned into the SoC at manufacture. It is the first code that runs when the device powers on and cannot be changed afterwards, which is what makes it usable as a root of trust.

The bootloader is the low-level program that loads and starts the OS kernel. Unlike the Boot ROM it lives in writable storage, so it can be replaced or updated by the device vendor.

iOS provides a feature called the secure boot chain, also known as a chain of trust, to ensure the integrity of the OS and firmware. Why is it called a chain? Because each step of the boot process is protected cryptographically and vouches for the next one. Apple's code is signed with Apple's private keys, which Apple keeps well protected. The read-only Boot ROM contains Apple's root public key (a verification key, not a decryption key) and uses it to check the signature of the next stage, the bootloader (iBoot), before running it; iBoot in turn verifies the kernel. If any stage fails its signature check, the boot is aborted and the device drops into recovery (DFU) mode instead of running code that Apple did not sign.

A jailbreak is a hack that breaks this chain of trust. That is why jailbreaking is strongly discouraged: once the chain is broken, unsigned code and apps can run on the device, which is very dangerous.

Android 4.4 introduced Verified Boot (built on dm-verity), which offers the same kind of protection. Until Android 7.0, however, Verified Boot only warned the user about a tampered system partition; from 7.0 it is strictly enforced and a compromised device refuses to boot.
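To make the chain concrete, here is a small simulation in Go. It is an added example for this article, not Apple's or Google's code: Ed25519 stands in for the vendor's RSA/ECDSA signatures, a root public key stands in for the key burned into the Boot ROM, each stage carries the public key that verifies the next stage and a signature from the previous one, and the `enforce` flag switches between the iOS/Android 7+ abort behaviour and the pre-7 Android warn-only mode. Stage names and image contents are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Stage is one link of the boot chain: the image to run, the public key that
// verifies the *next* stage, and the signature the previous stage checks before
// handing over control. Trust flows from the Boot ROM's key down to the last stage.
type Stage struct {
	Name    string
	Image   []byte
	NextKey ed25519.PublicKey // nil for the final stage
	Sig     []byte            // vendor signature over digest(Image, NextKey)
}

// digest binds an image to the key it vouches for, so an attacker cannot pair a
// genuine, correctly signed image with a key of their own.
func digest(image []byte, next ed25519.PublicKey) []byte {
	h := sha256.New()
	h.Write(image)
	h.Write(next)
	return h.Sum(nil)
}

// BootChain walks the chain. rootKey stands in for the public key in the Boot ROM.
// enforce=true is the iOS / Android 7+ behaviour (stop at the first bad signature);
// enforce=false is the pre-7 Android warn-only mode. It returns the stages that were
// allowed to run and the first verification error, if any.
func BootChain(rootKey ed25519.PublicKey, stages []Stage, enforce bool) ([]string, error) {
	verifyKey := rootKey
	var ran []string
	var firstErr error
	for _, s := range stages {
		if len(verifyKey) != ed25519.PublicKeySize || !ed25519.Verify(verifyKey, digest(s.Image, s.NextKey), s.Sig) {
			err := fmt.Errorf("%s: signature check failed", s.Name)
			if enforce {
				return ran, err // device drops into recovery; nothing further executes
			}
			if firstErr == nil {
				firstErr = err // warn and keep booting
			}
		}
		ran = append(ran, s.Name)
		verifyKey = s.NextKey
	}
	return ran, firstErr
}

// BuildChain does what the vendor's signing infrastructure does: it creates a
// bootloader -> kernel -> system chain, each stage signed by the key the previous
// stage vouches for, and returns the root public key the ROM would hold.
func BuildChain() (ed25519.PublicKey, []Stage) {
	rootPub, rootPriv, _ := ed25519.GenerateKey(rand.Reader)
	blPub, blPriv, _ := ed25519.GenerateKey(rand.Reader)
	kPub, kPriv, _ := ed25519.GenerateKey(rand.Reader)

	bl := Stage{Name: "bootloader", Image: []byte("loader code"), NextKey: blPub}
	bl.Sig = ed25519.Sign(rootPriv, digest(bl.Image, bl.NextKey))
	kernel := Stage{Name: "kernel", Image: []byte("kernel image"), NextKey: kPub}
	kernel.Sig = ed25519.Sign(blPriv, digest(kernel.Image, kernel.NextKey))
	system := Stage{Name: "system", Image: []byte("system partition")}
	system.Sig = ed25519.Sign(kPriv, digest(system.Image, nil))
	return rootPub, []Stage{bl, kernel, system}
}

// Tamper returns a copy of the chain in which one stage's image has been modified,
// as a jailbreak or rootkit that rewrote the partition would leave it.
func Tamper(stages []Stage, name string) []Stage {
	out := append([]Stage(nil), stages...)
	for i := range out {
		if out[i].Name == name {
			out[i].Image = append(append([]byte(nil), out[i].Image...), []byte(" +patch")...)
		}
	}
	return out
}

func main() {
	root, chain := BuildChain()
	fmt.Println(BootChain(root, chain, true))                    // [bootloader kernel system] <nil>
	fmt.Println(BootChain(root, Tamper(chain, "kernel"), true))  // stops after the bootloader
	fmt.Println(BootChain(root, Tamper(chain, "kernel"), false)) // boots everything, reports the error
}
```

The point of the `digest` over image plus next key is the subtle one: if only the image were signed, an attacker could keep a genuine bootloader and swap in their own "next stage" key, and the rest of the chain would verify against the attacker's key.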

A hardware-backed secure element or enclave is a powerful component of modern mobile devices. Private keys are generated and stored inside an isolated piece of hardware (Apple's Secure Enclave, or a TrustZone-based TEE or discrete secure element on Android), and device-specific keys cannot be exported from it. The key never enters application memory during a cryptographic operation: the app hands the data to the enclave and gets back the signature or the encrypted/decrypted result, so a compromised app or a memory dump does not expose the key. Every iOS device since the iPhone 5s (the A7 chip) has a Secure Enclave, but not all Android devices have equivalent hardware. The good news is that Google's compatibility requirements for Android 7.0 made a hardware-backed Keystore mandatory for new devices.

Passcode protection exists on both iOS and Android. It ensures that only the phone's owner, or someone who knows the passcode, can use the device. Modern devices add biometric authentication (fingerprint, Face ID, iris), which is backed by the passcode rather than replacing it. Both are hardened against brute force: failed attempts trigger escalating delays, and the device can be configured to lock up or wipe itself after a number of failures. On iOS the attempt counter and the delays are enforced by the Secure Enclave, so they cannot be bypassed by software alone.

Application Security

The iOS App Store and Google Play Store review every submitted app and enforce their developer policies, and both platforms require apps to be code-signed, so the build a user installs is the build the developer published. Review is not a guarantee (malicious and vulnerable apps do slip through), but it removes a large share of them compared with sideloading from unknown sources. Developers should publish through the official stores so that the right application reaches end users, and users should avoid installing apps from untrusted sources.

Cryptography is crucial to application security, from the app binary itself to every file and piece of data it stores. The platform crypto libraries (CommonCrypto on iOS, the Java Cryptography Architecture on Android) provide strong algorithms, and the iOS Keychain and Android Keystore give developers a protected place to keep keys and secrets instead of hard-coding them or writing them to plain files. On devices with a Secure Enclave or TEE, both can be backed by that hardware, so keys are generated and used inside it and never leave.

Data Security

Since iOS 4, iOS has offered a feature called Data Protection, which is file-based encryption. Every file is encrypted with its own key, and that key is in turn wrapped by a class key. Developers choose the protection class for each piece of user data: for example, NSFileProtectionComplete makes a file readable only while the device is unlocked, while NSFileProtectionCompleteUntilFirstUserAuthentication keeps it readable from the first unlock after boot until the device restarts.

The difference from block-based (full-disk) encryption, which Android used before 7.0, is that full-disk encryption protects the whole data partition with a single key at a single security level. Once that key is exposed, all user data is at risk, and nothing on the partition can be read until the user has entered the passcode after boot. Android 7.0 introduced file-based encryption, with separate credential-encrypted and device-encrypted storage, which brings it closer to the iOS model.
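The following Go code models the file-based scheme. It is an added example for this article, not iOS's implementation: each file gets its own random key, wrapped by a class key; locking the device wipes the Complete class key from memory but leaves the UntilFirstUserAuth key; and the class keys are derived from a per-device secret plus the passcode, so the same passcode on another device yields different keys. The derivation is a plain SHA-256 stand-in for the slow, UID-tangled KDF iOS uses, and the passcodes and file contents are constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Class says which class key wraps a file's key (named after the iOS classes).
type Class int

const (
	Complete           Class = iota // NSFileProtectionComplete: readable only while unlocked
	UntilFirstUserAuth              // ...CompleteUntilFirstUserAuthentication: readable after the first unlock, until reboot
)

// ProtectedFile is one file on disk: a random per-file key wrapped by the class key, plus the body encrypted under it.
type ProtectedFile struct {
	Class      Class
	WrappedKey []byte
	Body       []byte
}

// Keybag holds the class keys currently in memory; a class is locked while its key is absent.
type Keybag map[Class][]byte

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing crypto/rand is not recoverable
	}
	return b
}

// gcmFor builds AES-256-GCM for a 32-byte key (any other length is a programming error here).
func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}

// seal encrypts under a fresh nonce; output is nonce||ciphertext||tag.
func seal(key, plaintext []byte) []byte {
	gcm := gcmFor(key)
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// open reverses seal; a wrong key fails the tag check rather than returning garbage.
func open(key, sealed []byte) ([]byte, error) {
	gcm := gcmFor(key)
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// Unlock derives every class key from the device secret (stand-in for the UID key fused
// into the SoC) and the passcode. SHA-256 is a simplified stand-in for the slow KDF iOS
// uses; a real keybag also verifies the passcode first, whereas here a wrong passcode
// simply yields keys that unwrap nothing.
func Unlock(deviceSecret []byte, passcode string) Keybag {
	kb := Keybag{}
	for _, c := range []Class{Complete, UntilFirstUserAuth} {
		sum := sha256.Sum256(append(append(append([]byte{}, deviceSecret...), passcode...), byte(c)))
		kb[c] = sum[:]
	}
	return kb
}

// Lock wipes the Complete class key; the UntilFirstUserAuth key stays until reboot.
func (kb Keybag) Lock() { delete(kb, Complete) }

// WriteFile encrypts data under a fresh per-file key and wraps that key with the
// chosen class key, so a leaked file key exposes exactly one file.
func (kb Keybag) WriteFile(c Class, data []byte) (ProtectedFile, error) {
	ck, ok := kb[c]
	if !ok {
		return ProtectedFile{}, errors.New("class key not available while locked")
	}
	fileKey := randomBytes(32)
	return ProtectedFile{Class: c, WrappedKey: seal(ck, fileKey), Body: seal(fileKey, data)}, nil
}

// ReadFile unwraps the file key with its class key, then decrypts the body.
func (kb Keybag) ReadFile(f ProtectedFile) ([]byte, error) {
	ck, ok := kb[f.Class]
	if !ok {
		return nil, errors.New("class key not available while locked")
	}
	fileKey, err := open(ck, f.WrappedKey)
	if err != nil {
		return nil, err
	}
	return open(fileKey, f.Body)
}

func main() {
	kb := Unlock(randomBytes(32), "1234")
	token, _ := kb.WriteFile(Complete, []byte("bank session token"))
	kb.Lock() // screen locked: the Complete class key is gone from memory
	_, err := kb.ReadFile(token)
	fmt.Println("Complete-class file while locked:", err)
}
```

Contrast this with the pre-7.0 Android full-disk scheme: one key for the whole partition, so a single `open` with that key reveals everything, and no file can be read until the passcode has been entered after boot. With per-file keys, the app decides per file how much of the user's data stays exposed while the phone sits locked in someone's hand.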

Network Security

Connecting to public networks is what makes most apps useful, and it is also where they are most exposed. Using HTTPS for all traffic is a must. Apple's App Transport Security (ATS) requirements are a good baseline for network security on both iOS and Android. ATS requires servers to meet several basic criteria before an iOS app may connect: TLS 1.2 or newer, forward-secrecy (ECDHE) cipher suites, and certificates signed with SHA-256 or better using at least 2048-bit RSA or 256-bit ECC keys. If the server does not meet them, iOS blocks the connection by default; for example, plain HTTP, or a server that only speaks TLS 1.0 or 1.1, is rejected unless the app declares an explicit exception in its Info.plist.

See Apple's ATS documentation for the full list of requirements and the allowed exceptions.

SSL pinning (certificate or public-key pinning) is another defence against man-in-the-middle attacks. Instead of trusting any certificate that the device's CA store would accept, the app checks that the server's certificate, or better its public key, matches one embedded in the app. That stops a compromised or rogue Certificate Authority (CA), or a user-installed root certificate, from letting an interception proxy impersonate the server. The trade-off is operational: pins must be rotated together with the server key, and a wrong pin cuts every installed copy of the app off from the backend, so pin the public-key hash rather than the whole certificate and ship a backup pin.

Thanks to Matthew Dolan for his article about SSL pinning, which covers the implementation in more detail.
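The Go code below shows both ideas on the client side: a `tls.Config` that mirrors ATS's TLS 1.2 and forward-secrecy minimums, and a SubjectPublicKeyInfo (SPKI) pin check installed as the `VerifyPeerCertificate` callback. It is an added example for this article, not code from Apple's ATS or from Matthew Dolan's article. It generates a throwaway self-signed certificate for the constructed host name `api.example.test` so the check can run offline; the function names and the pin list are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// SPKIPin is base64(SHA-256(SubjectPublicKeyInfo)): the same value that
// `openssl x509 -in cert.pem -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64`
// prints. Pinning the key rather than the certificate survives renewals that keep the key.
func SPKIPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// PinCheck builds a tls.Config.VerifyPeerCertificate callback. It runs after normal
// chain validation and accepts the handshake only if some certificate in a verified
// chain carries a pinned key. Always ship a backup pin next to the live one.
func PinCheck(pins []string) func([][]byte, [][]*x509.Certificate) error {
	allowed := map[string]bool{}
	for _, p := range pins {
		allowed[p] = true
	}
	return func(_ [][]byte, verifiedChains [][]*x509.Certificate) error {
		for _, chain := range verifiedChains {
			for _, cert := range chain {
				if allowed[SPKIPin(cert)] {
					return nil
				}
			}
		}
		return errors.New("pinning: no certificate in the verified chain matches a pinned SPKI hash")
	}
}

// ATSClientConfig mirrors ATS's default requirements on the client side: TLS 1.2 or
// newer and forward-secret (ECDHE) cipher suites, with the pin check added.
func ATSClientConfig(serverName string, roots *x509.CertPool, pins []string) *tls.Config {
	return &tls.Config{
		ServerName: serverName,
		RootCAs:    roots,
		MinVersion: tls.VersionTLS12,
		CipherSuites: []uint16{ // TLS 1.2 suites; TLS 1.3 suites are forward-secret by design
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
		},
		VerifyPeerCertificate: PinCheck(pins),
	}
}

// SelfSignedCert makes a throwaway P-256 certificate for the constructed host name
// api.example.test so the check can be exercised offline.
func SelfSignedCert() (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "api.example.test"},
		DNSNames:     []string{"api.example.test"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyWithPins runs the two steps the TLS client perform in order: validate the
// chain for serverName against roots, then apply the pin check to the verified chains.
func VerifyWithPins(leaf *x509.Certificate, roots *x509.CertPool, serverName string, pins []string) error {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: serverName})
	if err != nil {
		return err
	}
	return PinCheck(pins)(nil, chains)
}

func main() {
	leaf, _ := SelfSignedCert()
	roots := x509.NewCertPool()
	roots.AddCert(leaf)
	pin := SPKIPin(leaf)
	fmt.Println("pin:", pin)
	fmt.Println("correct pin:", VerifyWithPins(leaf, roots, "api.example.test", []string{pin}))
	fmt.Println("wrong pin:", VerifyWithPins(leaf, roots, "api.example.test", []string{"AAAA"}))
}
```

Two points to note. The pin check runs only on chains that already passed ordinary validation (hostname, expiry, trusted root), so pinning narrows trust rather than replacing it. And the pin is computed over the SPKI, which is the same `sha256/...` value that OkHttp's CertificatePinner on Android and TrustKit on iOS expect, so the same `openssl` one-liner produces the constant for all three.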

End-to-end encryption has been a hot topic in recent years. WhatsApp already protects users' messages with end-to-end encryption, so only the sender and the recipient hold the keys needed to read them.

Source: https://heimdalsecurity.com/blog/the-best-encrypted-messaging-apps/

As the figure from the source above shows, end-to-end encryption prevents data leakage even when the service provider itself is compromised, because the provider only ever relays ciphertext.

Mobile Security Standard

OWASP's Mobile Security Project publishes the Mobile Application Security Verification Standard (MASVS) and the Mobile Security Testing Guide (MSTG), which developers can use to check whether their applications follow mobile security best practices.

Conclusion

We have gone through the basic concepts of mobile security. In the next articles of this series we will dive into code and implement these practices on both iOS and Android.

Thanks for reading!!!! Please help to share if you find this is useful 😎.
