Mobile App Security Checklist for Developers

Back in the 18th century, the world was witnessing the industrial revolution and we all know how it transformed almost every aspect of human life. Times have changed now and presently it’s something entirely different that is making the world go round.

Yes, you guessed it right. It’s the age of the smartphone revolution. And when it comes to smartphones, it’s all about the apps. 

The fascinating world of mobile apps gets bigger day by day.

According to Techjury, smartphone consumers will download more than 258 billion mobile apps by 2022. Moreover, on average, every user goes through 8-10 apps per day.

The stats are amazing, aren’t they? They seem promising to hackers also.

As the trend of mobile apps continues to grow at an exponential rate, so does the frequency of app-based attacks. According to studies, one in every four mobile apps has a high-risk vulnerability. And if left unexamined, they might lead to serious outcomes. 

That is why it becomes essential for app developers to not only look out for adding advanced features in their apps but also concentrate on the security front. Since most of the security issues can be mitigated during the development stage itself, a great responsibility lies on the shoulders of coders to bolster their app’s security. 

Here, we are going to dive deeper into the world of secure coding practices and find out how developers can work smartly and maintain the security of their mobile apps while coding. But before moving ahead, let’s first understand the types of mobile apps and how they can be attacked.

Threat Landscape of Mobile Apps

In order to understand the threat landscape of mobile apps, it is crucial to understand their different types.

Types of Mobile Application

Basically, there are three kinds of mobile apps:

  • Native Apps: These apps are native to a particular platform like Android or iOS. And as they are optimized for a particular platform, they work efficiently and offer a better user experience. However, due to their structure, it is somewhat difficult to maintain them. 
  • Web Apps: These apps run on web-hosted servers. Generally, CSS, HTML5 or Javascript are used for their development. Moreover, these apps can’t access much of the native device’s functionality like contacts, camera or location. But, as they are open to web servers, potential security risks are always inevitable.
  • Hybrid Apps: As the name suggests, these apps contain a mix of the features of native and web apps. They can be downloaded from app stores. They can also enjoy device features and at the same time, they rely on HTML and web servers as well. 

How Mobile Apps Are Vulnerable?

Most of the time, mobile apps have privacy and security gaps in code functionality. Apps are allowed access to more data points than required and this opens more avenues for threat actors to sniff into the system. 

Using unauthorized APIs and untrusted libraries poses similar problems as well. In several instances, a lack of proper encryption also exposes sensitive user data to attackers. 

Another common phenomenon that makes mobile apps more vulnerable to attacks is the possibility of reverse engineering. In the later part of the blog, we will see how it deeply impacts the security of mobile apps. But before that, let’s examine the types of attacks that are common in the case of mobile apps. 

Classification of Attacks Based on their Occurrences

Based on their occurrence, attacks on mobile apps can be classified into four categories:

  • Browser-Based Attacks: Ranging from phishing, clickjacking, and data-caching to man-in-the-middle attacks, browser-based attacks happen over the web servers. In the case of these attacks, hackers inject malicious scripts into app components that are served via web browsers. 

  • Phone or SMS-Based Attacks: In the case of phone/SMS attacks, hackers target mobile devices by distributing malware via unauthorized messages. Moreover, other phone-based attacks like baseband attacks are also common. In these attacks, threat actors may gain control over the device’s digital baseband processor and manipulate cellular activities.  

  • OS-Based Attacks: OS-based attacks use the mobile device’s operating system as the attack surface. Generally, manipulations like Android rooting and iOS jailbreaks result in these types of attacks. Weak passcodes and encryption may also lead to these attacks. 

  • Application-Based Attacks: In these attacks, hackers utilize the vulnerabilities in the mobile app itself to gain access to sensitive user data. Escalated privileges, improper SSL injection, weak encryption, and unwanted permissions may result in application-based attacks. 

How to Build a Completely Secure Mobile App? The Checklist

We examined how various types of mobile apps are vulnerable to different types of attacks. Now, we must find out what must be done in order to prevent such attacks from happening. 

According to the OWASP secure coding practices checklist, there are numerous ways of achieving this. Basically, a developer can mitigate most of the security vulnerabilities and efficiently maintain mobile app security while coding. 

The below infographic highlights some of the secure coding practices which developers must follow in order to build a completely secure mobile app.

Secure Coding Practices For Your Mobile App-1


However, despite all these measures, there still remains some margin or error. Luckily, there are some techniques that efficiently eliminate the possibility of any remaining mistake. Let us see how. 

How Code Obfuscation and Remediation Assist in Mobile App Security?

As soon as any app goes public, so does its source code. Being a developer, you would never want any threat actor to review your code and start tampering with your application. They might even repackage the app with some malicious code. 

In order to avoid such problems, the techniques of code obfuscation and remediation come into the picture. These two methods prevent hackers from reverse engineering your app and understanding the business logic and code. They also erase the potential loopholes in the code to ensure your app’s security at all times. 

What is Code Obfuscation?

Code obfuscation is simply the method of modifying the source or machine code so as to make it difficult for attackers to read or comprehend it. While the functionality of the code remains the same, obfuscation helps coders in concealing the logic and purpose of the code effectively.

Generally, coders use a tool called an Obfuscator to carry out the obfuscation process. It simply converts the original code into some program that carries out the same functions but makes it nearly impossible for hackers to read or understand the logic of the code. Code obfuscation may also be carried out manually. Some basic steps in code obfuscation may include:

  • Encrypting some part of, or the entire code.
  • Changing the class or variable names to some vague labels.
  • Inserting some meaningless or unutilized code to the application binary.
  • Hiding or removing potentially sensitive metadata.    

How does Code Obfuscation Work?

The process of code obfuscation consists of some simple but reliable techniques. Together they can build a strong layer of defense and protect your code from attackers. We have listed some basic obfuscation techniques and also explained how they work:

1) Renaming Obfuscation: Renaming obfuscation, as the name suggests, changes the aliases of the important methods and variables. Without altering the program execution, this technique makes it harder for any human to understand the modified code. Even if attackers attempt to decipher the logic of the source code, they may have to be super attentive while looking out for elements and variable names.   

The modified names may have certain different naming schemes like a combination of letters, numbers or even unprintable or invisible characters. This code obfuscation technique is widely used for mobile application security while coding by a majority of Java, Android, iOS and .NET developers.

2) Control Flow Obfuscation: This form of code obfuscation simply entangles the control flow of the application code. In control flow obfuscation, a valid executable logic is produced using the traditional branching, conditional and iterative constructs. But, upon decompilation, the code would yield non-deterministic semantic results. 

This method makes it rather difficult for the hacker to break the logic of the decompiled code. However, employing control flow obfuscation may also result in degraded runtime performance.   

3) Instruction Pattern Transformation: In this method, the basic compiler instruction patterns are converted into certain different or vague constructs. Generally, these instructions are suitable for machine languages and map less cleanly with high-level languages like C# or Java. 

This technique is very commonly used during transient variable caching. Using this, overhead transient variables are removed from Java or .NET runtimes using their stack-based nature.

4) Dummy Code Insertion: Another way of code obfuscation is dummy code insertion where some dummy code is inserted into the executable. This insertion does not have any effect on the logic or the execution of the program and makes the reverse engineering of the code really difficult. 

5) Removal of Unused Code and Metadata: Reducing the amount of information that can be extracted from your code may restrict the activities of the attackers. This obfuscation method does the same. Here, pieces of unused code, debugging information, and unnecessary metadata are removed from the source code. Apart from ensuring security, this technique also enhances the runtime performance of the mobile app.   

6) Binary Linking/Merging: In this obfuscation technique, multiple libraries and other input executables are merged into one or more output binaries. When employed with renaming or pruning, linking can also make the size of the application smaller and ease up the deployment process. All of this reduces the information available to the attackers. 

7) Opaque Predicate Insertion: Often counted among some of the most secure coding practices, this method introduces irrelevant or incorrect code to confuse the hackers. The code would not be executed and make it difficult for the attackers to comprehend the decompiled output. 

This technique works by inserting conditional branches into the code. These branches always refer to some already known results that can’t be determined by code analysis methods.

8) Anti-Tamper: Anti-tamper obfuscation is another primary code protection methodology. Here, application self-protection is injected into the source code to prevent tampering. Whenever tampering is detected, the app performs certain custom actions like limiting its functionality, shutting itself down or invoking random crashes to signal the developers.  

9)Anti-Debug: Almost everything hackers do with a mobile app starts with debugging. Be it infiltrating or counterfeiting an app, stealing user data, altering the software infrastructure or anything else, it all begins with reverse engineering and employing a debugger. What anti-debug obfuscation does is that it injects a piece of code that detects if the app is being executed within a debugger. 

Whenever a debugger is used, the anti-debug Obfuscator corrupts data or invokes random crashes to protect user data and prevent debug checks. It may also signal the developers by sending a warning message.  

Open-Source Obfuscation Tools 

When it comes to selecting the best tool for carrying out code obfuscation, there are a plethora of options out there. There are numerous open-source obfuscation tools available as well. You can select any one of them depending on the use case you have at hand. Some of the well-known open-source code obfuscators include:  

  • Obfuscar: Released under MIT license, this open-source .NET obfuscator provides a bunch of facilities to secure code in .NET assembly.
  • Modifly: Modifly is a Java-based obfuscation tool capable of run-time transformations. It efficiently removes program semantics and performs string encryption as well.
  • ProGuard: This free to use Java class obfuscator optimizes bytecode and removes unused attributes, fields and classes to make the code compact and efficient. 
  • JavaScript Obfuscator Tool: This tool is another effective JavaScript obfuscator and through a series of transformations, it revamps your code into a new representation that is almost impossible to modify or understand. 

What is Remediation?

As the name suggests, remediation is simply the act of damage control. In the case of mobile app security, remediation basically consists of some reliable techniques which developers can implement to prevent attackers from infiltrating into their apps.

Generally, hackers gain insights into a mobile app through reverse engineering. Applying proper remediation techniques will not only make your app more complex but also pose hardships for hackers to crack its code. 

How does Remediation Work?

There are several remediation techniques that can enhance the complexity of your code and make reverse engineering difficult. Generally, if your app deals with high volumes of user data, you should consider applying anti-debug methods. 

Similarly, if you want to limit runtime manipulation by hackers, you should prefer using C or C++. C and C++ offer several libraries that can be easily integrated with Objective C and protect critical portions of the code. Tools like Class-Dump, Class-Dump-Z or Frida may be used by attackers to expose, manipulate or reverse engineer your app’s code. 

Generally, Android and iOS apps become more susceptible to such attacks because of their basic design. In the case of Android apps, you can avoid this by using JNI (Java Native Interface). And when it comes to iOS apps, you should prefer writing code portions in low-level C so as to avoid manipulation or reverse engineering.

Here we have mentioned some other common secure coding practices as well:

1) Restricting Debuggers: An attacker’s ability to interact or interfere with an application’s runtime may be reduced by preventing its attachment to any debugger. If this is ensured, an attacker has to first decipher the debugging restrictions before breaching into the app on a low level. 

In order to add this complexity to your mobile app, you may implement several methods. In the case of Android apps, developers should set ‘android: debuggable = “false”’ in the app manifest. This would prevent runtime manipulations and also the injection of malware. ‘PT_DENY_ATTACH’ may be used in the case of iOS apps. 

2) Trace Checking: If you are concerned about mobile application security while coding, you must consider the trace checking strategy. It is possible for a mobile app to check whether or not it is being tracked by a debugger or any other debugging tool. 

There are several ways of determining this like evaluating the parent process, checking the return value of ‘ptrace attach’, comparing timestamps on various instances of the program, checking process status flags or blacklisting debuggers. 

After checking for debuggers, the app may perform several defense actions in response like warning the server admins or discard encryption keys in order to secure sensitive user information.

3) Using Compiler Optimizations: On several occasions, your code may consist of advanced mathematical calculations and other complex logic. It is possible to hide them by employing compiler optimizations and obfuscating your object code. This would make matters rather difficult for hackers as they won’t be able to disassemble or understand the code. 

This can be easily achieved in Android apps by using the specialized libraries from the Native Development Kit (NDK). Moreover, using tools like LLVM Obfuscator may also assist in proving smoother machine code obfuscation.

4) Stripping Native Binaries: Stripping binaries is another effective remediation technique that strongly tests the nerves of an attacker. This technique can effectively enhance the time required and test the skill of the attackers while they try to grasp the structure and makeup of your mobile app’s low-level functions.

Stripping binaries remove the symbol table of the concerned binary and therefore, the attacker faces difficulty in debugging or reverse-engineering the app. However, stripping binaries does not remove object-mapping data in iOS or the classes in Objective-C. In the case of Android apps, methods used on GNU/Linux systems Sstrip or UPX may be used.     


Final Thoughts

In the upcoming years, security will definitely play a major role in differentiating one mobile app from the other. And that is why following secure coding practices with a focus on the elements of security becomes a necessity. Before any mobile app goes public, it must be ensured that it follows the basic security requirements. 

Strategic coding practices like obfuscation and remediation testing also have their own significance as they protect the core logic and purpose of the application’s code. All of these coding etiquette when combined together, will form an invincible arsenal that will never allow your mobile app to get defeated at the hands of attackers. 


Published on Jan 13, 2020
Subho Halder
Written by Subho Halder
Subho Halder is the CISO and Co-Founder of Appknox. He started his career researching Mobile Security. Currently, he helps businesses to detect and fix security vulnerabilities. He has also detected critical loopholes in companies like Google, Facebook, Apple, and others


Chat With Us

Using Other Product?

Switch to Appknox

2 Weeks Free Trial!

Get Started Now