Skip to main content

How to secure Cordova based hybrid Android mobile app?

The incident I'm sharing here was happened in 2015, when we faced a complicated technical problem while working on an IoT project. 

We were having a mobile app to control smart electronic appliances that consumes our web-service. A third party group somehow managed to use our mobile app with their service. We assume that they had reverse engineered to crack the services. So we had to protect our mobile app which was Cordova based hybrid cross-platform app. 

I have been allocated to analyse this issue and propose a solution. So during my initial analysis I found that first we should secure the mobile application installer because Android's .apk installation file usually packaged together all the resource files used in the hybrid project. Crackers could reverse engineer it to get those files. I know that we can ensure protection only by increasing the level of security.

So I minified all the files, bundled together and applied obfuscation over it; which made hybrid portion bit more secure. After this I used Arxan to protect the mobile app at binary level.

The next step was to ensure the service authenticity; for which I'd used session based synchronous incremental token validation system on app level and get it implemented on a web-service layer to support it.

The outcome was that our app become much more secure & protected. It took few releases till all the users updated the app. Now the third party has stopped supporting our app as we don't see any cross origin requests in our logs.

From this incident we learned that usually we think that the project is at startup level, so they don't worry much about security and protection of the project initially. But with time project grows, it becomes more vulnerable. So we should always keep in mind the basic things like security; during the startup phases.

Now I use this app protection technique in all other enterprise level apps and try to get it implemented during the startup phase.

Comments

Popular posts from this blog

Unlock protected blocks in Siemens SIMATIC Step 7

Recently I'd been called by Hindalco's Fabrication Plant division to unlock the protected blocks in Siemens SIMATIC Step 7. They were in need to unlock those blocks since an year because of 1 million Rupees of loss per month. They want to re-program those blocks but it was locked by the man who'd done the setup. From the people working in that department, I came to know that they were trying to call that man (someone from Italy) right here but he's not coming. Actually, what he'd done was that he'd locked some of the blocks and deleted the source file. And Siemens didn't provide any feature to unlock. Department people also told me that even the people working in Siemens don't know how to do it. Being a software engineer I know that any thing can be reverse engineered. So I took up the challenge. How did I unlocked the blocks? The first thing I'd done was searched about this software at Google and read about what is this software all about. Aft

App: Calculate your job experience or age in years

Usually, all of those who works have to put years of experience on their resume or curriculum vitae. But 90% people put it wrong when they convert their experience in years only. Although they know the exact number of months and years but the conversion, they do is wrong. This happens because there are 12 months while the digit after decimal would be 0-9, i.e., 10 digits. Which means that we have to represent the number of months in terms of year. So here I have provided a small gadget to calculate it. Just put the date when you had started working in the From Date field and put current date in the To Date field. You can also calculate your age as well with this tool by putting your date of birth in the From Date field and put current date in the To Date field. As an alternative, you can use the hassle-free and simple to use  Date Differentiator  micro webapp. Bookmark it so you may easily access it later.

How to convert JIRA story into sub-task or defect?

Many times we entangled in the situation where we have made a  story  in JIRA but later on realised that it should have to be  defect  or in other case,  sub-task  of another  story . Story → Sub-task So the workaround for converting the story into defect is given below: Open your  story Click on  more  option Click on the  Convert to sub-task  option in the dropdown You would be asked to choose  Parent  story, so chose relevant story After submit, your  story  gets converted into  sub-task Story → Defect Now if you want the story to be converted into defect, then you should first convert it into sub-task. Thereafter, you can convert that sub-task into defect as given below: Open the  sub-task Click on  more  option Click on the  Convert to issue  option in the dropdown You would be asked to fill up relevant fields required for raising a  defect , fill them up as required After submit, your  sub-task  gets converted into  defect .