Tuesday, January 21, 2020

How to secure Cordova based hybrid Android mobile app?

The incident I'm sharing here was happened in 2015, when we faced a complicated technical problem while working on an IoT project. 

We were having a mobile app to control smart electronic appliances that consumes our web-service. A third party group somehow managed to use our mobile app with their service. We assume that they had reverse engineered to crack the services. So we had to protect our mobile app which was Cordova based hybrid cross-platform app. 

I have been allocated to analyse this issue and propose a solution. So during my initial analysis I found that first we should secure the mobile application installer because Android's .apk installation file usually packaged together all the resource files used in the hybrid project. Crackers could reverse engineer it to get those files. I know that we can ensure protection only by increasing the level of security.

So I minified all the files, bundled together and applied obfuscation over it; which made hybrid portion bit more secure. After this I used Arxan to protect the mobile app at binary level.

The next step was to ensure the service authenticity; for which I'd used session based synchronous incremental token validation system on app level and get it implemented on a web-service layer to support it.

The outcome was that our app become much more secure & protected. It took few releases till all the users updated the app. Now the third party has stopped supporting our app as we don't see any cross origin requests in our logs.

From this incident we learned that usually we think that the project is at startup level, so they don't worry much about security and protection of the project initially. But with time project grows, it becomes more vulnerable. So we should always keep in mind the basic things like security; during the startup phases.

Now I use this app protection technique in all other enterprise level apps and try to get it implemented during the startup phase.

No comments:

Post a Comment