Mobile Security is Different
Unlike web applications where code runs behind a secure firewall, mobile app code is downloaded directly onto the user’s physical device. Attackers can decompile your binary, inspect its logic, and run tests locally. Securing mobile applications requires specific client-side defenses.
1. Avoid Hardcoded Secrets
Never store API keys, private keys, or passwords inside your mobile source code. Attackers can extract them using reverse engineering tools like JADX or class dumpers.
2. Insecure Data Storage
Avoid storing sensitive data (like authentication tokens or personal info) in plain text files, local storage, or shared preferences. Instead, use OS-level secure storage:
- iOS: Keychain Services.
- Android: EncryptedSharedPreferences (Keystore system).
// Example of Android EncryptedSharedPreferences initialization
MasterKey masterKey = new MasterKey.Builder(context)
.setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
.build();
SharedPreferences sharedPreferences = EncryptedSharedPreferences.create(
context,
"secure_prefs",
masterKey,
EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM
);