Furthermore, the client on which the mobile application is installed and the server it communicates with need a way to establish trust in each other. Most applications achieve this via certificate validation and certificate pinning, where trusted certificates are installed on the client. The mobile operating system also provides applications with a mechanism to predefine rules for secure network communication, such as the Application Transport Security controls on iOS. For example, the setting “NSExceptionAllowsInsecureHTTPLoads,” which permits cleartext communication over HTTP, should be limited to trusted domains.
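A quick way to check how an app's ATS rules are scoped is to audit its Info.plist before release. The script below is an added example, not code from the original article; the Info.plist it parses is a constructed sample containing a global `NSAllowsArbitraryLoads` override and a single domain-scoped HTTP exception, and it uses only the standard ATS keys and Python's stdlib `plistlib`.

```python
import plistlib

# Constructed sample Info.plist (not from the article): a global ATS override plus a
# domain-scoped cleartext exception of the kind the text says should be limited.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>legacy.example.com</key>
      <dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key>
        <true/>
        <key>NSIncludesSubdomains</key>
        <true/>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""

def audit_ats(plist_bytes):
    """Return (severity, finding) tuples for weak App Transport Security settings."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    findings = []
    # A global override disables ATS for every host; scope exceptions per domain instead.
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append(("high", "NSAllowsArbitraryLoads: ATS disabled for all domains"))
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        if rules.get("NSExceptionAllowsInsecureHTTPLoads"):
            scope = "and its subdomains" if rules.get("NSIncludesSubdomains") else "only"
            findings.append(("medium", f"{domain} {scope}: cleartext HTTP permitted"))
        if rules.get("NSExceptionRequiresForwardSecrecy") is False:
            findings.append(("low", f"{domain}: forward secrecy not required"))
    return findings

if __name__ == "__main__":
    for severity, text in audit_ats(SAMPLE_PLIST):
        print(f"[{severity}] {text}")
```

Run it against a real app's Info.plist by replacing `SAMPLE_PLIST` with the file's bytes; the expected outcome for a well-scoped configuration is no high-severity finding and only the exceptions the team has consciously accepted.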
When it comes to application data, applications should follow a zero-trust approach toward not only clients but users as well. Users may make insecure decisions when dealing with sensitive data; for example, they may install and use third-party keyboards that could perform keylogging. By placing certain checks in the code, the application can protect user data from leaking. For example, the application can allow only the system keyboard for sensitive input fields such as passwords, or prevent the user from copying sensitive information to the device clipboard.
As mentioned in the “Defense-in-depth” section, these libraries should be chosen after careful analysis of the implementation and potential default configurations. Some examples include ensuring that
- The certificate pinning library’s API for verifying the installed client certificates is not event-based
- Clipboard library APIs are not in use for sensitive data fields such as passwords
- Biometric authentication libraries provide configurable options and do not default to the device passcode after multiple failed attempts
In short, pay extra attention to device settings and configurations. Ensure the library APIs are fail-safe. Trusting third-party libraries, certificates, or software with system-wide access (keyboards, clipboards) is inherently risky. Communication should be limited to trusted servers and protocols (HTTPS).