We have built an official app that is available on the Google and Apple stores. Our security team has run a scan of the app to identify any security threats or vulnerabilities. We have been able to fix most of the issues they pointed out. However, there are a few issues that we are stuck with, and we are not sure how we can fix them using Corona SDK. Your help in this matter will be greatly appreciated.
- Insecure data storage
“Insecure data storage vulnerabilities occur when development teams assume that users or malware will not have access to a mobile device's filesystem and subsequent sensitive information in data-stores on the device. Filesystems are easily accessible. Organizations should expect a malicious user or malware to inspect sensitive data stores. Rooting or jailbreaking a mobile device circumvents any encryption protections. When data is not protected properly, specialized tools are all that is needed to view application data.”
In our app, we are using WebView to access our organization’s Single Sign On page for authentication. This page sets up some cookies that are stored in the data folder of the app in the device by Corona. The cookie file can easily be read by other apps and they can steal the critical authentication information. Can this cookie file be made secure by providing some password protection?
- Information gets cached in iOS snapshot section
“In order to provide the visual transitions in the interface, iOS has been proven to capture and store snapshots (screenshots or captures) as images stored in the file system portion of the device NAND flash. This occurs when a device suspends (rather than terminates), when either the home button is pressed, or a phone call or other event temporarily suspends the application. These images can often contain user and application data, and in one published case contained the user’s credit card information, his properties details and his personal details. Pressing the iPhone/iPad home button shrinks the iOS application and moves it to the background with a nice effect. To create that shrinking effect, iOS takes a screenshot of the application and stores it in the Library/Caches/Snapshots folder in the respective application’s home directory. This might result in storing the user’s sensitive information on the device without the user’s knowledge. Snapshots stored on the iPhone will automatically clear after the device is rebooted. An attacker can get access to sensitive details in case the device is compromised.”
We tried using system events such as applicationSuspend to hide any critical information being displayed on the screen. However, it still shows a snapshot of the last screen that was visible. Is there a way we can blur the app or hide some section of the app when the app user presses the Home button?
- Backup flag not set to false in Android
“The Android operating system offers a backup/restore mechanism of installed packages through the ADB utility. By default, full backup of applications including the private files stored in /data is performed, but this behavior can be customized by implementing a Backup Agent class. This way applications can feed the backup process with custom files and data. An attacker can get sensitive information from the backup file of the application.”
We tried adding the following code in the Android section of build.settings, but it didn’t work.
Is there a way we can set the Backup Flag to false in the build.settings?
- Application works on rooted/jailbroken devices
“Rooted/Jailbroken devices can have malicious applications guided by attackers to take sensitive information from other installed applications. An adversary can take advantage of this to perform malicious activity. An attacker can take advantage of this to perform malicious activity like stealing of data from local storage, sniffing traffic and sending it to a malicious domain.”
Can we block execution on rooted/jailbroken devices?
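One way to confirm whether the backup finding above is actually resolved in a built APK, added here as an example and not part of the original post or of Corona SDK: check the `android:allowBackup` attribute in the manifest the build produced. It assumes the APK's AndroidManifest.xml has already been decoded to text (for example with apktool); the function name and the sample manifests are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# XML namespace used by all android:* manifest attributes.
ANDROID_NS = "http://schemas.android.com/apk/res/android"


def backup_status(manifest_xml):
    """Return (backup_enabled, detail) for a decoded AndroidManifest.xml string.

    Backup counts as disabled only when <application> carries the literal
    android:allowBackup="false". A missing attribute means the platform
    default (true) applies, and any other value, such as a resource
    reference, is reported as enabled so it gets reviewed by hand.
    """
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        raise ValueError("manifest has no <application> element")
    value = app.get("{%s}allowBackup" % ANDROID_NS)
    if value is None:
        return True, "android:allowBackup not set; platform default is true"
    if value.strip().lower() == "false":
        return False, 'android:allowBackup="false"'
    return True, 'android:allowBackup="%s"; not a literal false' % value


# Constructed sample manifests (hypothetical package name).
MANIFEST_DEFAULT = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.app">
  <application android:label="Example"/>
</manifest>
"""
MANIFEST_HARDENED = MANIFEST_DEFAULT.replace(
    'android:label="Example"',
    'android:label="Example" android:allowBackup="false"',
)
MANIFEST_RESOURCE = MANIFEST_DEFAULT.replace(
    'android:label="Example"',
    'android:label="Example" android:allowBackup="@bool/backup"',
)

if __name__ == "__main__":
    for name, xml in [("default", MANIFEST_DEFAULT),
                      ("hardened", MANIFEST_HARDENED),
                      ("resource", MANIFEST_RESOURCE)]:
        enabled, detail = backup_status(xml)
        print(name, "FAIL" if enabled else "PASS", detail)
```

Running this against the decoded manifest of each release build shows whether a build.settings change actually reached the packaged manifest.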