Security Does Matter! Let’s learn about some useful security tips while making an app with Smartface.
Security is one of the most important parts of the application development process. Almost all applications use or store sensitive data, and these operations must be done in a secure way. Data security is like a chain: one weak link affects the whole chain, so every layer must be secure to make a secure system.
The most commonly encountered mobile app vulnerabilities are:
- Unsafe data transmission
- Improper session handling
- Unvalidated user input
- Unsafe local storage
- Hardcoded password/hash
So what can we do to build a secure application? Securing the application by itself is not enough; the whole system must be secure. This can be defined in 3 parts:
We will talk mostly about the client side. When you develop an application with Smartface, we suggest that you take care of the points below:
1. Do not store everything
If you use network objects (XMLHttpRequest), commit your network-related datasets as rarely as possible. Make sure that “Auto Commit” is not selected if you don’t need it. Use commit only if you want to save data to the local database and use it later (committed data persists even after the app is closed).
2. InMemory Sqlite Tables
If you need to filter a dataset, you may have to commit it. If the committed data is sensitive, you should use the InMemory table option: the table is then kept in memory only and is not stored locally. You can check the RunOnMemory option of the table to enable this feature. For more information about tables, see the Table Guide.
3. Secure Tables and Columns
In order to keep sensitive data secure, you can encrypt your data with your own encryption or with open source JS cryptography libraries such as crypto-js.
4. Secure variables
Store your sensitive variables securely. The third parameter of the storeVariable function makes the variable encrypted. For more information, please refer to the Store Variables Guide.
5. Encrypt HTTP request/response parameters
6. Use SSL
All networking operations should be done over SSL.
7. Use hashes
When you create your own algorithms by making some string operations, use hashes at least two times (hash the hashed string) to harden your algorithm. Adding a timestamp, device unique identifiers and random numbers will also make it stronger.
8. User inputs
Check all user input for injections or bad requests. Otherwise bad inputs may cause unhandled exceptions on the server side.
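Added example (not Smartface's own code) of allowlist-style validation for a small form payload. Each field has a type, a length bound and a pattern; unknown fields, missing fields, control characters and values that do not match the pattern are all reported. The field names and rules are constructed for illustration.

```javascript
// Added example, not Smartface's own code: allowlist validation of a request
// payload before it is sent (and the same rules should run again on the server).

// ASSUMED field set for illustration: what is allowed, not what is forbidden.
const RULES = {
  username: { pattern: /^[a-z0-9_]{3,20}$/i, maxLen: 20 },
  email: { pattern: /^[^\s@]+@[^\s@]+\.[^\s@]+$/, maxLen: 254 },
  amount: { pattern: /^\d{1,9}(\.\d{1,2})?$/, maxLen: 12 },
};

const CONTROL_CHARS = /[\x00-\x1f\x7f]/;

// Returns null when the value is acceptable, otherwise a short error string.
// Checks are ordered cheapest first: type, length, control characters, pattern.
function validateField(name, value) {
  const rule = RULES[name];
  if (!rule) return `unknown field: ${name}`;
  if (typeof value !== 'string') return `${name}: must be a string`;
  if (value.length > rule.maxLen) return `${name}: too long`;
  if (CONTROL_CHARS.test(value)) return `${name}: control characters not allowed`;
  if (!rule.pattern.test(value)) return `${name}: invalid format`;
  return null;
}

// Validates a whole payload: every required field must be present and valid,
// and no field outside the allowlist may be present.
function validatePayload(payload) {
  const errors = [];
  for (const name of Object.keys(RULES)) {
    if (!(name in payload)) {
      errors.push(`${name}: missing`);
      continue;
    }
    const err = validateField(name, payload[name]);
    if (err) errors.push(err);
  }
  for (const name of Object.keys(payload)) {
    if (!(name in RULES)) errors.push(`unknown field: ${name}`);
  }
  return { valid: errors.length === 0, errors };
}

// Demo with constructed inputs.
console.log(validatePayload({ username: 'alice_1', email: 'alice@example.test', amount: '10.50' }));
console.log(validatePayload({ username: "a' OR 1=1--", email: 'not-an-email', amount: '1e9', extra: 'x' }));
```

Client-side validation improves the user experience and keeps obviously bad requests off the wire, but the server must apply the same rules and use parameterised queries; a validated client is not a trusted client.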
Logs should be disabled before distributing the app. That is why Smartface core logs are disabled by default when you publish with a license. Logs can still be used on the JS layer.
Java code can be decompiled easily. On the Android side, Smartface uses obfuscation by design, so you don’t need to do anything.
11. Certificate Management
For certificate management, Smartface imports the intermediate certificates from the Mozilla certificate store into the app, so the application can connect to any service using TLS/SSL.
12. Application protection
13. Data storage
For data stored in the app, such as user names and passwords, the SQLite database is encrypted, and the developer can also apply other encryption algorithms.
14. Dynamic private key
This approach can be used in the application with the necessary coding, but the exact process must be decided on and the web services must also be configured accordingly. The application is almost complete and this would require some serious effort, so our recommendation is to decide on the flow and then consider this development in the second phase.