
Security Does Matter! Let’s learn about some useful security tips while making an app with Smartface.

Security is one of the most important parts of the application development process. Almost all applications use or store sensitive data, and these operations must be done in a secure way. Data security is like a chain: one weak link affects the whole chain, so every layer must be secure to make a secure system.

The most commonly encountered mobile app vulnerabilities are:

  • Unsafe data transmission
  • Improper session handling
  • Unvalidated user input
  • Unsafe local storage
  • Hardcoded password/hash
  • Logs

So what can we do to build a secure application? Securing the application alone is not enough; the whole system must be secure. This can be defined in 3 parts:

  • Server
  • Network
  • Client

We will talk mostly about the client side. When you develop an application with Smartface, we suggest you take care of the points below:

1. Do not store everything

If you use network objects (XMLHttpRequest), commit your network-related datasets as rarely as possible. Be sure that “Auto Commit” is not selected unless you need it. Use commit only if you want to save data to the local database and use it later (it is kept even after you close the app).

2. InMemory Sqlite Tables

If you need to filter a dataset, you may have to commit it. If the committed data is sensitive, use the InMemory table option: the table is then kept in memory and not stored locally. You can enable this feature by checking the RunOnMemory option on the table. For more information about tables, see the Table Guide.

3. Secure Tables and Columns

In order to keep sensitive data secure, you can encrypt your data with your own encryption or with open source JS cryptography libraries such as crypto-js.

4. Secure variables

Store your sensitive variables securely. The third parameter of the setVariable function makes the variable encrypted, as in the call below. For more information, please refer to the Store Variables Guide.

SMF.setVariable("varA", "123", true, false); // third parameter true: the variable is stored encrypted

5. Encrypt HTTP request/response parameters

Use encryption when you send and receive sensitive data with the HTTP objects (XMLHttpRequest). You can check open source JS cryptography libraries such as crypto-js.

6. Use SSL

All networking operations should be done over SSL. 

7. Use hashes

When you create your own algorithms by making some string operations, use hashes at least two times (hash the hashed string) to harden your algorithm. Including a timestamp, device unique identifiers and random numbers in the hashed input will also make it stronger.

8. User inputs

Check all user input for injection attempts or malformed requests before sending it. Otherwise bad inputs may cause unhandled exceptions on the server side.

9. Logs

Logs should be disabled before distributing the app. That’s why Smartface core logs are disabled by default when you use a license while publishing. Logs can be used on the JS layer.

10. Obfuscation

Java code can be decompiled easily. On the Android side, Smartface uses obfuscation by design; you don’t need to do anything.

11. Certificate Management

For certificate management, Smartface imports the intermediate certificates from the Mozilla certificate store into the app, so the application can connect to any service using TLS/SSL.

12. Application protection

The core of Smartface is written in C++ and cannot be decompiled. The portions written in Objective-C have a similar structure and cannot be decompiled either. For JavaScript and Java code, code obfuscation is used to protect against decompiling. The application is hardened with secret keys used to obfuscate the code.

13. Data storage

For data storage in the app such as user name and passwords, SQLite database is encrypted and the developer can also use various encryption algorithms.

14. Dynamic private key

This approach can be used in the application with the necessary coding, but the exact process must be decided on and the web services must also be configured accordingly. The application is almost complete and this would require some serious effort, so our recommendation is to decide on the flow and then consider this development in the second phase.