Securing Data at Rest: Essential Strategies for Mobile Apps (iOS & Android)

1. Keychain (iOS) & KeyStore (Android):

• Purpose: Storing sensitive data such as authentication tokens, passwords, and encryption keys securely.
• Scenario: A banking app needs to store the user's authentication token securely to maintain the user’s login session. By using Keychain (iOS) or KeyStore (Android), the app can ensure that these tokens are stored securely with hardware-backed encryption, making it extremely difficult for malicious actors to extract them.
• Benefits: Hardware-backed encryption, strong key management.
• iOS: Use Keychain APIs for storing and retrieving items. Keychain services allow you to securely store small, sensitive pieces of data like passwords, tokens, and encryption keys.
• Android: Utilize the android.security.KeyStore class, The KeyStore class provides a secure container for cryptographic keys and their corresponding values. Here's how to utilize it:

2. Data Encryption:

• Purpose: Protecting sensitive data stored in files or databases to prevent unauthorized access. Transforming data into unreadable form to protect it from unauthorized access.
• Scenario: A messaging app stores messages on the device for offline access. By encrypting these messages using AES-256, the app ensures that even if the device is compromised or the storage is accessed by unauthorized individuals, the messages remain unreadable without the encryption key.
• Recommended Algorithm: AES (Advanced Encryption Standard), ideally AES-256.
• iOS: Leverage the Security framework for encryption/decryption.
• Android: Use the javax.crypto package and Cipher class.

3. Secure Shared Preferences

• Purpose: Storing simple key-value pairs securely, such as user settings or preferences.
• Scenario: A fitness tracking app needs to store the user's preferences and settings, such as units of measurement (miles vs. kilometers) and notification settings. By using EncryptedSharedPreferences (Android) or UserDefaults with NSFileProtectionComplete (iOS), the app ensures these settings are securely stored and protected from unauthorized access.
• iOS: Use UserDefaults with NSFileProtectionComplete for data protection.
• Android: Opt for EncryptedSharedPreferences instead of regular SharedPreferences.

4. File Protection in iOS:

• Purpose: Automatically encrypting files when the device is locked to protect sensitive data. Set the appropriate protection level using file attributes.
• Scenario: A health app stores sensitive medical reports on the device. By setting the file protection level to FileProtectionComplete, the app ensures that these files are encrypted and inaccessible whenever the device is locked, enhancing data security.
• Levels: FileProtectionComplete, FileProtectionCompleteUnlessOpen, FileProtectionCompleteUntilFirstUserAuthentication, FileProtectionNone.

5. SQLCipher (Both):

• Purpose: Encrypting SQLite databases to protect data at rest.

• Scenario: A note-taking app uses an SQLite database to store user notes. By integrating SQLCipher, the app ensures that all the data within the database is encrypted, protecting the notes even if the database file is extracted or the device is compromised.
• Benefits: Protects data even if the database file is extracted.

6. Secure Environmental and SDK Keys

Storing SDK keys locally on devices or storing them in plain text configuration files (e.g., gradle.properties for Android, .plist or .xcconfig for iOS) makes them vulnerable to reverse engineering and unauthorized access.

• Solution

1. Fetch SDK keys dynamically from secure cloud services, reducing the risk of exposure and allowing for easier key rotation. As an example one can consider using Firebase Remote Config or Optimizely to implement this approach.

2. Implement secure methods for managing and injecting SDK keys during the build process to avoid exposing them in your codebase or configuration files.

2.1 Keeps sensitive keys out of the source code: Store SDK keys in environment variables and reference these variables in your build configuration. This keeps sensitive keys out of the source code and minimizes the risk of exposure.

2.2 Integrate Keys into CI/CD Integration: Integrate these keys into your Continuous Integration/Continuous Deployment (CI/CD) pipelines. Ensure that environment-specific keys are injected securely during the build process, tailored to development, staging, or production environments.

2.3 Encrypted and Restricted Build Environment: Ensure that your build environment is secure, with encrypted storage and restricted access to sensitive data. Use secure communication protocols for transferring keys and sensitive information during the build process.

7. Use Native Development Kit (NDK) for Android

Writing critical code in C/C++ using NDK makes reverse engineering more difficult compared to Java/Kotlin.

Key Principles:

• Never store sensitive data in plain text.
• Always encrypt sensitive data before storing it.
• Manage encryption keys securely using Keychain/KeyStore.
• Choose the right storage mechanism for each type of data.