The Guardsquare Community was created to provide an open and collaborative environment where both Guardsquare experts and app developers can share and learn from each other. It was also designed to be a central resource for ProGuard support and related open source and free tools.
Over the past year, we have seen the Community come together and support each other in ways that have been truly inspiring. It encouraged us to host an Ask Me Anything event to give Community members direct access to our Product Managers to have a discussion around mobile app security.
And, in the spirit of helping developers address the daunting challenges of protecting their mobile apps in the face of a constantly evolving threat landscape, we invited conversation around not just our free tools, but around our commercial products as well. After all, a significant benefit of not building your own mobile security is that you partner with a company that prioritizes constant innovation.
We learned a lot during the Ask Me Anything, especially around the value of working more closely with the Community to ensure we’re effectively educating app developers around successfully hardening mobile applications. We also recognized a significant interest in an open discussion, so in addition to encouraging continuous feedback and engagement in the Community throughout the year, we are planning to host additional Ask Me Anything sessions, as well.
Here are a few questions — and the answers our team provided — from our most recent Ask Me Anything event.
Question: Almost every mobile application communicates with the backend. To have secure communication, we most often rely on certificate pinning along with HTTPS. But, because the certificate validations are handled in the Mobile SDK, which is distributed to partners and app developers, handling the certificate expiration is becoming challenging.
What would be the best practice for handling certificate expiration scenarios within Mobile SDKs?
Answer: Though applying certificate pinning in combination with HTTPS is definitely a good approach to secure your communication when it’s in transit against man-in-the-middle (MiTM) attacks, it won’t necessarily protect your communication against man-at-the-end (MaTE) attacks. This is because a threat actor using your app can easily understand the protocol and discover the sent data once the TLS ends, and all data fields sent by the server reside unencrypted in the app.
On your question about the best practice for handling certificate expirations, the standard answer is to rotate your certificates before the expiration date, by temporarily allowing both the old and new certificates to connect to your backend. For an SDK, this might be challenging since you don’t have full control over when the apps that use your SDK will release with your latest version.
A good additional practice would be to sunset older versions of your SDK on a regular basis (and consider only actively supporting the last three releases). This would require your users to upgrade. A bonus: This also forces MaTE attackers to restart their reversing efforts.
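The overlap period described in the answer above, as an added example (not code from the Guardsquare team or from any of its products): an SDK-side pin set that lists the old and the new backend key side by side, retires each pin after its date, and shows both fail-closed and fall-back-to-plain-TLS behaviour once every shipped pin has aged out. The SPKI bytes and dates are constructed for illustration.

```python
import base64
import hashlib
from datetime import date

# Constructed stand-ins for the DER-encoded SubjectPublicKeyInfo of each key.
# In a real SDK these would be extracted from the backend certificates.
OLD_SPKI = b"constructed-old-backend-spki"
NEW_SPKI = b"constructed-new-backend-spki"
ROGUE_SPKI = b"constructed-interception-proxy-spki"


def spki_pin(spki_der: bytes) -> str:
    """Public-key pin in the common base64(sha256(SPKI DER)) form."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


# Pin set compiled into the SDK release. During rotation it carries the old
# and the new key; each pin records the last day the SDK may rely on it.
PIN_SET = {
    spki_pin(OLD_SPKI): date(2022, 3, 31),  # current backend cert, retiring
    spki_pin(NEW_SPKI): date(2023, 3, 31),  # successor, pinned ahead of cutover
}


def verify_pins(chain_spkis, today, pin_set=PIN_SET, fail_closed=True):
    """True if any SPKI in the presented chain matches a pin that is still live.

    fail_closed=False models the "SDK still installed in old apps" fallback:
    once every shipped pin has passed its date, skip the pin check and rely on
    ordinary TLS validation instead of breaking every app that never updated.
    Either choice is a deliberate policy decision; this function only applies it.
    """
    live_pins = {pin for pin, last_day in pin_set.items() if today <= last_day}
    if not live_pins:
        return not fail_closed
    return any(spki_pin(spki) in live_pins for spki in chain_spkis)


def days_until_dark(today, pin_set=PIN_SET) -> int:
    """How long until the whole pin set is retired; a release-planning signal."""
    return max((last_day - today).days for last_day in pin_set.values())
```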
Question: I was wondering which is the safest flow for OpenID Connect and how iXGuard can help strengthen security of client secrets.
Answer: With respect to which flow to follow, I’d suggest you consult objective references, like Okta Developer. In this case, specific to mobile, it would be the PKCE flow.
Coming to the second part of your question, OpenID is very similar to the OAuth flow; you’d only get an ID token generated at the end.
Your first line of defense should probably be the proper implementation of TLS combined with SSL pinning, to mitigate interception by a MiTM. But you should go beyond this line since your clients will still remain vulnerable to MaTE attacks. This is where tools like iXGuard (for iOS) or DexGuard (for Android) come into the picture. By using their runtime application self-protection (RASP) capabilities, they can detect any integrity violations toward your app while it’s running, and make it crash randomly upon detection. This guarantees that no one can attach a debugger and read out the app’s memory to intercept any traffic after TLS has ended (all data has been decrypted), or to identify the ID token.
Other RASP methods, like the resigning check, ensure the app installed on the end user’s device hasn’t been tampered with. This is why you really need to apply SSL pinning in combination with hardening your mobile app.
An additional layer of defense might include a mechanism, like app attestation, to guarantee that only genuine clients can connect to the server. You might even want to go one step further by considering obfuscation of your protocol.
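The PKCE flow recommended in the answer above, as an added example (not code from the Guardsquare team or from any of its products): the client derives an S256 code challenge from a random verifier, the authorization server binds the issued code to that challenge, and the token endpoint only redeems the code when the matching verifier is presented. This is why a public mobile client needs no embedded client secret for the code exchange. The `AuthServer` class is a minimal stand-in for the two endpoints, not a real provider.

```python
import base64
import hashlib
import secrets


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding RFC 7636 specifies."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """Client side: 32 random bytes give a 43-character verifier (allowed: 43..128)."""
    return b64url(secrets.token_bytes(32))


def make_code_challenge(verifier: str) -> str:
    """Client side, S256 method: base64url(sha256(ascii(verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthServer:
    """Stand-in for the /authorize and /token endpoints (constructed, not a real IdP)."""

    def __init__(self):
        self._pending = {}  # authorization code -> code_challenge it was issued against

    def authorize(self, code_challenge: str) -> str:
        """/authorize: issue a code and remember the challenge it is bound to."""
        code = secrets.token_urlsafe(16)
        self._pending[code] = code_challenge
        return code

    def token(self, code: str, code_verifier: str) -> bool:
        """/token: the code is single-use and only valid with the matching verifier."""
        challenge = self._pending.pop(code, None)  # burn the code on any attempt
        if challenge is None:
            return False
        return secrets.compare_digest(make_code_challenge(code_verifier), challenge)


def run_pkce_flow(server: AuthServer):
    """Returns (legitimate exchange, replay of the same code, code used without its verifier)."""
    verifier = make_code_verifier()
    code = server.authorize(make_code_challenge(verifier))
    legit = server.token(code, verifier)
    replay = server.token(code, verifier)
    # A code observed in transit is useless to anyone who does not hold the verifier.
    code2 = server.authorize(make_code_challenge(make_code_verifier()))
    without_verifier = server.token(code2, make_code_verifier())
    return legit, replay, without_verifier
```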
Question: I would like to know a little bit about the near future of the solutions that you’re providing!
Right now, we (me and my team) are using the AppSweep version for Android. Will this expand to iOS soon? Or will it be restricted to Android?
Also, about DexGuard/iXGuard, are there plans to support Flutter?
Answer: For AppSweep, we definitely intend to cover iOS in the future, but right now, we’re focused on ensuring that we deliver the best mobile application security testing tool for Android. We want to be sure it’s fast, that the UX is intuitive for developers, and that the findings we produce are relevant and actionable. So, for now, our roadmap is focused on perfecting our Android mobile app security testing tool and continually improving the product. As we move into next year, we’ll start planning support for iOS, so stay tuned; we will get to it and you’ll be the first to know when we do!
With regard to Flutter, we delivered a closed Beta for some of our customers to allow them to protect their apps developed with Flutter. We started the beta in August to initially support Android-based apps and we recently added iOS support. Based on Beta user feedback, we’re finalizing our plan for the GA release of Flutter support.
The biggest takeaway from our Ask Me Anything is that we are continuing to see that mobile app developers are always looking for ways to enhance performance while ensuring a smooth and secure user experience. From how to best handle certificate expiration scenarios to preparing for Flutter support, the Community provides an environment that allows for greater collaboration to continuously improve.
We encourage you to continue the discussion outside of this Ask Me Anything. Our team is ready to listen and engage.