Security remains a top priority and is attracting significantly more interest, partly because of the GDPR and, more recently, because of the Payment Directive Service 2 (PSD2) in the EU. This motivated us to publish a dedicated Tabris.js secure runtime page, where we present the main benefits of our secure mobile technology.
But the most exciting news is that Tabris technology proved to be a state-of-the-art solution for building secure native mobile apps. Our customer’s banking app won in the app review for the German Banking Applications 2018 by CHIP Magazine. We also made significant progress and delivered a solution for the Payment Directive Service 2 (PSD2) requirements, using advanced cryptography to ensure the Strong Customer Authorization (SCA) process.
One attack that is difficult to protect against involves someone taking your application, decompiling it, changing it, and re-publishing it to the app stores. The attacker then tries to get users to install their modified version instead of your official one. A well-crafted app will still behave like the original so the user has no idea they are using a version that has been tampered with.
To protect against this, you can perform a check at runtime to see if the code you are executing matches your signing key. On Android, you can check the fingerprint of the signing certificate using
Code signing and verification is a mechanism used to ensure that the code being executed has not been tampered with. When the code is authored, a fingerprint is computed and that fingerprint is signed with a private key. At execution time, the same fingerprint is computed and the matching public key is used to verify that the signature matches. If the signature matches, the code can be executed; otherwise, the code is rejected with a security exception.
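The sign-then-verify mechanism above, combined with the runtime signing-key check from the preceding paragraph, as an added Node.js example (not Tabris.js or Android API code, and not from the original page). The helper names `signPackage`, `loadVerified` and `verdict`, the in-memory key pairs and the code strings are assumptions constructed for illustration; the example shows that a copy re-signed with a different key still carries a valid signature and is only caught by comparing the signer's fingerprint with a pinned value.

```javascript
const crypto = require("node:crypto");

// SHA-256 fingerprint (hex) of a public key in DER-encoded SPKI form.
function fingerprint(publicKey) {
  const der = publicKey.export({ type: "spki", format: "der" });
  return crypto.createHash("sha256").update(der).digest("hex");
}

// Publisher side (hypothetical helper): hash the code and sign the digest.
// crypto.sign("sha256", ...) performs the hash-then-sign step in one call.
function signPackage(code, keyPair) {
  const signature = crypto.sign("sha256", Buffer.from(code), keyPair.privateKey);
  return { code, signature, signerKey: keyPair.publicKey };
}

// Runtime side (hypothetical helper): reject unless the signature verifies
// AND the signer is the key whose fingerprint is pinned in the app.
function loadVerified(pkg, pinnedFingerprint) {
  const ok = crypto.verify("sha256", Buffer.from(pkg.code), pkg.signerKey, pkg.signature);
  if (!ok) throw new Error("SecurityError: signature does not match code");
  if (fingerprint(pkg.signerKey) !== pinnedFingerprint) {
    throw new Error("SecurityError: signed by an unexpected key");
  }
  return pkg.code;
}

function verdict(pkg, pinned) {
  try { loadVerified(pkg, pinned); return "accepted"; }
  catch (err) { return err.message; }
}

// Constructed scenario: keys and code strings are generated here, not real.
function demo() {
  const newKey = () => crypto.generateKeyPairSync("ec", { namedCurve: "prime256v1" });
  const publisher = newKey();
  const attacker = newKey();
  const pinned = fingerprint(publisher.publicKey);
  const official = signPackage("showBalance();", publisher);
  // Modified code shipped with the original signature.
  const tampered = { ...official, code: "showBalance(); leak();" };
  // Modified code re-signed with a different key: the signature itself is valid.
  const resigned = signPackage("showBalance(); leak();", attacker);
  return {
    official: verdict(official, pinned),
    tampered: verdict(tampered, pinned),
    resigned: verdict(resigned, pinned),
  };
}
console.log(demo());
```

The pinned fingerprint has to live inside the code being protected, so this check raises the cost of repackaging rather than making it impossible; it works best alongside server-side validation.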
However, disabling apps on rooted phones is also a double-edged sword. Some people root their phones to install security patches, and in some cases, rooted phones may actually be more secure than stock installs. If you are going to perform root detection, think about your target audience and whether this security measure actually makes sense for your app.