A Cybr member reached out the other day via email with some questions that I felt would be interesting and helpful to others as well. So with his permission, I’m posting it here with anonymization and details stripped out.
I’ve been working on a mobile application and have a few questions.
Is it safe to allow users with jailbroken devices to access the app? Is it safe for the users?
Is it safe for third-party secret keys that we store in the app, like integration keys that use SDKs? How can we protect those keys from things like reverse-engineering attacks?
Wouldn’t allowing jailbroken devices to use the app circumvent a lot of our security controls and expose things like those keys?
For your first question about allowing access to your app from jailbroken devices: there are mechanisms you can use to detect a jailbroken device and refuse to run (jailbreak detection), but I don’t think any of them is 100% foolproof, since a determined attacker with a hooking framework can patch or stub out the checks. So it should be one layer of defense, combined with other, stronger layers. Because no, ideally you should not allow jailbroken devices to run your app, especially if it handles sensitive information.
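To make that "one layer" concrete, here is an added example (not code from the original post, Cybr, or any of its courses) of a simple jailbreak heuristic in Swift. It assumes an iOS app target, that the path list is illustrative rather than exhaustive, and that the app's Info.plist lists `cydia` under `LSApplicationQueriesSchemes` (without that entry, `canOpenURL` always returns false). Every check here can be defeated by hooking `FileManager` or `UIApplication`, which is exactly why the function returns a list of findings to report upstream rather than a single yes/no that a tampered binary can flip:

```swift
import Foundation
import UIKit

/// Added example: a layered jailbreak heuristic. Each check is cheap to bypass
/// on its own, so the result should feed a server-side risk decision rather
/// than be the only gate in front of sensitive functionality.
enum JailbreakCheck {

    /// Artifacts commonly left behind by jailbreak tooling. Illustrative list
    /// (an assumption for this example); it drifts as tooling changes.
    static let suspiciousPaths = [
        "/Applications/Cydia.app",
        "/Library/MobileSubstrate/MobileSubstrate.dylib",
        "/bin/bash",
        "/usr/sbin/sshd",
        "/etc/apt",
        "/private/var/lib/apt/",
        "/usr/bin/ssh",
    ]

    /// Returns the names of the checks that fired so the caller can log or
    /// report them. An empty array means "nothing detected", not "device is clean".
    /// Must be called on the main thread because of UIApplication.shared.
    static func findings() -> [String] {
        #if targetEnvironment(simulator)
        // The simulator legitimately has several of these paths; don't flag it.
        return []
        #else
        var hits: [String] = []
        let fm = FileManager.default

        // 1. Known jailbreak files present?
        for path in suspiciousPaths where fm.fileExists(atPath: path) {
            hits.append("file:\(path)")
        }

        // 2. /Applications is a symlink to /var/stash on many jailbreaks;
        //    destinationOfSymbolicLink throws on a stock device.
        if (try? fm.destinationOfSymbolicLink(atPath: "/Applications")) != nil {
            hits.append("symlink:/Applications")
        }

        // 3. Can we write outside the app sandbox? A stock device cannot.
        let probe = "/private/jailbreak_probe_\(UUID().uuidString).txt"
        if fm.createFile(atPath: probe, contents: Data("x".utf8)) {
            try? fm.removeItem(atPath: probe)
            hits.append("sandbox:writable-outside")
        }

        // 4. Injected libraries (hooking frameworks) show up here on some setups.
        if ProcessInfo.processInfo.environment["DYLD_INSERT_LIBRARIES"] != nil {
            hits.append("env:DYLD_INSERT_LIBRARIES")
        }

        // 5. Cydia URL scheme registered? Requires the LSApplicationQueriesSchemes
        //    entry "cydia" in Info.plist (assumed for this example).
        if let url = URL(string: "cydia://package/com.example.package"),
           UIApplication.shared.canOpenURL(url) {
            hits.append("url-scheme:cydia")
        }
        return hits
        #endif
    }

    /// Convenience wrapper for callers that only want a coarse signal.
    static var isLikelyJailbroken: Bool { !findings().isEmpty }
}

// Usage (e.g. early in app start-up, on the main thread):
// let hits = JailbreakCheck.findings()
// if !hits.isEmpty { /* send hits with the session telemetry; degrade features */ }
```

Treat the output as a signal, not a verdict: reporting the individual findings to your backend lets you correlate them with other risk indicators, and a hard client-side `exit()` on detection is the first thing a reverse engineer patches out.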
Otherwise, I’m not sure if you’ve gotten to that part in my Intro to AppSec course yet (or if you already know of it), but the OWASP MASVS (Mobile Application Security Verification Standard) comes in very handy here. The level you’ll want to aim for depends on your application and organization. For example, if you were dealing with a banking app, you’d probably want to aim for Level 2 plus the Resiliency (MASVS-R) requirements, which cover controls like jailbreak detection and resistance to reverse engineering.
Here are requirements recommended by the MASVS, some of which help answer your other questions: