My response:
For your first question about allowing access to your app from jailbroken devices: there are some mechanisms you can use to block the app from running if it detects a jailbroken device, but I don’t think there is a 100% foolproof way of doing that. So, it should be a layer of defense, combined with other better layers. Because no, ideally you should not allow jailbroken devices to run your app, especially if it contains sensitive information.
I found a good resource that discusses detecting jailbroken devices: https://www.cryptomathic.com/news-events/blog/application-hardening-for-mobile-banking-apps-root-and-jailbreak-detection. They have some other resources and blog posts that may be useful in answering some of your other questions.
Otherwise, I’m not sure if you’ve gotten to that part in my Intro to AppSec course yet or not (or if you already know of it), but the OWASP MASVS comes in very handy here. The level that you’ll want to aim for depends on your application and organization. For example, if you were dealing with a banking app, you’d probably want to aim for Level 2 + Resiliency.
Here are requirements recommended by the MASVS, some of which help answer your other questions:
- Resilience – https://mobile-security.gitbook.io/masvs/security-requirements/0x15-v8-resiliency_against_reverse_engineering_requirements
- Data storage – https://mobile-security.gitbook.io/masvs/security-requirements/0x07-v2-data_storage_and_privacy_requirements
- Cryptography – https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements
- Network communication – https://mobile-security.gitbook.io/masvs/security-requirements/0x10-v5-network_communication_requirements
They don’t necessarily provide all of the answers as to “how” you achieve the requirements, but at the very least they give you a good checklist.
In terms of key management, hopefully these articles give helpful insights:
- https://www.cryptomathic.com/news-events/blog/secure-storage-and-key-protection-for-mobile-banking-and-payment-apps
- https://medium.com/hackernoon/they-reverse-engineered-16k-apps-heres-what-we-d-fix-67e9eeceefb5 (The idea: Using a 3rd party API proxy can help reduce the number of keys on the mobile device)
- https://hackernoon.com/mobile-api-security-techniques-682a5da4fe10
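An added illustration of the API-proxy idea mentioned above (example code written for this thread, not from the original post or the linked articles): the third-party key lives only on the proxy server, the app holds a short-lived HMAC-signed session token instead, and the proxy only forwards to an allowlist of upstream paths. All names, secrets and paths are constructed for the demo.

```python
import hmac
import hashlib
from typing import Callable, Optional

# Constructed demo secrets. Only the proxy process holds them; the mobile app
# never receives THIRD_PARTY_API_KEY, so a jailbroken device has nothing to dump.
THIRD_PARTY_API_KEY = "tp_live_EXAMPLE_KEY_NOT_REAL"
SESSION_SIGNING_KEY = b"constructed-session-signing-key"
ALLOWED_UPSTREAM_PATHS = {"/v1/quotes", "/v1/orders"}  # proxy is not an open relay
Upstream = Callable[[str, dict, dict], tuple]  # (path, headers, body) -> (status, body)

def issue_session_token(user_id: str, now: int, ttl: int = 900) -> str:
    """Handed to the app after login: a short-lived, user-bound credential
    that carries no third-party secret (hypothetical token format)."""
    payload = f"{user_id}:{now + ttl}"
    sig = hmac.new(SESSION_SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{sig}"

def verify_session_token(token: str, now: int) -> Optional[str]:
    """Return the user id if the token is well-formed, unexpired and untampered."""
    parts = token.split(":")
    if len(parts) != 3 or not parts[1].isdigit():
        return None
    user_id, exp, sig = parts
    expected = hmac.new(SESSION_SIGNING_KEY, f"{user_id}:{exp}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected) or now >= int(exp):
        return None
    return user_id

def proxy_call(token: str, now: int, path: str, body: dict, upstream: Upstream) -> tuple:
    """Handle one app request: authenticate the user first, then attach the
    third-party key server-side and forward. Rejected requests never reach upstream."""
    user_id = verify_session_token(token, now)
    if user_id is None:
        return 401, {"error": "invalid or expired session"}
    if path not in ALLOWED_UPSTREAM_PATHS:
        return 403, {"error": "path not permitted"}
    headers = {"Authorization": f"Bearer {THIRD_PARTY_API_KEY}", "X-End-User": user_id}
    return upstream(path, headers, body)

UPSTREAM_CALLS = []  # records what the constructed fake upstream received

def fake_upstream(path: str, headers: dict, body: dict) -> tuple:
    """Stand-in for the real third-party API (constructed; no network access)."""
    UPSTREAM_CALLS.append({"path": path, "headers": headers, "body": body})
    return 200, {"ok": True, "path": path}
```

Compromising a device then yields only a revocable per-user session, not the shared third-party key, which is the point the linked article makes about reducing the number of keys on the handset.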