How to Store Encrypted Secrets in Android & iOS Memory
Learn 4 Easy Steps to Store Encrypted Secrets in Android & iOS Memory. Protect app secrets in encrypted memory. No Code, No SDK, Continuous Security.
With In-App Generated Seed and Smart Offline Handoff for Data at Rest Encryption, you can store and encrypt secrets in protected memory and seed it with an external secret. The secret can be derived from a backend server or from user input. Appdome’s Storing in Protected Memory enables you to protect those secrets by storing them in the mobile app encrypted memory.
This Knowledge Base article summarizes the steps needed to store those external secrets used by a mobile app in the app encrypted memory.
We hope you find it useful and enjoy using Appdome!
Why Store Encrypted Secrets in Android & iOS Memory
Although the application’s memory is protected from other malicious applications using iOS and Android sandboxing, there are multiple cases when the memory is not protected:
- There are specialized kernels that remove memory protection
- In rooted mobile devices:
- (iOS) Users can use the function
vm_read
to view the app memory. - (Android) Users can view the app memory files under
/proc/<pid>/mem
- (iOS) Users can use the function
- Zero-day attacks
- Malicious dynamic reverse-engineering and debugging attempts on the app.
Most of those scenarios are covered by Appdome Jailbreak and Root Detection and Anti-Debugging protection. In addition, to fully protect and harden any mobile app data and secrets, Appdome developed Store in Protected Memory solution.
About Encrypted Memory
Using a special technique, Appdome stores the sensitive data (secrets) and encrypts it in the process’s memory. The data will remain encrypted throughout the entire process’ runtime. When the application accesses this memory, it will manage to access the original data, while external access will read the encrypted data.
Due to the nature of encrypted memory, memory access takes longer than usual. For this reason, Appdome does not encrypt the entire process memory, but only the essential information that is generated from the application when enabling Appdome’s In-App Generated Seed and Smart Offline Handoff.
When Appdome stores those generated keys, it will be using encrypted memory, and the secrets will be protected. Notice that in order to fully protect the keys, the app developer is required to exercise responsible coding practices and wipe the secret from within the app code after passing it to Appdome. Otherwise, in case the application’s memory would be dumped, the secret will appear there. Remember – a chain is only as strong as its weakest link!
Appdome is a mobile integration platform as a service (iPaaS) that allows users to add a wide variety of features, SDKs, and APIs to Android and iOS apps. Using a simple ‘click to add’ user interface, Appdome allows anyone to easily implement storing in protected memory to any mobile app – instantly, no code or coding required.
Using Appdome, there are no development or coding prerequisites. For example, there is no Appdome SDK, libraries, or plug-ins to implement. Likewise, there is no requirement to implement data at rest encryption manually or encrypt the entire memory in order to protect the application secret. Using Appdome, mobile apps will have data at rest capabilities as if they were natively coded into the app. Except using Appdome, the integration takes less than a minute, and there’s no coding at all.
Prerequisites to store and encrypt secrets in Protected Memory
- Appdome account
- Appdome-DEV access
- Mobile App (.ipa for iOS, or .apk or .aab for Android)
- Follow the instruction in External Seed for Data at Rest Encryption or in Smart Offline Handoff to set your key.
How to Store and Encrypt Secrets in Protected Memory
To enable Storing in Protected Memory to any mobile app:
- Follow these steps to add a mobile app to your Appdome account.
- Go to Build > Security.
- Expand TOTALDataTM Encryption category and enable (toggle On) Data at Rest Encryption.
- Expand Encryption Control.
- Click on the relevant toggle to enable In-App Generated Seed or Smart Offline Handoff.
- Enable Store in Protected Memory.
- Click Build My App
Congratulations! You now have a mobile app fully integrated with Store in Protected Memory.
Storing in Protected Memory Example
We built an example app with Storing in Protected Memory. The app stores a string in protected memory and prints it.
Here is the application output. The data was printed correctly by the application:
However, when we look at the memory which stores it using lldb debugger, we can see the data is encrypted:
The encryption changes among executions, so when the application was executed again, the memory held different data:
No Coding Dependency
How to Sign & Publish Secured Mobile Apps Built on Appdome
After successfully securing your app using Appdome, there are several available options to complete your project, depending on your app lifecycle or workflow. These include:
- Signing Secure iOS and Android apps
- Customizing, Configuring & Branding Secure Mobile Apps
- Deploying/Publishing Secure mobile apps to Public or Private app stores
Or, see this quick reference Releasing Secured Android & iOS Apps built on Appdome.
How To Learn More?
This topic expands on Data at Rest encryption, you can read more about it at Data at rest encryption for mobile apps
Check out the full menu of features in the Appdome Mobile Security Suite
If you have any questions, please send them our way at support@appdome.com or via the chat window on the Appdome platform.
Or request a demo at any time.
Thank you!
Thanks for visiting Appdome! Our mission is to secure every app on the planet by making mobile app security easy. We hope we’re living up to the mission with your project. If you don’t already have an account, you can sign up for free.