Store and Encrypt Secrets in Your Mobile Apps' Protected Memory
With In-App Generated Seed and Smart Offline Handoff for Data at Rest Encryption, developers and other mobility, security or IT professionals can protect the data stored within a mobile app and seed it with an external secret, derived from a backend server or from user input. Appdome's Storing in Protected Memory enables its users to protect those secrets by keeping them in the mobile app's encrypted memory.
This Knowledge Base article summarizes the steps needed to store the external secrets used by a mobile app in the app's encrypted memory.
We hope you find it useful and enjoy using Appdome!
Mobile Apps Memory Vulnerability
Although the application's memory is protected from other malicious applications by iOS and Android sandboxing, there are several cases in which the memory is not protected:
- Specialized kernels that remove memory protection
- Rooted (Android) or jailbroken (iOS) devices:
  - (iOS) Users can call the function vm_read to view the app memory.
  - (Android) Users can view the app memory files under
- Zero-day attacks
- Malicious dynamic reverse-engineering and debugging attempts against the app.
Most of these scenarios are covered by Appdome's Jailbreak and Root Detection and Anti-Debugging protections. In addition, to fully protect and harden any mobile app's data and secrets, Appdome developed the Storing in Protected Memory solution.
About Storing in Protected Memory
Using a special technique, Appdome stores the sensitive data (secrets) encrypted in the process's memory. The data remains encrypted throughout the entire runtime of the process. When the application itself accesses this memory, it obtains the original data, while any external access reads only the encrypted data.
Because of the nature of encrypted memory, memory access takes longer than usual. For this reason, Appdome does not encrypt the entire process memory, but only the essential information generated by the application when Appdome's In-App Generated Seed or Smart Offline Handoff is enabled.
When Appdome stores those generated keys, it uses encrypted memory, so the secrets are protected. Note that in order to fully protect the keys, the app developer is required to follow responsible coding practices and wipe the secret from the app's own variables after passing it to Appdome. Otherwise, if the application's memory is dumped, the secret will appear there in plaintext. Remember – a chain is only as strong as its weakest link!
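The following is an added illustration, not Appdome's code (its real technique is undisclosed), of the two points above: a secret held in process memory only in masked form under a random per-process mask, and a wipe of the caller's plaintext copy that the compiler cannot optimize away. It assumes a plain C environment; rand() stands in for the platform CSPRNG an app would actually use.

```c
/* Added illustration, not Appdome's code (its real technique is undisclosed): a secret kept
 * XOR-masked in process memory under a per-process mask, and a wipe the compiler cannot drop. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define SECRET_MAX 64

typedef struct {
    uint8_t masked[SECRET_MAX]; /* what a dump of this struct shows */
    uint8_t mask[SECRET_MAX];   /* a real design would keep this away from the data */
    size_t len;
} protected_cell;

/* Stores through a volatile pointer survive dead-store elimination, unlike a plain memset. */
void secure_wipe(void *p, size_t n) { volatile uint8_t *v = p; while (n--) *v++ = 0; }

/* Assumption: rand() stands in for a platform CSPRNG (arc4random_buf / getrandom). */
static void fresh_mask(uint8_t *out, size_t n) {
    for (size_t i = 0; i < n; i++) out[i] = (uint8_t)rand();
}

/* Mask the secret into the cell, then wipe the caller's plaintext copy. */
int protect_secret(protected_cell *c, uint8_t *secret, size_t len) {
    if (len > SECRET_MAX) return -1;
    fresh_mask(c->mask, len);
    for (size_t i = 0; i < len; i++) c->masked[i] = secret[i] ^ c->mask[i];
    c->len = len;
    secure_wipe(secret, len); /* the "weakest link" step: no plaintext left behind */
    return 0;
}

/* Unmask into a caller buffer; the caller must secure_wipe() it after use. */
size_t reveal_secret(const protected_cell *c, uint8_t *out) {
    for (size_t i = 0; i < c->len; i++) out[i] = c->masked[i] ^ c->mask[i];
    return c->len;
}

/* Self-check on a constructed secret: plaintext wiped, cell holds no plaintext, round trip exact. */
int self_check(void) {
    static const uint8_t expected[8] = {'s','3','c','r','3','t','!','!'};
    uint8_t plain[8], out[8], zeros[8] = {0};
    protected_cell cell;
    memcpy(plain, expected, 8);
    if (protect_secret(&cell, plain, 8) != 0 || memcmp(plain, zeros, 8) != 0) return 0;
    if (memcmp(cell.masked, expected, 8) == 0 || reveal_secret(&cell, out) != 8) return 0;
    int ok = memcmp(out, expected, 8) == 0;
    secure_wipe(out, 8);
    return ok;
}
```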
Appdome is a mobile integration platform as a service (iPaaS) that allows users to add a wide variety of features, SDKs, and APIs to Android and iOS apps. Using a simple ‘click to add’ user interface, Appdome allows anyone to easily implement storing in protected memory to any mobile app – instantly, no code or coding required.
With Appdome, there are no development or coding prerequisites. For example, there is no Appdome SDK, library, or plug-in to implement. Likewise, there is no need to implement data at rest encryption manually or to encrypt the entire memory in order to protect the application secret. Using Appdome, mobile apps gain data at rest capabilities as if they had been natively coded into the app, except that with Appdome the integration takes less than a minute and requires no coding at all.
Prerequisites for Enabling Appdome’s Storing in Protected Memory
- Appdome account
- Appdome-DEV access
- Mobile App (.ipa for iOS, or .apk or .aab for Android)
- Follow the instructions in External Seed for Data at Rest Encryption or in Smart Offline Handoff to set your key.
How to Enable Storing in Protected Memory on Appdome
Follow these step-by-step instructions to enable Storing in Protected Memory in any mobile app.
Upload a Mobile App to Your Account
For External Seed:
- From the "Build" tab, select Security
- Expand the TOTALData™ Encryption category
- Click the toggle to enable Data at Rest Encryption
- Expand the Encryption Management sub-category:
  - Click the relevant toggle to enable In-App Generated Seed or Smart Offline Handoff
  - Click the toggle to enable Store in Protected Memory
- Click Build My App
The technology behind Build My App has two major elements – (1) a microservice architecture filled with 1000s of code sets needed for mobile integrations, and (2) an adaptive code generation engine that can recognize the development environment, frameworks and methods in each app and match the app to the relevant code-sets needed to add Store in Protected Memory ability to the mobile app in seconds.
Congratulations! You now have a mobile app fully integrated with Store in Protected Memory.
Storing in Protected Memory Example
We built an example app with Storing in Protected Memory. The app stores a string in protected memory and prints it.
Here is the application output. The data was printed correctly by the application:
However, when we inspect the memory that stores it using the lldb debugger, we can see that the data is encrypted:
The encryption changes between executions, so when the application was run again, the same memory held different data:
What to do After I Build My App?
After you have successfully built an app, you need to sign it in order to deploy it. You can also brand or customize a Fused app on Appdome. Read this Knowledge Base article to learn what to do after you successfully build an app. It explains both the optional and the required steps.
How Do I Learn More?
This topic expands on Data at Rest encryption; you can read more about it at Data at rest encryption for mobile apps.
To zoom out on this topic, visit Appdome for Mobile App Security on our website.