Watch the webinar "Best Practices for Securing Your Mobile Apps" to get some tips and tricks on NativeScript security!
So let's fix this! I will give you an overview of how the native apps protect the code and data and how NativeScript does this.
It is really about this - protecting the application code and protecting the data that your applications uses and stores on the device. Let's start with the data part.
Companies and developers are often concerned to protect sensitive data. The rule of thumb here of course is not to store any data that is sensitive on the device.
get the data,
store the data on the device
iOS and Android provide a set of cryptographic APIs for use by applications. These APIs include implementations of standard and commonly used cryptographic primitives, such as Advanced Encryption Standard (AES), Rivest-Shamir-Adleman (RSA), Digital Signature Algorithm (DSA), and Secure Hash Algorithm (SHA). Additionally, APIs are provided for higher-level protocols, such as Secure Socket Layer (SSL) and HTTPS. To read more please follow these links - iOS KeyChain and Android KeyStore.
To store simple key/value data on the device you have access to the entire API available in the native frameworks. The SecureStorage plugin in NativeScript gives you a cross-platform way of using those APIs.
For larger data sets that are not simple key:value pairs, you will need a data storage that is queryable. For this case a very popular solution is the SQLCipher database. SQLCipher is an SQLite extension that provides transparent 256-bit AES encryption of database files. Pages are encrypted before being written to disk and are decrypted when read back. Due to the small footprint and great performance it’s ideal for protecting embedded application databases and is well suited for mobile development.
As you can see there is no difference between NativeScript and the native application frameworks in securing the data on the device. Your data in NativeScript is as protected as in a native application because you can use the same mechanisms and libraries to protect it.
In a recent survey, about 80% of the NativeScript developers shared that they want to protect their code.
This is true for native iOS and Android applications. Once the app package is downloaded the source code of the application can be seen. I will not go into details how the source code of the app can be seen, but there are enough free tools that can reverse engineer and display the code. The process is different for iOS and for Android, due to the huge difference in the way Java and Objective-C code is being compiled.
In iOS it is harder to read the code, the process is a little bit more complex, but again not impossible.
In Android the additional layer of security is provided by a tool called ProGuard. ProGuard is part of Android Studio and can obfuscate the Java code you are using so that it is harder to reverse engineer while, again, still not impossible.
As a rule of thumb you should not download code from the server and execute it, as this can easily become a security hole.
What can you do in NativeScript to protect the code?
The above scenario is most commonly used in web pages for protecting and optimizing the code running on the web.
If you implement the above technique you will achieve the same level of protection found on the web and in Android native apps.
The next level of protection that we can enable in NativeScript is code encryption. We already saw that there are native solutions for data encryption which you can use today.
We already have a POC solution for code encryption and in the next blog post I will go and deep dive what we have in experimental state. We are looking for community input so we can make this feature complete. If you are interested in playing with the POC of the encryption plugin today, please email me (firstname.lastname@example.org)
As an additional protection in NativeScript, logic can be added to your applications to prevent your mobile application from executing, if the framework detects part of your application has been compromised or modified by an attacker.. Imagine an attacker downloads your app packages and inserts code that bypasses authentication or any other logic. If this happened, the attacker could run the modified application on a rooted device to find/download sensitive personal or company data.
We are looking to implement an unauthorized application modification feature in NativeScript. So we can get the best implementation, we would like to solicit your feedback.