Cybreach Consulting Prendre RDV
Back to articles
Vulnerabilities

Mobile security: local storage, APK signatures, ATS and root detection

Mobile applications share many vulnerabilities with web applications but present additional attack surfaces. The attacker can download the APK or IPA, decompile it to analyse the code, instrument execution, modify the binary, and test on a rooted or jailbroken device. The threat model is different: the user themselves may be the attacker.

Insecure local storage

Applications sometimes store sensitive data in plaintext in locations accessible on a rooted device. On Android: unencrypted SharedPreferences (accessible to root), unencrypted SQLite databases, files in external storage (/sdcard/, accessible to all apps with permission). On iOS: unencrypted files in the sandbox (accessible via iTunes Backup), NSUserDefaults containing tokens.

Solution: use Android Keystore or iOS Keychain for sensitive data (tokens, keys). Don't store passwords or session tokens in plaintext. Encrypt SQLite databases (SQLCipher).

App Transport Security (iOS)

App Transport Security (ATS) is the iOS policy that enforces HTTPS connections with strict TLS parameters. Exceptions in Info.plist can weaken this protection. NSAllowsArbitraryLoads: true entirely disables ATS for the application, allowing unencrypted HTTP connections. Per-domain exceptions (NSExceptionDomains) can also disable certificate verification.

APK signing and binary protection

APK signing guarantees the application's integrity and authenticity. Android supports schemes v1, v2, v3, and v4. Scheme v1 alone is insufficient (vulnerable to the Janus attack). The application must be signed with at minimum v2. Binary protection (obfuscation, anti-decompilation) slows analysis by an attacker but doesn't replace a secure architecture: secrets must not be in the binary.

Root and jailbreak detection

Rooted (Android) or jailbroken (iOS) devices allow bypassing sandbox protections, reading application files, and intercepting communications. Detecting these states allows alerting the user or blocking certain sensitive features. Detection techniques include checking for specific files (/bin/su, /Applications/Cydia.app), checking write permissions outside the sandbox, and detecting instrumentation frameworks (Frida, Xposed).

Exported Android broadcast receivers

Android components (activities, services, broadcast receivers) declared with exported=true are accessible to other applications. An exported broadcast receiver that handles sensitive actions can be invoked by a malicious application installed on the same device. Verify that all exported components are either protected by a permission or designed to handle non-sensitive data.

Background screenshots

iOS and Android capture a screenshot of the application when it goes to background, for display in the task manager. If the screen shows sensitive data (bank balance, medical information, tokens), this screenshot can be accessed on a rooted device. The solution: clear or obscure the screen before going to background.

A question after reading?

Want to audit your mobile application? Send a message.

Or book a 30-minute scoping call directly

Book a call