As part of risk assessment for ISO 27001, the question was asked: "Does the development of the Software Application follow Secure Engineering Techniques?"
This identifies a risk of tampering and hacking of the phone app.
Control
To control this risk, we must investigate and adopt some techniques from the general principles of Secure Engineering Techniques.
Some of these requests have been added in Pull Request #16.
Some of the newly implemented features are currently disabled because they would hinder development.
Additions:
Adds ability for app to check if it is running on an emulator.
Adds ability for app to check if the MD5 sum of the certificate it was signed with matches the relevant credentials (I think it would be a good idea to have this valid MD5 hash not stored on the device but to do a POST to the backend with the MD5 the app received and let the backend verify it with its local copy and return true/false depending on the outcome.)
Adds ability for app to check if it is running in debuggable mode.
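The three checks listed above, written out as an added example (this is not the code from Pull Request #16 or any other part of the project). It reads the APK signing certificate through the Android PackageManager, hashes it, and hands the hash to the backend for a yes/no answer, which is the design the comment proposes. Assumptions: the class and method names are the example's own, the backend endpoint path and JSON body are made up, and SHA-256 is used in place of the MD5 the comment mentions (MD5 collisions are cheap, and the certificate DER bytes are under the signer's control).

```java
// AppIntegrityChecks.java -- added example, not project code.
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.os.Build;

import java.io.IOException;
import java.io.OutputStream;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.net.ssl.HttpsURLConnection;

public final class AppIntegrityChecks {

    private AppIntegrityChecks() {}

    /** True when the APK was built with android:debuggable="true". */
    public static boolean isDebuggable(Context ctx) {
        return (ctx.getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE) != 0;
    }

    /**
     * Heuristic emulator detection from Build properties. These are the values the
     * stock SDK emulator reports; they are a signal, not proof, since a modified
     * image can report anything.
     */
    public static boolean isProbablyEmulator() {
        return Build.FINGERPRINT.startsWith("generic")
                || Build.FINGERPRINT.startsWith("unknown")
                || Build.HARDWARE.contains("goldfish")
                || Build.HARDWARE.contains("ranchu")
                || Build.MODEL.contains("google_sdk")
                || Build.MODEL.contains("Emulator")
                || Build.MODEL.contains("Android SDK built for x86")
                || Build.PRODUCT.contains("sdk_gphone")
                || Build.PRODUCT.contains("emulator");
    }

    /** Hex SHA-256 of the APK's first signing certificate (DER bytes). */
    public static String signingCertSha256Hex(Context ctx) throws Exception {
        PackageManager pm = ctx.getPackageManager();
        Signature[] sigs;
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
            PackageInfo pi = pm.getPackageInfo(ctx.getPackageName(),
                    PackageManager.GET_SIGNING_CERTIFICATES);
            sigs = pi.signingInfo.getApkContentsSigners();
        } else {
            @SuppressWarnings("deprecation")
            PackageInfo pi = pm.getPackageInfo(ctx.getPackageName(),
                    PackageManager.GET_SIGNATURES);
            sigs = pi.signatures;
        }
        if (sigs == null || sigs.length == 0) {
            throw new IllegalStateException("APK has no signing certificate");
        }
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(sigs[0].toByteArray());
        StringBuilder hex = new StringBuilder(digest.length * 2);
        for (byte b : digest) hex.append(String.format("%02x", b));
        return hex.toString();
    }

    /**
     * POSTs the digest to the backend and trusts its answer, so the reference
     * value never ships inside the APK. Endpoint path and JSON shape are
     * assumptions for this example; the digest is hex, so no JSON escaping is needed.
     */
    public static boolean verifyWithBackend(URL endpoint, String digestHex) throws IOException {
        HttpsURLConnection c = (HttpsURLConnection) endpoint.openConnection();
        c.setRequestMethod("POST");
        c.setDoOutput(true);
        c.setRequestProperty("Content-Type", "application/json");
        byte[] body = ("{\"signerSha256\":\"" + digestHex + "\"}").getBytes(StandardCharsets.UTF_8);
        try (OutputStream os = c.getOutputStream()) {
            os.write(body);
        }
        // Backend answers 200 only when the digest matches its local copy.
        return c.getResponseCode() == 200;
    }

    /** Runs all three checks at startup; false means the app should refuse to proceed. */
    public static boolean startupChecksPass(Context ctx, URL verifyEndpoint) {
        try {
            if (isDebuggable(ctx) || isProbablyEmulator()) return false;
            return verifyWithBackend(verifyEndpoint, signingCertSha256Hex(ctx));
        } catch (Exception e) {
            return false; // fail closed on any error
        }
    }
}
```

Two points worth keeping in mind when wiring this in. First, `MessageDigest.isEqual` should be used if the comparison is ever done on the device instead of the backend, so the check does not leak timing. Second, all three checks run inside the APK, so an attacker who can repackage the app can also remove them; moving the reference hash to the backend keeps the expected value out of the binary but does not change that, which is why the backend should also treat a failed or missing check as a signal in its own logs rather than relying on the client alone.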
This site lists several things we should do:
This site also lists several techniques for guarding the app. These may need server changes.