4. Mobile application security

The OutSystems low-code platform is purposely designed to meet the demands of mobility. Recognizing the significance of mobile applications in today's enterprise environment, our platform offers dedicated mechanisms and best practices to ensure that your mobile applications align with the latest and most stringent mobile security guidelines.

When it comes to mobile security, the single most important principle to consider is that any mobile device can be compromised. All efforts should, therefore, be focused on keeping your data safe and your secrets secret.

Mobile app security principles supported by OutSystems

Here are a few security principles that are directly supported by OutSystems capabilities:

Two important security checks should be applied to the device itself to make it harder for attackers to gain unauthorized access to your app. First, apps should check whether the device has privileged access as a result of being rooted or jailbroken. Second, the app should check that the device has a security lock mechanism such as a pin, pattern, or passcode. Jailbreak and root protections are a part of the many security protections included in OutSystems AppShield, an add-on bundle that adds even more layers of security to mobile applications.

While consumer apps are distributed by official app stores (iTunes App Store, Google Play), for employee (B2E) applications, this is usually not the case. Instead, these apps are distributed using an enterprise app store where security policies can be implemented to control user access. Mobile app management (MAM) tools, whether standalone or part of an Enterprise Mobility Management (EMM) suite, provide these capabilities and allow their customers to brand their enterprise store apps with their logo and color schemes. OutSystems provides an app that can be easily extended to implement MAM functionality, allowing users to access a catalog of apps that match their user profile and install them on their device.

When a device is stolen or an employee leaves the company, you need to take action. Removing user access is, most of the time, not enough, because the app is still installed on the user's device and data may still be stored locally. You can use the device plugin that is present in every native app created with OutSystems and store the device's UUID to manage the devices and users of your applications. You can also implement safety mechanisms in the application to remove any data stored locally when the device is blacklisted, either because it was reported stolen or because the employee left the company.

If you are using a mobile device management (MDM) or MAM solution, this becomes easier, as most of them include tools for remote app removal and remote data wiping.

Mobile-specific capabilities and plugins

Modern-day cyber threats, including "person-in-the-middle" attacks, repackaged apps, code injections, compromised devices, and lost or stolen devices, weigh heavily on the minds of CISOs.

In response to those threats, OutSystems provides AppShield, a licensed add-on available from the Forge, engineered to protect mobile applications against the most sophisticated, malicious attacks. AppShield lets customers harden the protection of native Android and iOS apps. It automatically adds additional layers of security during deployment to make applications more resistant to intrusion, tampering, and reverse engineering. AppShield integrates with the OutSystems Mobile Apps Build Service and adds app protection both at runtime and at rest.

AppShield is simple to implement, and developers can easily put it in place via drag and drop in the IDE. It does not require any kind of coding expertise and can be activated in a couple of minutes. AppShield replaces external tools that do the same job but could take weeks or months to implement, and it prevents:

  • Compromised devices: Hackers gaining access to unpermitted areas of an app.
  • Repackaging of apps: Infected versions of popular apps that are re-released to the public.
  • Code injection: Introducing malicious code into an app.
  • Lost/stolen devices: Hackers gaining access to sensitive data via lost or stolen devices.

[Figure: app security from development to deployment]

To ensure optimal security for the users of an app, OutSystems offers continuous updates to its AppShield add-on. Additionally, to provide an extra layer of protection, OutSystems highly recommends leveraging a range of supported plugins available in the Forge:

  • SSL Pinning Plugin: Provides an extra layer of security to HTTPS communications to avoid, for example, person-in-the-middle attacks. SSL Pinning works client-side and verifies the server certificate by comparing hashes of public keys that are pre-bundled with the mobile app.
  • Ciphered Local Storage Plugin: Enables you to keep your mobile application's sensitive data safe using a ciphered Local Storage database.
  • Key Store Plugin: Allows your application to securely store secrets such as usernames, passwords, tokens, certificates, or other sensitive information (strings) on iOS and Android phones.