Mobile application security
Mobile apps introduce new threat vectors and often work as a gateway for attackers. That’s why mobile apps security should mitigate specific risks & threats, and be aligned with the security of backend infrastructure.
Mobile platform landscape is constantly changing: Apple and Google introduce new privacy & security requirements, and the dev community moves from framework to framework (React Native, Dart / Flutter, Xamarin). Securing mobile apps is a process of befriending security measures with smooth user experience.
Challenges that require mobile app security
//
New platform-specific risks
Mature enterprises, when deciding to build mobile apps for their users or employees, face lack of experience: because mobile apps introduce new risks, tech stack, requirements and particular security measures.
//
Apps are threat vectors
The most targeted apps work with sensitive data (documents, PII), IP (ML models, algorithms), financial and medical data, or provide an interface to control real-life objects (from cars to smart light bulbs).
//
Mobile app security == company security
Mobile-first products usually concentrate their UVP in mobile apps. Thus mobile app security becomes “the whole product” security and even “the whole company” security.
//
Popularity brings security issues
Popularity makes apps the attractive target for curious and malicious users: API misuse, creating malicious app clones, cracking apps and distributing cracked versions.
Modern solutions
End-to-end encryption apps
End-to-end encryption comes handy when developers don’t want to have access to users’ data at all. Encrypt data on application side per user, send and store encrypted, decrypt only for target user. E2EE flows can be very simple for single-user apps, and quite complicated for data collaboration platforms.
Privacy-first apps
Developers consciously decide to gather, process and store as little data as possible. Often privacy-first apps use end-to-end encryption, but it’s not necessary.
Defense-in-depth
Not every app needs E2EE. It’s possible to create a privacy-respectful and secure app by combining typical security measures: protecting stored data, protecting API, using strong authentication, protecting and obfuscating app code.
What we offer
Themis
A cross-platform cryptographic library for mobile, web, and server platforms, which solves 90% of typical data protection use cases that are common for most apps. Themis helps to integrate application level encryption fast and easy.
Read more
Acra
Acra offers a selective and searchable encryption which is easy-to-integrate in already-built infrastructures. Acra provides client-side SDKs for building end-to-end or partially encrypted data flows on mobile apps.
Read more
E2EE for any apps
We design, implement and verify end-to-end encryption & key management flows for multi-platform apps. Against common belief, applications can benefit from e2ee and still provide smooth and fast UX. Our encryption engines are easy to understand, maintain and update.
Read more
Security layers for complex use cases
We build data security layers for complicated use cases: encrypted CRDT-based data collaboration, multi-device & multi-user synchronisation, DRM-like protections for TensorFlow ML models, UX-friendly security for apps that work on millions of devices.
SSDLC
We assess the security posture of your application and suggest a plan on how to improve security without hurting app releases. We help to prioritise security features, find appropriate automation tools, and always be in sync with the latest OWASP guidelines, Apple / Google requirements and country-wide regulations.
Auditing and reviewing
We perform security audits and design reviews of existing implementations, how your apps protect sensitive data in storage and in transit, perform authentication, protect API, attest devices, and so on.
Have a question? Get a human to answer it!
Business impact
Security that doesn’t ruin UI/UX
Security features are integrated into your app flow to stop curious users and attackers but not affect legitimate users.
Mobile dev team works on features
We gently educate and push developers to the "secure side", shifting security left, maintaining security docs and reports while they are busy with app releases.
Peace of mind
Security-aware apps satisfy privacy regulations, decrease chances of security incidents and data leaks, de-risk due diligence process, and ensure your users that their data is protected.
Applied experience
We make sure that implemented security measures follow a defense in depth approach, are designed efficiently, appropriate to your risks, and fit well with the application architecture.
For innovators, by innovators
We've started Cossack Labs to develop new tools and methods for protecting the data and enabling novel solutions to emerging problems — so that at the edge of your innovation, you’ve already got fitting tools handy.
Contact us
There are many ways we can help: with our products, bespoke solutions, and engineering services. Leave your contact information to connect with our team:
Relevant resources
TLS validation: implement OCSP and CRL verifiers in Go
Most applications use TLS for data-in-transit encryption and every programming language has a TLS support in its ecosystem. TLS was introduced in 1999 based on SSL 3.0. It's quite an old...
Crypto wallets security as seen by security engineers
What can go wrong when you develop a “secure” crypto wallet? How to eliminate typical security mistakes and build a secure app with multilayered data protection against mnemonics leakage...
