Ionic Mobile App Security Made Easy
This guide walks you through the three areas where your app can protect your users’ data from being compromised: single sign-on, biometric authentication, and data storage. It also explains how Ionic’s mobile app security products can help.
It’s almost impossible to overstate the importance of mobile app security. Every enterprise app needs it in order to protect sensitive data and safeguard users.
And yet despite the need for solid security, keeping up with security requirements can feel like a distraction. Best practices are constantly changing, and there are always new security patches and fixes that need to be maintained. One tiny misstep can have serious consequences for your users. It’s yet one more thing taking focus and time away from your core business. This guide is here to help.
Before you can even identify the best security solutions for your mobile app, you first need to understand what we at Ionic call the security trifecta.
What is the mobile app security trifecta?
There are three areas where your app can protect your users’ data from being compromised. We call them the mobile app security trifecta:
- Single Sign-on (SSO): The one set of credentials that allows your user access to multiple systems or resources
- Biometric Authentication: A process that relies on unique biological characteristics to verify individuals, such as Face ID, Touch ID, and fingerprint scans
- Data Storage: Where and how you store data in your app, from small pieces of data like session tokens to larger amounts like product catalogs.
Modern authentication with Single Sign-On
Storing usernames and passwords in an app is a huge security liability. That’s where a single sign-on server comes in to assist. Users like SSO because they only have to remember one login and IT teams like it because they can easily shut off access should an account become compromised or after the employee leaves the company. A typical workflow for single sign-on, or SSO, might go something like this:
- A user enters their credentials on a device.
- The authentication system verifies the credentials and then issues an access or session token.
- Your mobile app then stores the token (instead of the username and password). Tokens are more secure since they can expire after a specified length of time or be invalidated server-side.
- The app then sends the token to third-party systems/APIs to gain additional access.
Mobile SSO Authentication Best Practices
When you’re implementing a single sign-on workflow, you should keep the following best practices in mind.
1. Pick Modern Authentication Standards
You should choose a more modern protocol like OAuth2.0 or OpenID Connect that will allow you to support access to all of your systems, whether through web apps, mobile apps, or native desktop experiences. Leveraging a modern authentication standard is also great for future proofing, ensuring that adding support for new platforms is much easier. Going with a legacy authentication protocol like OAuth 1.0 or SAML can have limitations and ultimately be less secure.
2. Ensure All Implementations Authenticate Correctly
This probably seems like a given, but it’s important enough to mention. Make sure you consider all implementation steps of authentication—including login, logout, and token refresh. Getting all of these right in a mobile context can be complex. And with so many constant updates, it can be a lot to maintain.
Having mastered one of those implementations doesn’t automatically mean the others are correct. Unfortunately, failing to set up all of these steps in the correct order can leave your app vulnerable to security threats.
3. Use Native System Web View Components
Native system Web View components should be used to implement single sign-on workflows in mobile apps. Built and maintained by Apple and Google, these components enforce compliance and user safety at the system level. To remain secure, you must follow their recommendations, which change regularly depending on the version of iOS or Android. For example, on iOS 11 SFAuthenticationSession is recommended, but on iOS 12 and up, ASWebAuthenticationSession should be used for SSO.
4. Leverage Shared Cookie Storage
If your company has more than one mobile app, or both web and mobile apps, you should leverage shared cookie storage. This means that once a user has signed into App A using SSO credentials and later accesses App B, the same credentials stored on the device from App A are shared automatically with App B. This works across web and mobile apps too. For example, if your user is currently logged into a web app via the Safari web browser on iOS, then your mobile app should automatically log in using those same credentials. This seamless login experience improves the user experience, leading to happier users.
Implementing SSO in hybrid mobile apps
Taking those best practices into consideration, here are four viable single sign-on implementation options for hybrid mobile apps.
- Provider SDKs: If you are running a pure native app, then the single sign-on provider should have some official solutions available.
- Cordova or Capacitor Community Plugins: You can use open-source community plugins for Cordova or Capacitor, but they are not without risks. Since they are maintained by volunteer contributors, they may not always stay up to date with best practices and could have unknown security vulnerabilities.
- Roll-Your-Own Solution: You could develop your own solution by following the OAuth 2.0 or OpenID Connect specifications. However, this approach involves the most work, and given how challenging mobile security can be, it's easy to make a mistake that compromises user data.
Ionic’s Auth Connect
The fourth SSO option is Auth Connect, a single API that works across providers like Auth0, AWS Cognito, Azure, Ping Identity, and Okta. It leverages both native system Web View components for added security and shared cookie storage for an optimal user experience. This is the best solution for enterprise and native apps.
Biometric authentication and token storage
Due to their literal mobility, mobile apps have a unique set of security challenges. They’re different from desktop or even web apps. Users take their mobile devices everywhere. They throw them in their pocket or a bag, and they use their devices in coffee shops or airports.
So, when you allow sensitive data to be accessed and potentially stored on a mobile device, there’s a lot at stake. Whether your app is used for health records, bank statements, or legal documents, there is so much more for developers to consider.
And it’s not just how and where these apps are being used. There's also the potential for a device to be lost or stolen, or for the app to run on a jailbroken device, which leaves it open to a slew of other security vulnerabilities.
But that’s just the world we live in now. Users expect a seamless mobile experience. They want to work offline, pick up where they left off, and be able to access their entire life on the go. It’s up to your app to provide all of that in the most secure way possible.
Biometric mobile Security Best Practices
As you’re building out your app’s security workflows, there are a few best practices you should implement.
1. Encrypt User Authentication Tokens
Although it’s a fairly common practice to store tokens unencrypted in LocalStorage or IndexedDB, it’s a huge security vulnerability since those two storage mechanisms are easily viewable by anyone. It leaves the door open for anyone who gains unauthorized access to the device to easily access your user’s authentication credentials.
Whenever you can, you should leverage Keychain on iOS and KeyStore on Android. Both allow you to securely store a token on a highly specialized, encrypted hardware chip. This way, the token is stored outside of memory and only accessible by an authorized user with biometric authentication.
2. Biometric Authentication
Use biometric authentication whenever possible. Biometric authentication uses features like Face ID, Touch ID, or fingerprint scanning to determine whether a user is authorized to access the app.
3. Background Screen Obfuscation
It’s best to hide your app’s screen while it is running in the background. While the app itself will likely have a mechanism that makes the person log in again after enough time away, that's not enough to safeguard data. If someone who is not the device owner picks up the phone some amount of time after the app has been used then opens the app switcher, they could see potentially sensitive data like bank balances, etc. Implementing background screen obfuscation keeps sensitive data safe.
4. Automatic Session Timeout
When a session token is actively in use by your mobile app, it's held in device memory, which means it's unencrypted. Should the user's device become compromised, the token could be stolen by a malicious actor. Therefore, signing a user out or locking them out after a certain period of inactivity is recommended. It helps protect your app’s data if a user loses their phone with the app left open.
5. React When Biometrics Change
It’s important to put stopgaps in place for when the biometric information changes on a device. This helps protect your app from bad actors who gain access to a device and then update it to steal data. In practice, this means that when a device's biometrics change, your app should automatically invalidate any user authentication tokens managed by the application.
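Practices 4 and 5 above describe two different reactions: inactivity should remove the plaintext token from memory until the user proves their presence again, while a change in enrolled biometrics should invalidate the stored token entirely. The following added example, which is not code from this guide or from Ionic’s Identity Vault, models both as a small session guard with an injectable clock so the behaviour can be exercised without waiting. `MemorySecureStore` is a constructed stand-in for the Keychain or KeyStore, and the biometric prompt result is passed in as a boolean; all names are assumptions.

```javascript
// Constructed stand-in for the platform's protected storage (Keychain on iOS,
// KeyStore on Android). Only the get/set/clear interface matters here.
class MemorySecureStore {
  constructor() { this.items = new Map(); }
  set(key, value) { this.items.set(key, value); }
  get(key) { return this.items.has(key) ? this.items.get(key) : null; }
  clear() { this.items.clear(); }
  size() { return this.items.size; }
}

const TOKEN_KEY = "session-token";

class SessionGuard {
  // idleTimeoutMs: inactivity after which the in-memory token is dropped.
  // now: clock function, injectable for testing.
  constructor({ secureStore, idleTimeoutMs, now = () => Date.now() }) {
    this.store = secureStore;
    this.idleTimeoutMs = idleTimeoutMs;
    this.now = now;
    this.state = "signedOut";   // signedOut | unlocked | locked
    this.token = null;          // plaintext copy exists only while unlocked
    this.lastActivity = 0;
  }

  // Called once SSO has completed: persist the token, keep a working copy.
  signIn(token) {
    this.store.set(TOKEN_KEY, token);
    this.token = token;
    this.state = "unlocked";
    this.lastActivity = this.now();
    return this.state;
  }

  // Record user interaction so the idle clock restarts.
  touch() {
    if (this.state === "unlocked") this.lastActivity = this.now();
  }

  // Called on a timer and on app resume: after inactivity, forget the plaintext
  // token. The encrypted copy stays in protected storage for a later unlock.
  evaluate() {
    if (this.state === "unlocked" && this.now() - this.lastActivity >= this.idleTimeoutMs) {
      this.token = null;
      this.state = "locked";
    }
    return this.state;
  }

  // After the biometric prompt: on success reload the token from protected
  // storage; on failure stay locked. If nothing is stored, fall back to sign-in.
  unlock(biometricSucceeded) {
    if (this.state !== "locked" || !biometricSucceeded) return this.state;
    const stored = this.store.get(TOKEN_KEY);
    if (stored === null) { this.state = "signedOut"; return this.state; }
    this.token = stored;
    this.state = "unlocked";
    this.lastActivity = this.now();
    return this.state;
  }

  // The OS reported a change in enrolled biometrics: treat every stored
  // credential as untrusted and require a fresh SSO login.
  onBiometricsChanged() {
    this.token = null;
    this.store.clear();
    this.state = "signedOut";
    return this.state;
  }

  // What API calls may use right now; null forces the UI to the lock screen.
  accessToken() {
    return this.state === "unlocked" ? this.token : null;
  }
}

module.exports = { MemorySecureStore, SessionGuard, TOKEN_KEY };
```

Two details carry the security point: `evaluate` clears the in-memory copy rather than merely flagging the UI as locked, and `onBiometricsChanged` wipes protected storage as well, so an unlock attempt after that event cannot recover the old token.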
6. Keep Up To Date with Security Guidelines
The thing about mobile app security is that the guidelines for it change often, especially when a major new version of Android or iOS is released. Keeping up with all of those best practices is no easy task, especially if you’re not a native mobile developer or a mobile security expert.
Enter Ionic’s Identity Vault
Identity Vault is an all-in-one identity management system offered by Ionic. It combines all of those biometric authentication possibilities with the best practices and secure token storage features mentioned above. It’s a convenient and easy one-stop solution for all of your mobile app security needs, as many of the best practices, such as background screen obfuscation and session timeout, are handled for you.
The benefits and tradeoffs of all mobile data storage options
The final component of the mobile app security trifecta is data storage, for which there is no shortage of options available. While it’s nice to have plenty of options, figuring out which one is right for your app can be a challenge. Apps are built for different industries, use cases, and audiences, so no two are the same, and the right choice will vary depending on what your app stores and how it is used.
Mobile Data Storage Options
When you’re looking at your storage options, sometimes it’s more helpful to see what they are and what each of them offers you. Below is a quick chart that outlines the pros and cons of the four most common types of storage for apps.
Ionic Secure Storage
Secure Storage is reliable, high-performance storage with military-grade encryption designed for data-driven apps. Since this solution is based on SQLite, it has advanced query support. It also has built-in 256-bit AES encryption. And because it is an officially supported Ionic product, there’s a team working tirelessly to continuously release maintenance updates and new features.
The Ionic Difference
Perfecting your mobile app’s security can be time-consuming and tedious. One minor misstep could leave your app vulnerable and open to attacks.
Using any of the software from the Ionic suite offers you secure solutions that are fully managed by the Ionic team. They’re built and maintained to make sure you always have secure native and web solutions.
Leveraging one or all of Ionic’s solutions enables you to get back to the core of your business. Even if you have native developers on your team, Ionic can free them up to spend more time focusing on native-powered features instead of having them reinvent the wheel of app security.
Ionic is a leader in enterprise app development. Thousands of enterprise customers use Ionic to build mission-critical apps for their customers, both external and internal.