From 95dd6e5147396cc6fa174d853e6eef99293c750d Mon Sep 17 00:00:00 2001 From: Ana Polo Date: Wed, 11 Dec 2024 17:03:28 +0100 Subject: [PATCH] docs: add a callout --- src/content/docs/security/security_in_mobile_apps.mdx | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/src/content/docs/security/security_in_mobile_apps.mdx b/src/content/docs/security/security_in_mobile_apps.mdx index 16f656f..24b164c 100644 --- a/src/content/docs/security/security_in_mobile_apps.mdx +++ b/src/content/docs/security/security_in_mobile_apps.mdx @@ -81,6 +81,7 @@ Use Firebase Authentication for a more secure authentication system. You can fin - [Firebase Authentication](https://firebase.google.com/docs/auth) Here you have another interesting article that talks about authentication in Flutter. + - [Flutter authentication with Auth0](https://developer.auth0.com/resources/guides/mobile/flutter/basic-authentication/) More information on _M1: Improper Credential Usage_ [here.](https://owasp.org/www-project-mobile-top-10/2023-risks/m1-improper-credential-usage.html) 
@@ -217,6 +218,12 @@ There are tools like AWS Secrets Manager and Google Cloud Secret Manager that he - [AWS Secrets Manager video](https://www.youtube.com/watch?v=-9nOyaM3kZk&t=26s) - [Google Cloud Secret Manager](https://cloud.google.com/secret-manager) +> ❗️**Take into account** + +> Tools like **FreeRASP** and **obfuscation** techniques improve application security, they can't guarantee complete protection against cyberattacks. API keys and secrets stored on the client side are always vulnerable to extraction through reverse engineering, among other techniques. + +> One possible solution for increased security would be to implement a custom backend as it would protect these sensitive keys. This backend would handle API calls securely, keeping secrets hidden from the client. + More information on _M7: Insufficient Binary Protection_ [here.](https://owasp.org/www-project-mobile-top-10/2023-risks/m7-insufficient-binary-protection.html) - **M8: Security Misconfiguration**: security misconfiguration occurs when mobile apps have improperly configured security settings, permissions, or controls, leading to vulnerabilities and unauthorized access. Threat agents, such as attackers with physical device access or malicious apps, exploit these weaknesses to access sensitive data or execute unauthorized actions within the vulnerable app's context. Proper configuration is crucial to mitigate these risks.
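Review bot: In the first hunk (the `@@ -81,6 +81,7 @@` region), the added blank line is what makes MDX render `- [Flutter authentication with Auth0](...)` as a list item instead of folding it into the preceding paragraph, which matches how the `- [Firebase Authentication](...)` item above it is laid out. While touching this spot, the unchanged intro line "Here you have another interesting article that talks about authentication in Flutter." reads awkwardly next to the other link intros; "Another article on authentication in Flutter:" would be shorter and parallel to the surrounding list intros.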
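Review bot: In the second hunk (the `@@ -217,6 +218,12 @@` region), the empty `+` lines between the three `+>` lines split the callout into three separate blockquotes, so the ❗️ heading, the caveat and the recommendation render as three disconnected boxes; keep them in one blockquote by making the separator lines `+>` rather than empty. The second quoted line is also a comma splice and drops the contrast the sentence needs: "Tools like **FreeRASP** and **obfuscation** techniques improve application security, they can't guarantee complete protection" should read "While tools like **FreeRASP** and **obfuscation** techniques improve application security, they can't guarantee complete protection". On substance, the third quoted line says a custom backend "would protect these sensitive keys" and "would handle API calls securely", but moving the keys server-side only helps if that backend authenticates and authorizes its callers; otherwise it becomes an open proxy that exposes the same third-party capability the key did. One sentence pointing back to the Firebase Authentication guidance earlier on this page (the backend should only serve authenticated users) would close that gap.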