Network Security & Encryption
Critical security techniques for secure network communication and data protection in mobile applications.
Transport Layer Security (TLS)
TLS Configuration
- Modern TLS Versions:
- TLS 1.3 requirement for enhanced security
- Backward compatibility considerations
- Cipher suite optimization
- Certificate Management:
- Certificate pinning implementation
- Certificate validation
- Fallback strategies
- Perfect Forward Secrecy:
- Ephemeral key exchange
- Session security isolation
- Long-term key protection
Platform-Specific Security
Android Network Security Config
xml
<!-- Android Network Security Config -->
<network-security-config>
<domain-config>
<domain includeSubdomains="true">api.example.com</domain>
<pin-set>
<pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
<pin digest="SHA-256">BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=</pin>
</pin-set>
</domain-config>
<base-config cleartextTrafficPermitted="false">
<trust-anchors>
<certificates src="system"/>
</trust-anchors>
</base-config>
</network-security-config>iOS App Transport Security
swift
// iOS TLS Implementation
class SecureNetworkManager {
private lazy var session: URLSession = {
let config = URLSessionConfiguration.default
config.tlsMinimumSupportedProtocolVersion = .TLSv12
config.tlsMaximumSupportedProtocolVersion = .TLSv13
return URLSession(
configuration: config,
delegate: self,
delegateQueue: nil
)
}()
}
extension SecureNetworkManager: URLSessionDelegate {
func urlSession(
_ session: URLSession,
didReceive challenge: URLAuthenticationChallenge,
completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void
) {
// Certificate pinning implementation
guard let serverTrust = challenge.protectionSpace.serverTrust,
let serverCertificate = SecTrustGetCertificateAtIndex(serverTrust, 0) else {
completionHandler(.cancelAuthenticationChallenge, nil)
return
}
let serverCertData = SecCertificateCopyData(serverCertificate)
let serverCertHash = sha256(data: CFDataGetBytePtr(serverCertData))
if pinnedHashes.contains(serverCertHash) {
completionHandler(.useCredential, URLCredential(trust: serverTrust))
} else {
completionHandler(.cancelAuthenticationChallenge, nil)
}
}
}Flutter Certificate Verification
dart
// Flutter TLS Configuration
class SecureHttpClient {
static HttpClient createSecureClient() {
final client = HttpClient();
client.badCertificateCallback = (cert, host, port) {
// Custom certificate validation
return validateCertificate(cert, host, port);
};
return client;
}
static bool validateCertificate(X509Certificate cert, String host, int port) {
// Certificate pinning logic
final certHash = sha256.convert(cert.der).toString();
return pinnedCertificates.contains(certHash);
}
}Data Encryption
At-Rest Encryption
- Secure Storage Implementation:
- Encrypted SharedPreferences (Android)
- Keychain Services (iOS)
- Flutter Secure Storage
- Key Management:
- Hardware security modules
- Biometric key protection
- Key rotation strategies
- Data Classification:
- Sensitive data identification
- Encryption level determination
- Storage location decisions
In-Transit Encryption
- End-to-End Encryption:
- Message-level encryption
- Key exchange protocols
- Forward secrecy implementation
- Secure WebSocket:
- WSS protocol usage
- Custom encryption layers
- Real-time communication security
- Encrypted API Communication:
- Request/response encryption
- JWT token security
- API key protection
Security Best Practices
API Security
- Token-Based Authentication:
- JWT implementation
- Token refresh mechanisms
- Secure token storage
- OAuth 2.0 Implementation:
- Authorization code flow
- PKCE extension
- Scope management
- API Key Management:
- Secure key distribution
- Key rotation
- Environment-specific keys
Data Protection
- Sensitive Data Handling:
- PII data encryption
- Data minimization
- Secure transmission
- Secure Key Storage:
- Platform-specific secure storage
- Hardware-backed keystores
- Biometric protection
- Memory Protection:
- Sensitive data cleanup
- Memory dump protection
- Anti-debugging measures
Advanced Security Techniques
Certificate Pinning Implementation
kotlin
// Android Certificate Pinning with OkHttp
class CertificatePinner {
companion object {
fun create(): CertificatePinning {
return CertificatePinning.Builder()
.add("api.example.com", "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=")
.add("api.example.com", "sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=")
.build()
}
}
}
val okHttpClient = OkHttpClient.Builder()
.certificatePinner(CertificatePinner.create())
.build()Secure Communication Patterns
- Message Authentication:
- HMAC verification
- Digital signatures
- Integrity checking
- Replay Attack Prevention:
- Timestamp validation
- Nonce usage
- Sequence numbers
- Man-in-the-Middle Protection:
- Certificate validation
- Public key pinning
- Certificate transparency
Security Monitoring
Threat Detection
- Network Anomaly Detection:
- Unusual traffic patterns
- Suspicious endpoints
- Certificate changes
- Security Event Logging:
- Authentication failures
- Certificate validation errors
- Encryption failures
Compliance & Standards
- GDPR Compliance:
- Data protection requirements
- User consent management
- Data portability
- Industry Standards:
- OWASP Mobile Top 10
- NIST cybersecurity framework
- ISO 27001 alignment
Security Testing
- Penetration Testing:
- Network layer attacks
- Certificate validation testing
- Encryption strength testing
- Security Auditing:
- Code security reviews
- Dependency vulnerability scanning
- Configuration validation