How come root and jailbreak detection is not under the best practises categories?

references:

• http://nshipster.com/nssecurecoding/
• http://mjtsai.com/blog/2015/11/08/the-java-deserialization-bug-and-nssecurecoding/

(update w/ more refs later)

PermissionsDispatcher is an awesome tool for managing Android Runtime Permissions in apps via Java annotations/decorators.

mentioned it here for the secure dev talk... https://www.nowsecure.com/blog/2016/08/24/android-buckles-ios-opens-trends-platform-security-affecting-developers/

In "Code Complexity and Obfuscation" you provide links to a few obfuscation tools. I work for PreEmptive Solutions and we have forked two of those products (iOS Class Guard and LLVM-Obfuscator), and we also provide tools for other platforms (Dotfuscator for .NET and DashO for Java).

In the specific case of iOS Class Guard, our fork (called PPiOS-Rename) is meant to provide support for newer versions of Xcode that they don't seem to be supporting - and we significantly improved the product overall. Our fork is open-source and free, so you might want to link to it instead of (or in addition to) iOS Class Guard.

Our fork of LLVM-Obfuscator (called PPiOS-ControlFlow) is not open-source (or free), but it also brings support up to date with the latest Xcode, and provides enhancements/improvements.

On the .NET platform, Dotfuscator has a Community Edition that is included "in the box" with Visual Studio, and is free. For someone looking for a free solution on that platform, you might want to link to it, also.

Finally, since you link to DexGuard, I thought you might also want to link to DashO.

If you're open to these changes, I'd be happy to create a pull request for them; I thought it best to check if you want them, first.

Thanks! (And thanks for the great guide!)

There is room for some additions to the Touch ID section for iOS.
There are ACL policies which can be used for example to delete the keychain entries if the fingerprint enrolment data on device changes. This can be ideal for example to delete data if another finger has been enrolled since the data was stored. Applications may wish to ask the user to re-authenticate via alternative means, before creating the keychain entry back up again.

If i find time i might submit a pull

Explain various obfuscations in detail:

• obfuscate code (antidisasm tricks)
• obfuscate data (strings, files)
• obfuscate metadata (objc, symbols)

Expose the decompilation information on every language (java, js, objc, swift, C, ..)

• swift is not as introspectable as objc

Anti-debug techniques

• restricting debuggers or making debugging complicate have nothing to do with code complexity or obfuscation
• explain how to use the PT_DENY_ATTACH and android:debuggable=false with code

Control flow validation

• flow integrity - verify the workflow is the expected on every function (where do i come from?)
• white box security
• I dont think compiler optimizations should be listed as a way to protect code logic

Anti-RE techniques:

• renaming symbols with wrong or invalid names
• depending on the compiler the final binary can have more than one symbol table
• always verify the resulting binary with strings | grep... (at least)
• i dont think the DRM applied by FairPlay can be in any way a security measure to care because there are several tools (appcake, clutch, r2, dumpdecrypted, ...) to automate this cracking into a single press-enter

https://www.owasp.org/index.php/Mobile_Top_10_2016-Top_10

in https://github.com/nowsecure/secure-mobile-development/blob/master/README.md#using-this-guide

https://www.nowsecure.com/resources/secure-development/primer/

https://github.com/datatheorem/TrustKit

A snapshot is not a screenshot. The document should describe the steps required to add a blurry layer when multitasking or so

https://github.com/commonsguy/cwac-netsecurity

CWAC-NetSecurity backports the Android 7.0 network security configuration subsystem going back to API level 17 (Android 4.2) making it easier to tie an app to particular certificate authorities or certificates, support self-signed certificates, and handle other advanced SSL certificate scenarios.