I am working on ensuring security of my company’s product. We have mobile version of the product. This question is for Android version
Background – Our product is a SaaS based product and app is meant to be used by different sales people of tenant organisation. We have implemented different layers of control for ensuring secure (or more like safe) environment for our app –
- We check for root detection – (OS level check)
- Implemented SSL pinning – (Transport layer level check)
- Storing secrets in Android key chain
- Minimal local data storage. Encrypt local data (that needs to be stored)
and list goes on. In short right from the device to communication layer to server layer we are in the process of covering every corner.
Question –
Problem –
The problem is we got one issue reported by one of the security researcher that says that as your app can be downloaded from android play store thus it can run on emulator and on emulator it is possible to bypass root detection. So it adds huge threat and should fixed immediately.
I searched alot but I cannot find security implication that could be possible if app can be installed on the emulator. Also I checked if I might have to fix it, what could be the possible solution. There are checks like looking if running environment is SDK, check if features like camera, or sensors are working but all those checks can be bypassed in emulator also.
It is kind of critical for me because if I accept this issue our client will see it in report and insist on getting it fix. I m running blank for implication that i would have to explain to Management and developer (if I accept) and fix (that might be required later)
Please provide your inputs