Mobatia

HOW TO SECURE ANDROID APPS

The Android operating system includes several security features, such as application sandboxing and protection against buffer and overflow attacks. Simple Android apps that do not engage in file system or networking operations are generally considered secure by default. However, for more complex Android apps, ensuring security and protecting user privacy is the responsibility of both the developer and the user.

**Note** Application Sandboxing, also known as Application Containerization, is a software development approach and Mobile Application Management (MAM) strategy that restricts the environments in which certain code can execute.

Some of the best practices to secure android apps are:

To Store Sensitive Data Use the Internal Storage:

Every Android app has an internal storage directory with a path based on the app’s package name. Files within this directory are secured using MODE_PRIVATE, meaning that they cannot be accessed by other apps or devices. The getFilesDir() method is used to obtain the absolute path of the app’s internal storage directory. Once the path is known, referencing files within it is as straightforward as referencing files in any other directory.

Store Encrypted Data in External Storage  :

Due to the limited internal storage available in Android apps, it may be advantageous to store sensitive data on external storage media, such as removable SD cards. However, since data on external storage can be accessed directly by both users and other apps, it is crucial to encrypt this data. One commonly used encryption algorithm for this purpose is AES (Advanced Encryption Standard) with a key size of 256 bits.

  • IPC with Intent’s Process:
  • Note: IPC means Inter Process Communication
  • In Android development, sockets and named pipes are used for inter-process communication (IPC) between apps. However, a more straightforward and secure approach is to use intents. To send specific data to a component of an app, developers create a new instance of the Intent class and use its setComponent() method to specify the package and component name of the target app. They can then add data using the putExtra() method.

Use HTTPs:

HTTPS (preferably HttpsURLConnection) is used to communicate between the android app and their servers. The network traffic will be secured as the server is configured with a certificate issued by trusted certificate such as Digicert or GlobalSign. The network traffic should be secured against eavesdropping and man-in-the-middle attacks.

  • Use GCM instead of SMS:
  • The SMS protocol lacks encryption and is vulnerable to spoofing attacks. SMS messages can be accessed by any app with the READ_SMS permission on the user’s device. In contrast, Google Cloud Messaging (GCM) offers a more secure alternative for pushing messages to an app. GCM communications are encrypted and authenticated using refreshed registration tokens on the client side and a unique API key on the server side.

Note: GCM, Google Cloud Messaging

  • Personal Data is Avoided:
  • A more effective approach for user identification and profile information lookup on Android is through the Google Identity Platform. This platform allows users to quickly sign into an app using their Google account, granting the app access to user details such as username, email address, contacts, and profile photo.
  • To manage user credentials securely, it is recommended to store and transmit them as secure hashes. The Android SDK provides the MessageDigest class for generating various types of hashes.

User Input are Validated:

User inputs do not typically lead to buffer overruns on Android devices. To protect against SQL injection attacks, developers should allow users to interact with SQLite databases securely. This can be achieved by either sanitizing user input or using parameterized queries, which help prevent malicious SQL code from being executed.

ProGuards are Used Before Publishing :

  • To secure source code before publishing an app, developers should use a tool called ProGuard, which is included in the Android SDK. The default ProGuard configuration provided in the proguard-android.txt file is typically sufficient for most apps. If developers need to add custom rules, they can do so in a file named proguard-rules.pro, which is part of the Android Studio project.

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top