Secure Android Apps

Application Sandboxing,

Protection against buffer and overflow attacks are some of the security features that an android operating system has, so the simple android apps that do not perform any file system or networking operations can be considered secure by default. As for complex android apps, it is the developer’s and the user’s responsibility to make it secure and protect the privacy of the users.

Note: Application Sandboxing is an approach to software development and Mobile Application Management(MAM) that limts the environments in which certain code can execute. It is also called as Application Containerization.

Some of the best practices to secure android apps are:

• To Store Sensitive Data Use the Internal Storage:

Every android app has an internal storage directory whose path is based on the package name of the app. They use Mode_Private to secure files inside this directory. This means that the files in an app cannot be accessed by any other app or device. getFilesDir( ) method is used to ascertain the absolute path of the app’s internal storage directory. Once you know its path, referencing files inside it is simple as referencing files inside any other directory.

• Store Encrypted Data in External Storage  :

There is limited internal storage in an android app. So at times it is better to store sensitive data on external storage media such as removable SD card. As the data in such external storage media can be directly accessed by both users and other apps on the device, thus it is important to store such data in encrypted format. One of the most popular encryption algorithm used is AES, Advanced Encryption Standard with a key size of 256 bits.

• IPC with Intent’s Process:

Note: IPC means Inter Process Communication

Sockets, named Pipes are used by the programmers of android to communicate with other apps on android. Easier and secure approach to IPC is to use the intents. To send specific data to the component of an app, the developers must create a new instance of intent class and use its setComponent( ) method to specify both the package and the name of the app. Then they can add data using putExtra( ) method.

• Use HTTPs:

HTTPS (preferably HttpsURLConnection) is used to communicate between the android app and their servers. The network traffic will be secured as the server is configured with a certificate issued by trusted certificate such as Digicert or GlobalSign. The network traffic should be secured against eavesdropping and man-in-the-middle attacks.

• Use GCM instead of SMS:

SMS Protocol is neither encrypted nor safe against spoofing attacks. SMS can be read by any app in the user’s device with a Read_SMS permission. GCM is lot more secure than SMS to push messages to an app as the communications are encrypted. They are authenticated using refreshed registration tokens on client side and a unique API key on the server side.

Note: GCM, Google Cloud Messaging

• Personal Data is Avoided:

A better approach to user identification and user profile information look up on android is through Google Identity Platform. This platform allows the user to quickly sign into the app using their Google account and thus, the app can easily access the user details like username, email address, contacts, profile photo etc. To handle the credentials by the user itself, they are recommended to store and transmit them in the form of secure hashes. The way to generate different types of hashes using Android SDK is by using MessageDigest class.

• User Input are Validated:

User inputs don not leads to buffer overruns in the android device. To avoid making the data vulnerable into SOL injection attacks, developer should allow the users to interact with SQLite database, thus developer must either sanitize user input or make use of parameterized queries.

• ProGuards are Used Before Publishing :

To secure source code, the developers should make use of a tool called ProGuard which is in android SDK before publishing the app. The default ProGuard configuration publishing in Android SDK’s proguard.android.txt file is sufficient for most apps. If the developer want to add custom rule to configuration, they can do so inside a file named proguard-rules.pro which is a part of Android Studio Project.