Creating A Secure Android App


The Android operating system has lots of built-in security features, such as application sandboxing, protection against buffer and integer overflow attacks, and segregated memory areas for program instructions and data. As a result, simple Android apps that don’t perform any file system or networking operations can often be considered secure by default.

If you are developing a more complex app, however, you are responsible for making it secure and for making sure that the privacy of your users is not compromised.

Many Android app vulnerabilities stem from data leakage, lax permission settings and insufficient encryption. Here are a few practical tips that you can apply to your apps to protect your users' data and prevent your app from being reverse engineered:

Personal Data

The bottom line is to avoid storing user data in your app unless it is imperative to do so. You can easily deploy secure third-party solutions to handle user authentication instead. A popular approach is authentication through social media accounts, such as the Google Identity Platform, which handles app authentication through a user's Google Plus account. Free services such as Firebase also handle authentication for you by letting users register or log in to your app with their Facebook, Twitter, G+ etc. accounts.

If you wish to handle and store users' personal data, for say email harvesting, it is recommended that you store it in the form of secure hashes. The Android SDK provides this through the MessageDigest class. You can create a SHA-256 hash of a text string in your app with the following code:

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
MessageDigest md = MessageDigest.getInstance("SHA-256"); // may throw NoSuchAlgorithmException
byte[] sha256Hash = md.digest("User Input".getBytes(StandardCharsets.UTF_8)); // 32-byte raw digest

Preventing SQL Injections

A SQL injection attack is one where a malicious piece of SQL is supplied through the parts of your app that accept dynamic user input, say a login/registration screen. The intent is usually either to destroy the database or to dump its contents. To counter this type of attack it is important to ensure that such user input forms are regularly flushed and that query fields have specific constraints set, such as a fixed input length, alphanumeric input only, etc.
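As an added example (not code from the original post), the following contrasts a lookup built by string concatenation with one that applies the length and alphanumeric constraints described above and then passes the value to Android's SQLiteDatabase as a bound parameter. The table and column names are assumptions.

```java
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;
import java.util.regex.Pattern;

public final class UserLookup {
    // Constructed constraint: user names are 3 to 32 alphanumeric characters.
    private static final Pattern USERNAME = Pattern.compile("^[A-Za-z0-9]{3,32}$");

    // VULNERABLE: the user-controlled value becomes part of the SQL text, so a
    // quote character in the value ends the string literal and whatever follows
    // is parsed as SQL by SQLite.
    static Cursor findUserUnsafe(SQLiteDatabase db, String username) {
        return db.rawQuery(
                "SELECT id, email FROM users WHERE name = '" + username + "'", null);
    }

    // HARDENED: reject anything outside the expected shape, then bind the value
    // through selectionArgs so SQLite treats it strictly as data.
    static Cursor findUser(SQLiteDatabase db, String username) {
        if (username == null || !USERNAME.matcher(username).matches()) {
            throw new IllegalArgumentException(
                    "username must be 3-32 alphanumeric characters");
        }
        return db.query("users", new String[] {"id", "email"},
                "name = ?", new String[] {username},
                null, null, null);
    }
}
```

Binding through selectionArgs is what removes the injection; the regular-expression check is defence in depth that also enforces the fixed-length, alphanumeric rule from the text.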

Connection Security

It is advisable that all connections between your app and your servers are made over HTTPS, especially where user data is transmitted, as your users may be connecting through open WiFi hotspots, which makes your app and your users' data more vulnerable and increases the likelihood of a 'Man-In-The-Middle' attack (where an attacker interposes itself and relays the network communication between two parties).
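An added example, not from the original post, of a small helper that refuses anything other than an https:// URL before opening an HttpsURLConnection, so a misconfigured endpoint cannot silently fall back to cleartext. The class and method names are assumptions.

```java
import java.io.IOException;
import java.net.URL;
import javax.net.ssl.HttpsURLConnection;

public final class SecureHttp {
    private static final int TIMEOUT_MS = 10_000;

    // Opens a connection only if the URL scheme is https; any other scheme is
    // refused rather than sent in cleartext over whatever network the user is on.
    public static HttpsURLConnection open(String url) throws IOException {
        URL target = new URL(url);
        if (!"https".equalsIgnoreCase(target.getProtocol())) {
            throw new IOException("refusing cleartext connection to " + target.getHost());
        }
        HttpsURLConnection conn = (HttpsURLConnection) target.openConnection();
        // Keep the platform's default HostnameVerifier and TrustManager: replacing
        // them with permissive versions is what reintroduces the MITM risk.
        // Handle redirects explicitly in the caller so a redirect to an http://
        // address can never downgrade the connection.
        conn.setInstanceFollowRedirects(false);
        conn.setConnectTimeout(TIMEOUT_MS);
        conn.setReadTimeout(TIMEOUT_MS);
        return conn;
    }
}
```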

Data Storage

With many apps, data storage can be secured with minimal effort. This is because every Android app is, by default, given an internal directory named after the app's package name, and files created in this directory and its subdirectories are set to MODE_PRIVATE, which means other apps on the device cannot access them. It therefore makes sense to store user data in the app's internal directory.

However, a downside to this strategy is that internal storage is limited in size, which means sensitive data may need to be stored on external storage media and will therefore have to be encrypted. This can be achieved with the javax.crypto package, which is part of Android's SDK library, or with third-party encryption libraries.

The .manifest Files and User Permissions

Finally, it is imperative that stringent permissions are set for your app or you run the risk of it being compromised. Android app permissions are declared in the app's manifest file (AndroidManifest.xml). The manifest also controls other important aspects of the app, such as the actions it can perform, so it is imperative that security measures such as the following are put in place, as an attacker will usually examine the manifest first:

Debug Mode

This is usually flagged as 'true' during pre-production for quality assurance testing, so you need to ensure it is set to false before the app goes live.

The Backup Flag

This setting defines whether application data can be backed up and restored by a user who has enabled USB debugging. Applications that handle and store sensitive information such as card details, passwords, etc. should therefore have this setting set to false to prevent such risks.

Permissions

The android:protectionLevel attribute defines the procedure the system follows before granting the permission to the application that requested it. There are four values that can be used with this attribute:

  • normal
  • dangerous
  • signature
  • signatureOrSystem

All the permissions that the application requests should be reviewed to ensure that they don't introduce a security risk.

Application Actions

Depending on its functionality, an application can launch a service, perform an activity, receive content from another source or receive intents from the device or from other applications. There are four application components:

  • Activities
  • Services
  • Content Providers
  • Broadcast Receivers

Activities, Services, Content Providers and Broadcast Receivers can all be exported. Therefore all of them should be reviewed to ensure that they don't perform any sensitive action and that they are protected by appropriate permissions, as otherwise information could be exposed to malicious third parties.
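An added AndroidManifest.xml fragment (not from the original post) that brings the debug flag, backup flag, protectionLevel and exported-component points from the two sections above into one configuration. The package name, permission name and component names are constructed.

```xml
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.secureapp">

    <!-- Custom permission: only apps signed with the same certificate can hold it -->
    <permission
        android:name="com.example.secureapp.permission.ACCESS_SYNC"
        android:protectionLevel="signature" />

    <!-- debuggable is normally left unset so the build type decides it (false for
         release); it is written out here to match the text. allowBackup=false stops
         application data being pulled via a backup from a USB-debugging session. -->
    <application
        android:debuggable="false"
        android:allowBackup="false">

        <!-- Launcher activity: must be exported so the home screen can start it -->
        <activity android:name=".MainActivity" android:exported="true">
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />
                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>

        <!-- Internal service: not exported, so no other app can start or bind to it -->
        <service android:name=".SyncService" android:exported="false" />

        <!-- Provider that must be shared: exported, but gated by the signature permission -->
        <provider
            android:name=".SyncProvider"
            android:authorities="com.example.secureapp.sync"
            android:exported="true"
            android:permission="com.example.secureapp.permission.ACCESS_SYNC" />

        <!-- Receiver for an app-internal broadcast: not exported -->
        <receiver android:name=".AlarmReceiver" android:exported="false" />
    </application>
</manifest>
```

Declaring android:exported explicitly on every component is the habit to adopt: a component with an intent filter is otherwise exported by default, and since Android 12 the build fails if the attribute is missing on such components.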

Conclusion

If you are planning on releasing an Android app to the Google Play Store, it is imperative that you devise a security strategy as part of the development cycle to protect your users and your app from security threats, and that you carry out thorough quality assurance testing prior to release.

Further Reading

Rob Kowalski's excellent 'Penetration Testing and Reverse Engineering' includes chapters on iOS and Android security as well as IDS, web apps and eCommerce websites:

Available on Amazon
