Android App Security Best Practices


Impacts Of Weak Mobile App Security


Almost all contemporary apps store and use user credentials, bank information, and other PII to provide an enhanced user experience. However, with the advent of complex security threats, it has become difficult to maintain the required level of security. Let's take a look at some of the impacts of weak mobile app security:

Encrypt And Monitor The Data Between The Mobile App And Web Server

It is important to periodically analyze, by hand, the traffic flowing from the app to the web servers. You can either have an internal team do this or hire a mobile app security company that can help you track what moves through the network layer.

Most experts recommend that all mobile device communications be encrypted, simply because wireless communications are easy to intercept and snoop on. Often known as the transport layer, the path between the mobile app and web servers carries very sensitive information, so it is necessary to apply the best security practices there and to make sure it is something you can monitor well.

Needed Team For Securing Mobile Applications

Security is a set of measures, so securing mobile applications requires involving every participant in development.

This requires regular training for all SSDLC participants, the creation of development guidelines and, of course, security testing, both internal and external, none of which should be neglected. More specific team roles are the following:

  • Security architect: At the system design stage, cybersecurity specialists, as well as compliance specialists, need to be involved to think through the application architecture. At the pre-release stage, this could also be internal QA engineers. An architect considers the security of all system components.
  • Security engineer: A universal soldier who can do a lot of work, from requirements analysis to internal pentesting.
  • Security champions: It's important to remember that security needs specialists, and it's good to have champions. These should be experts from within the team who are enthusiastic about security and strive to make the project secure. They could be in all departments of product development.

    Creating And Verifying Signatures

    If you want to send messages and make sure that the sender is the person you think it is, you can use signatures. To do so, you need a private/public key pair first.

    import CryptoKit

    let signingKey = Curve25519.Signing.PrivateKey()
    let signingPublicKey = signingKey.publicKey

    Using the private key, any form of data can be signed.

    let data = Data("message to sign".utf8)  // constructed sample; any Data value works
    let signature = try! signingKey.signature(for: data)

    This signature is then sent together with the actual data to the receiver, who can use the public key to validate the signature.

    let isSignatureValid = signingPublicKey.isValidSignature(signature, for: data)

    Use Shapes And Selectors Instead Of Images As Much As Possible


    Basic shapes and gradients can easily be drawn using the <shape /> tag without the use of images. The resulting shapes are always sharp and do not need to be created for multiple densities.

    A basic circle can be created in the following way and saved as circle.xml in the drawables folder:

    <shape xmlns:android="http://schemas.android.com/apk/res/android" android:shape="oval">
        <solid android:color="#ff01aef0" />
    </shape>

    The <selector /> tag can be used to add different visual states to Views.

    A simple selector, to add a pressed-state background to a button, can be created in the following way and saved in the drawables folder:


    Where Do I Sign Up

    First of all, have a look at the existing RE chapters outline:

    You'll probably immediately have ideas on how you can contribute. If that's the case, read the first.

    Then contact Bernhard Mueller – ideally directly on the OWASP Mobile Security Project Slack Channel, where you'll find all the other project members. You can sign up for an account here.

    Code Tampering And Jailbroken Devices

    Code tampering is where an attacker takes a legitimate application, modifies the source code and then redistributes the application. Attackers in this scenario may use phishing attacks combined with a link to the modified app to lure users into downloading these malicious apps.

    For example, an attacker downloads a legitimate banking application from the app store and then inserts code to capture PII. The attacker then uploads this application to a third-party app store that doesn't scrutinize apps as heavily as the Google Play or Apple App stores. Once the application is active, the attacker can use a phishing email scam to trick unsuspecting users into downloading the malicious app; any personal information that victims enter is sent to the attacker.

    The best way to prevent these types of attacks is to run constant application checks for source code and environment modifications.

    These malicious attacks often take advantage of rooted or jailbroken devices, where the user has allowed applications to make changes that the operating system usually doesn’t allow. A few methods exist to detect rooted or jailbroken devices, such as detecting the presence of certain applications or libraries on the device. Once developers check for these libraries, they can instruct their application to shut down and avoid any vulnerabilities programmers inadvertently introduced into the source code.
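The kind of check described above, as an added example in Kotlin that is not code from the original article: it combines a few locally inspectable heuristics (known su binary paths, a test-keys build tag, and a caller-supplied list of root-manager package names). The object name and the path list are assumptions; the result is a signal for the app's own policy, not proof.

```kotlin
import android.content.Context
import android.content.pm.PackageManager
import android.os.Build
import java.io.File

// Added example: cheap root-detection heuristics an app can run at start-up.
// RootSignals and the path list are assumptions; treat the result as a signal, not proof.
object RootSignals {
    // Locations where root managers commonly place a `su` binary (constructed list).
    private val SU_PATHS = listOf(
        "/system/bin/su", "/system/xbin/su", "/sbin/su", "/system/su",
        "/su/bin/su", "/data/local/bin/su", "/data/local/xbin/su"
    )

    fun hasSuBinary(): Boolean = SU_PATHS.any { File(it).exists() }

    // Production firmware is signed with release keys; "test-keys" indicates a
    // development or custom build, which usually ships with root access.
    fun isTestKeysBuild(): Boolean = Build.TAGS?.contains("test-keys") == true

    // Presence of a known root-management package. The caller supplies the package
    // names; on API 30+ they must also be declared in a <queries> manifest element.
    fun hasRootManagerApp(context: Context, packages: List<String>): Boolean =
        packages.any { pkg ->
            try {
                context.packageManager.getPackageInfo(pkg, 0)
                true
            } catch (e: PackageManager.NameNotFoundException) {
                false
            }
        }

    fun isLikelyRooted(context: Context, packages: List<String>): Boolean =
        hasSuBinary() || isTestKeysBuild() || hasRootManagerApp(context, packages)
}

// Usage sketch from a launch Activity (the response is the app's policy choice):
// if (RootSignals.isLikelyRooted(this, listOf(/* root manager package ids */))) {
//     // e.g. refuse to handle sensitive data, warn the user, or exit as the text suggests
//     finishAffinity()
// }
```

Any of these signals can be absent on a rooted device or present on an unrooted one, so log the outcome server-side as well rather than relying on the client's decision alone.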

    Next Steps


    Best Practices To Secure Your Code

    Securing our packaged code is also important. There is always the possibility of reverse engineering: someone might try to read how we do our encryption or find another loophole in our code.

    Nothing stops an attacker from reading our compiled code. But, at the very least, we can make it as hard as possible for the attacker to gain any information from that code.

    Use Intents To Defer Permissions


    Whenever possible, don't add a permission to your app to complete an action that could be completed in another app. Instead, use an intent to defer the request to a different app that already has the necessary permission.

    The following example shows how to use an intent to direct users to a contacts app instead of requesting the READ_CONTACTS and WRITE_CONTACTS permissions:
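The deferral described above, as an added Kotlin example that is not code from the original article: the app lets the system contacts app pick or create a contact, so it never declares READ_CONTACTS or WRITE_CONTACTS. The class and method names are assumptions.

```kotlin
import android.content.ActivityNotFoundException
import android.content.Intent
import android.net.Uri
import android.provider.ContactsContract
import androidx.activity.result.contract.ActivityResultContracts
import androidx.appcompat.app.AppCompatActivity

// Added example: defer contact access to the contacts app instead of holding
// READ_CONTACTS / WRITE_CONTACTS ourselves. Class and method names are assumed.
class DeferredContactsActivity : AppCompatActivity() {

    // The system picker returns a URI for the single contact the user chose
    // (null if they cancelled). No contacts permission is needed for this.
    private val pickContact =
        registerForActivityResult(ActivityResultContracts.PickContact()) { uri: Uri? ->
            uri?.let { onContactPicked(it) }
        }

    // Reading: e.g. wired to a "choose recipient" button.
    fun chooseRecipient() = pickContact.launch(null)

    // Writing: hand the pre-filled fields to the contacts app with ACTION_INSERT;
    // the user confirms there and the contacts app performs the write.
    fun createContact(name: String, phone: String) {
        val intent = Intent(Intent.ACTION_INSERT).apply {
            type = ContactsContract.Contacts.CONTENT_TYPE
            putExtra(ContactsContract.Intents.Insert.NAME, name)
            putExtra(ContactsContract.Intents.Insert.PHONE, phone)
        }
        try {
            startActivity(intent)
        } catch (e: ActivityNotFoundException) {
            // No contacts app on this device: degrade gracefully rather than
            // falling back to requesting WRITE_CONTACTS.
        }
    }

    private fun onContactPicked(uri: Uri) {
        // The grant is temporary and scoped to this one contact; read it here with
        // contentResolver.query(uri, ...). The app only ever sees what the user chose.
    }
}
```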


    Ensure Tight Password Security

    If your mobile app has to access and store critical data of the app users, you need to enforce the toughest password security to ensure that the critical data is not exposed.

    What type of password you want to enable is up to you. But the password policy should not be so complex that users get frustrated generating, remembering, and even using their passwords.

    This is one of the best practices to ensure your mobile app is secure.

    I Contributed To The Original Google Doc But I'm Not Credited In The New Version Of The MSTG

    As we migrated some of the existing content, we did our best to backtrack the original authors and credit them appropriately. We also added a revision history that lists all the authors from old Google Docs. If you are not on that list but feel you should be, please contact Sven Schleier or Carlos Holguera. Or better yet, re-join the team and start contributing to the new guide.


    How Can I Participate In Your Project

    We are searching for additional authors, reviewers and editors. The best way to get started is to consult our Contributing Guidelines.


    • If there's something you really want to see in the guide, or you want to suggest an improvement, open a discussion.
    • If it qualifies for the OWASP MSTG, we'll upgrade it into an issue.
    • Simply pick up one of our issues and let us know that you want to work on it.
    • Of course, if you're simply proofreading and you've corrected some typos, please open a Pull Request directly.

    If you have any questions, please ping us on Slack or by e-mail.

    Use Authorized Libraries Only


    It is important to consider the security of your application even when you are using the best third-party libraries. Therefore, be doubly cautious and test the code completely before using it in your application. As valuable as they may be, some libraries can be amazingly insecure for your application. Let's consider the GNU C Library. It had a security flaw that could permit attackers to remotely execute malicious code and crash a system. And the worst part of this scenario is that it was not identified for more than seven years. Developers should use controlled internal repositories and other tools to shield their applications from vulnerabilities in libraries.


    Why Is It Important

    If you’re launching an app for your customers, then mobile application security is an essential component of the development and maintenance process. According to The Cyber Security Breaches Survey, roughly a third of all companies reported cyber attacks on their businesses. This number reflects a 60 percent increase in cyber attacks on medium-sized companies and a 61 percent rise in cyber attacks on large-sized companies. Mobile application security is crucial to protecting your business as well as your users. The following are the two main reasons you should focus a significant amount of your attention on mobile application security:

    Set Mobile Encryption Policies

    An encryption policy ensures that data is encrypted whenever you believe it's required. For example, SSL will help encrypt data that travels across a network; however, it won't protect data stored in a database. On the other hand, encrypting the fields in your database will not protect any data accessed across the network. Create an extensive encryption policy that addresses all of these data security issues and encryption management processes. Document your mobile encryption policy and ensure that your team adheres to it when developing your app.


    Protecting Data At Rest On The Device

    If you store unencrypted sensitive data such as PII, credentials, keys, and tokens in local storage such as an SQLite database, stop this practice. It will expose your data to potential breaches. However, if you have to use local storage, ask the developer to encrypt it with a key derived from user input through a key derivation function.

    Furthermore, stop including highly sensitive data in system logs. Storing data in the WebView cache is also not an ideal practice. Don't forget to clear the application's cache after receiving responses.

    Most of the time, hackers can access or modify the app's locally stored data through backups. So, it is important to disable application backup.
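The approach described above, as an added Kotlin example that is not code from the original article: the AES key is derived from the user's passphrase with PBKDF2 and only the encrypted blob is written to storage, so a copy of local storage alone is not enough to read the data. LocalDataProtection and its parameters are assumptions, and PBKDF2WithHmacSHA256 requires Android API 26 or later.

```kotlin
import java.security.SecureRandom
import javax.crypto.Cipher
import javax.crypto.SecretKeyFactory
import javax.crypto.spec.GCMParameterSpec
import javax.crypto.spec.PBEKeySpec
import javax.crypto.spec.SecretKeySpec

// Added example; LocalDataProtection and its parameters are assumptions.
// PBKDF2WithHmacSHA256 is available on Android API 26 and later.
object LocalDataProtection {
    private const val ITERATIONS = 310_000   // slow enough to resist offline guessing
    private const val SALT_BYTES = 16
    private const val IV_BYTES = 12           // standard GCM nonce length
    private const val TAG_BITS = 128

    // Derive a 256-bit AES key from the user's passphrase and a random salt.
    // Nothing secret is stored on the device; only the salt travels inside the blob.
    private fun deriveKey(passphrase: CharArray, salt: ByteArray): SecretKeySpec {
        val spec = PBEKeySpec(passphrase, salt, ITERATIONS, 256)
        val keyBytes = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
            .generateSecret(spec).encoded
        spec.clearPassword()
        return SecretKeySpec(keyBytes, "AES")
    }

    // Blob layout: salt || iv || ciphertext+tag. Fresh salt and IV on every call.
    fun seal(plaintext: ByteArray, passphrase: CharArray): ByteArray {
        val rng = SecureRandom()
        val salt = ByteArray(SALT_BYTES).also { rng.nextBytes(it) }
        val iv = ByteArray(IV_BYTES).also { rng.nextBytes(it) }
        val cipher = Cipher.getInstance("AES/GCM/NoPadding")
        cipher.init(Cipher.ENCRYPT_MODE, deriveKey(passphrase, salt), GCMParameterSpec(TAG_BITS, iv))
        return salt + iv + cipher.doFinal(plaintext)
    }

    // Returns null if the blob was tampered with or the passphrase is wrong
    // (the GCM tag check fails), so callers can never silently read garbage.
    fun open(blob: ByteArray, passphrase: CharArray): ByteArray? {
        if (blob.size < SALT_BYTES + IV_BYTES + TAG_BITS / 8) return null
        val salt = blob.copyOfRange(0, SALT_BYTES)
        val iv = blob.copyOfRange(SALT_BYTES, SALT_BYTES + IV_BYTES)
        val body = blob.copyOfRange(SALT_BYTES + IV_BYTES, blob.size)
        val cipher = Cipher.getInstance("AES/GCM/NoPadding")
        cipher.init(Cipher.DECRYPT_MODE, deriveKey(passphrase, salt), GCMParameterSpec(TAG_BITS, iv))
        return runCatching { cipher.doFinal(body) }.getOrNull()
    }
}

// Usage sketch: write the blob to app-private storage and keep the passphrase
// in memory only as long as it is needed.
// val blob = LocalDataProtection.seal("token=abc".toByteArray(), "user passphrase".toCharArray())
// val plain = LocalDataProtection.open(blob, "user passphrase".toCharArray())
```

Pair this with android:allowBackup="false" in the manifest, as the text recommends, so the blob is not exported through app backups.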

    Mobile Application Security: Best Practices For App Developers


    The success of an app highly depends on its security. Users want safe app environments where they can interact with each other. Therefore, developers need to deliver digital solutions with app security in mind.

    This article talks about how to protect data stored within apps, namely by means of HTTPS, clearing the cache, obfuscating code, protecting local storage, and keeping sensitive data inside the app.


    Web Service APIs Or Static Web APIs Mobile App Protection Methods

    • Use a proxy server. The proxy server provides a solid source for interacting with the appropriate Google Maps Platform API. For more information on using a proxy server, see.

    • Obfuscate or encrypt the API key or signing secret. This complicates scraping of API keys and other private data directly from the application.

    Using GCM Instead Of SMS

    Before Google Cloud Messaging (GCM) existed, SMS was used to push data from servers to apps, but today GCM is used widely. If you still have not made the switch from SMS to GCM, you must, because the SMS protocol is neither safe nor encrypted. On top of that, SMS messages can be accessed and read by any other app on the user's device. GCM communications are authenticated by registration tokens, which are regularly refreshed on the client side, and by a unique API key on the server side.

    Other major mobile app development security best practices include validation of user input, avoiding the need for personal data, and usage of ProGuard before publishing the app. The idea is to secure app users from as much malware as possible.


    Some Additional Guidelines To Keep Your Android App Secure

    When you collaborate with a reputed mobile app developer, have a consultation regarding the key security features. Initially, the security mechanism is developed by the experts. From time to time, you need to seek their services to perform the necessary updates and repair the security gaps.

    Here are some additional tips that will help you combat security issues:

    • You may depend on the approval of the application store, confirming that a particular app is secure. However, errors do occur at times. You need to try and test them yourself, as the endorsements that the app stores give are not 100% foolproof.
    • You need to be careful if your app depends on another party's API. Their code has to be secure in order to ensure the safety of your device. Make sure that your application's API exposes only the parts of the app that need to be exposed, which is crucial for limiting the threats.

    Encrypting Data Using Symmetric Keys


    Encrypting and decrypting data using a symmetric key is simple, too. You can use one of two available ciphers: ChaChaPoly or AES-GCM in CryptoSwift:

    import CryptoKit  // ChaChaPoly, AES.GCM and SymmetricKey come from Apple's CryptoKit

    let key = SymmetricKey(size: .bits256)     // generated at runtime, never hardcoded
    let data = Data("secret payload".utf8)     // constructed sample plaintext
    let encryptedData = try! ChaChaPoly.seal(data, using: key).combined
    let sealedBox = try! ChaChaPoly.SealedBox(combined: encryptedData)
    let decryptedData = try! ChaChaPoly.open(sealedBox, using: key)

    You should always make sure not to hardcode these symmetric keys in your app though. You can generate a symmetric key at runtime and then store it safely in the keychain. That way, no one has access to your key to decrypt data.


    Why Is Mobile Application Security A Big Deal

    To understand why this is a big deal, we need to take a more holistic view. Let’s scale this up. There are many reports out there that have proven that more than 90% of mobile applications are vulnerable and there’s a median of around 6.5 vulnerabilities per app.

    At the same time, over 4,000 apps are being added to the popular apps stores every single day. On average, a smartphone user downloads 36 apps. Put this all together and it will present a scary picture for any business.

    Constant App Testing And Regular Updates

    No platform is 100% secure. Even if you scrutinize every stage, there will be some dark spots left behind. That's why app testing should never stop. If you can afford it, you can also start your own bug bounty program.

    As you keep finding flaws, keep releasing timely updates so that your users don't suffer.


    The Basics Of Android App Security

    Especially on Android, you need to be aware of each Android version and the security features it provides. Your app might be secure on the brand new mobile phone you got for Christmas. However, if it's not also secure on older phones, you expose your users to a very real security risk. That might damage your reputation, or even get you into big legal trouble if you stored some passwords the wrong way.

    In this article, we completely focus on the Android-specific characteristics of Mobile Security. If you need a broader overview, check our previous article about Mobile App Security Best Practices.

    Set A Solid API Security Strategy


    Be very careful about the application programming interfaces you use to develop your app. If you use an API that isn’t authorized, it could unintentionally give hackers easier access to your app. For instance, your programmers might decide to cache authorization information locally to make it easier for them to reuse information when making API calls and allow coders to use them as well. Unfortunately, cybercriminals will now be able to hijack those privileges. To ensure that such a situation doesn’t occur, establish a solid API security strategy that only allows APIs to be authorized centrally.


    Best Practices To Ensure Mobile App Security

    If you are set for your next project, ensure that you implement the following 8 mobile app security best practices:

  • Write secure code: Developers can build mobile app security essentials into every project at the code level. For example, simple tactics can prevent the injection of scripts through your app's data entry forms and can substantially strengthen your apps. Use methods such as content controls to limit copy-and-paste actions, and 'open in' restrictions to prevent your apps from opening dangerous content. Such options can significantly harden your apps against the most common security attacks. Some of the tactics listed below, such as enhanced authentication, data encryption and jailbreak protection, can also help your apps resist attack.
  • Test your code: Implement mobile app security essentials right from the beginning of every project, e.g. start a project with a security review. Simple tactics such as integrating your software developers and testers in the same business unit can speed bug identification and improve communication. Always test your code in the real world by verifying the download and installation processes used by your app. Penetration testing, network security testing and data security testing are some of the testing techniques you can adopt.

    Maps Web Service APIs Or Static Web APIs App Protection Methods

    • Store API keys and signing secrets outside of your application's source code. If you put your API keys or any other private information in environment variables or include files that are stored separately and then share your code, the API keys or signing secrets will not be included in the shared files.

    • Store API keys or signing secrets in files outside of your application's source tree. If you store API keys or any other private information in files, keep the files outside your application's source tree to keep your keys out of your source code control system. This is particularly important if you use a public source code management system, such as GitHub.

