If you have not heard of Android recently, then I bet you are still living in the past. As a Linux based open source mobile operating system from Google, it has truly revolutionized the mobile world. Let us look at some statistics. In 2014, worldwide shipments of Android packed phones exceeded 1 billion units for the first time ever. This was much higher than iOS, which happened to manage around 192.7 million worldwide shipments in 2014. In consequence, the android apps store has around 1.6 million apps, which makes android apps development a thriving business around the world.
Android app development is not always a straightforward process. The android SDK is available free, but android app development could take you on a circuitous path. Despite developing for Android, you could end up in a troubling scenario. With several flavors of android available and a vast array of android devices, what works on one android phone of a particular manufacturer might not work on a phone of another manufacturer.
At the same time, the security of android devices can be compromised. Hence, let us learn what can be done to implement security features that will not only increase the safety of your android applications but also improve the quality of the android application development in your organization:
1. Avoid exporting components: Avoid exporting components except when necessary. This is done in order to reduce the attack surface of the application. You can use intent filters, but these cannot be completely relied upon for complete protection of exported components. This is because a crafted intent that uses fully qualified component names has the tendency to bypass intent filters.
2. Be careful of what the application stores on the mobile device: You should be careful of what the application stores on the mobile device. Be careful of parameters such as what is logged and cached, and what is stored within the structured data. Generally, SQLite is used by mobile platforms for structured data storage. In case, such file content is not encrypted, simple Linux commands can pull information within these files, once someone accesses the file system. Common vulnerabilities include insecure storage of user credentials and even the passwords within the SQLite data or even the system cache.
3. Use encrypted communication: For SSL/TLS use, it is always advisable to use encrypted communication with the backend application server. It is now mandated that all certificates must have a 2048-bit key length. This is because a 1024-bit key length is now a weaker method of encryption, which is because of the technology in use currently. A good example of enhanced security and best practice is the use of certificate pinning, which is a new trend in mobile application development.
4. All user input should be treated as un-trusted: As is the case with web applications, all user input should be treated as un-trusted. Here, android applications are no different. You need to handle various issues such as cross-site scripting (XSS), JSON/XML injection, SQL and OS command injections. These need to be handled by both the client as well as the backend application server. As a piece of good advice, avoid using classes with known vulnerabilities in the application code.
5. Avoid storing sensitive data: Avoid storing sensitive data on the android device during run time as much as possible. This will discourage mobile app hackers and dissuade them from messing up with your mobile application. The idea is to process data in case of need and delete it immediately when not needed. Data that is needed should be encrypted on the device. Store the password securely in KeyStore for Android.
6. Go through obfuscation: It is extremely essential that android apps go through obfuscation. In case script files are used as part of the app, these files should be taken through the obfuscation process as well. The key that is used in the encryption should also be encrypted. It should be stored in secure storage and the installation file should be obfuscated. It is also a good idea to avoid downloading the encryption key from the server during the run time.
7. Avoid excessive permissions: Avoid excessive permissions for android apps. Edit only those permissions, which are absolutely needed. Do not use permissions such as ‘access to contacts’ that access personal information, which should be a strict no-no. This is to avoid anything from going wrong incase there is a data breach.
Hence, no security measure can be indeed secure and provide foolproof security for your android application. This means that an in-depth approach is essential for your android mobile security, which should include a good mobile application development life cycle that includes multiple protection layers. Assess your mobile using a rigorous security assessment checklist so that you can identify any vulnerability that could be present with the android mobile application.