Andriod is a Linux-based operating system and hence it provides many security features. For example, it has built-in security features like application sandboxing, protection against buffer and integer overflows, and a separate area for program instructions and data. An Android app that is simple, like it does not perform any file system or networking operations, is often considered as secure by default. Please read an article on Android for getting a full understanding of security.
If one is developing a more complex app, it is the developers’ responsibility to make it secure and protect the privacy of the end-users. In this article, I am going to list some of the best practices one can follow to design or build a secure Android app.
- Ways to design an Android app for security
- 1. Use Internal Storage for Sensitive Data in Android
- 2. Encrypt Data on External Storage
- 3. Use Intents for IPC
- 4. Use HTTPS in Android
- 5. Use GCM or Firebase Instead of SMS in Android
- 6. Avoid Asking for Personal Data
- 7. Validate User Input in Android
- 8. Use ProGuard Before Publishing in Android
- 9. Watch what you print in LogCat in Android
- 10. Keep your dependencies up to date
- To sum up
Ways to design an Android app for security
1. Use Internal Storage for Sensitive Data in Android
Every Android app has an internal storage directory associated with it whose path is mapped to the package name of the app. The file inside this directory is very secure. This because they use the MODE_PRIVATE file creation mode by default. Hence, another application cannot access this file. Therefore, it is best to store sensitive data for the app in the internal storage directory.
2. Encrypt Data on External Storage
The internal storage capacity of an Android device is sometimes limited. Therefore, at times, we might have no choice but to store sensitive data on external storage media, such as a removable SD card.
The data on external storage can be directly accessed by both users and other apps on the device. So, it is important that you store it in an encrypted format. The famous encryption algorithms used by developers today is AES, short for Advanced Encryption Standard, with a key size of 256 bits.
Other than the Android SDK, Facebook’s Conceal library acts as an easy-to-use third-party library that helps in obfuscation.
3. Use Intents for IPC
Experienced programmers who are new to Android application development often use sockets, named pipes, or share files to asynchronously communicate with other apps installed on an Android device. This approach is not very secure and it is prone to threats. The intent feature of Android helps in securing the process of Interprocess communication.
4. Use HTTPS in Android
All the communications between the app and the servers must be over HTTPS. Android users connect to several open, unsecured Wi-Fi hotspots in public areas every day. Some of them may be malicious and can alter the HTTP traffic which will make the app behave in an unexpected way.
If the server is configured with the certificate issued by a trusted certificate authority, such as DigiCert or GlobalSign, one can be sure that the network traffics is secure against both eavesdropping and man-in-the-middle attack.
If the Android app has a lot of networking code and one is afraid that it might send some data as cleartext then it is best to use nogotofail, an open-source tool built by Google to find such mistakes.
5. Use GCM or Firebase Instead of SMS in Android
During Pre-GCM days, short for Google Cloud Messaging, many developers were using SMS to push their data from the server to their apps. Today, this practice is largely gone. It is better to switch from SMS to GCM if you still have not made the switch. This is because SMS protocol is neither encrypted nor safe against spoofing attacks. More so, an SMS can be read by any app on the user’s device that has READ_SMS permission. GCM is a lot more secure and is the ideal way to push messages. All GCM communications are encrypted. Since GCM has been deprecated since April 2018, Firebase cloud messaging is used. It is a cross-platform messaging solution that lets you reliably send messages at no cost.
6. Avoid Asking for Personal Data
Users’ privacy is given a lot of importance these days. By the way, there are laws, such as the European Union’s Data Protection Directive and Canada’s Personal Information Protection and Electronic Documents Act, which mandate the protection of the privacy of a user. Therefore, one should stop asking for it in the App itself. There are ways suggested like the Google Identity platform through which you can log into your app. The following details of the users like profile photo, e-mail ID, user name, etc will be provided to the app. Alternatively, one could use free services like Firebase that can manage user authentication for you.
7. Validate User Input in Android
It is very important to validate user inputs. On Android, invalid user input doesn’t mostly lead to security issues like buffer overruns. But, It is better to make use of parameterized queries. Otherwise, it may lead to SQL injection attacks.
8. Use ProGuard Before Publishing in Android
If the attackers are able to get their hands on the source code of an App then security measures built-into an Android App can be severely compromised. Before publishing the app, it is recommended to make use of tools called ProGuard, to obfuscate and minify the source code.
9. Watch what you print in LogCat in Android
Every developer uses LogCat to for debugging the application. It may contain sensitive information like service URLs, response body, usernames, crashes, etc. It is better to remove these log statements when they release the APK.
10. Keep your dependencies up to date
All of us use third-party libraries to achieve tasks like networking, loading images from the network, database, etc. These libraries need to be updated for new fixes, new functionality, etc.
To sum up
In a nutshell, Android is a secure operating system. While designing or developing an app it is better to follow the above best practices so that the device can remain secure from any malware attacks.
Would you like to know about the accounting software for small business? Click here.
- 12 Tips to Optimize Your WordPress Blog for the Best Performance - December 11, 2020
- How To Improve Readability of WordPress Blogs? - November 25, 2020
- A WordPress definitive guide: How to blog using WordPress? - November 21, 2020