Android: How to design an Android app for security

Android is a Linux-based operating system and hence it provides many security features. For example, it has built-in security features like application sandboxing, protection against buffer and integer overflows, and separate memory areas for program instructions and data. A simple Android app, one that does not perform any file system or networking operations, is often considered secure by default. For a full understanding of security, please read an article on Android.

If one is developing a more complex app, it is the developer's responsibility to make it secure and to protect the privacy of the end users. In this article, I am going to list some of the best practices one can follow to design or build a secure Android app.

Ways to design an Android app for security

1. Use Internal Storage for Sensitive Data in Android

Every Android app has an internal storage directory associated with it, whose path is mapped to the package name of the app. Files inside this directory are very secure because they use the MODE_PRIVATE file creation mode by default, so other applications cannot access them. Therefore, it is best to store the app's sensitive data in the internal storage directory.

2. Encrypt Data on External Storage

The internal storage capacity of an Android device is sometimes limited. Therefore, at times, we might have no choice but to store sensitive data on external storage media, such as a removable SD card.

The data on external storage can be directly accessed by both users and other apps on the device. So, it is important that you store it in an encrypted format. The best-known encryption algorithm used by developers today is AES, short for Advanced Encryption Standard, with a key size of 256 bits.

Other than the Android SDK, Facebook’s Conceal library acts as an easy-to-use third-party library that helps in obfuscation.

3. Use Intents for IPC

Experienced programmers who are new to Android application development often use sockets, named pipes, or shared files to asynchronously communicate with other apps installed on an Android device. This approach is not very secure and is prone to threats. Android's intent feature helps in securing inter-process communication (IPC).

4. Use HTTPS in Android

All communication between the app and the servers must be over HTTPS. Android users connect to several open, unsecured Wi-Fi hotspots in public areas every day. Some of them may be malicious and can alter HTTP traffic, which will make the app behave in an unexpected way.

If the server is configured with a certificate issued by a trusted certificate authority, such as DigiCert or GlobalSign, one can be sure that the network traffic is secure against both eavesdropping and man-in-the-middle attacks.

If the Android app has a lot of networking code and one is afraid that it might send some data as cleartext, then it is best to use nogotofail, an open-source tool built by Google to find such mistakes.

5. Use GCM or Firebase Instead of SMS in Android

In the days before GCM, short for Google Cloud Messaging, many developers used SMS to push data from the server to their apps. Today, this practice is largely gone. If you still have not made the switch from SMS to GCM, it is better to do so, because the SMS protocol is neither encrypted nor safe against spoofing attacks. Moreover, an SMS can be read by any app on the user's device that has the READ_SMS permission. GCM is a lot more secure and is the ideal way to push messages. All GCM communications are encrypted. Since GCM has been deprecated since April 2018, Firebase Cloud Messaging is used instead. It is a cross-platform messaging solution that lets you reliably send messages at no cost.

6. Avoid Asking for Personal Data

Users' privacy is given a lot of importance these days. There are laws, such as the European Union's Data Protection Directive and Canada's Personal Information Protection and Electronic Documents Act, which mandate the protection of a user's privacy. Therefore, one should avoid asking for personal data in the app itself. Instead, users can log into your app through services such as the Google Identity platform, which provides the app with user details like profile photo, e-mail ID, user name, etc. Alternatively, one could use free services like Firebase that can manage user authentication for you.

7. Validate User Input in Android

It is very important to validate user input. On Android, invalid user input does not usually lead to security issues like buffer overruns. However, when user input ends up in a database query, it is better to make use of parameterized queries; otherwise, it may lead to SQL injection attacks.
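
The difference between a concatenated and a parameterized query, as an added example that is not part of the original article. The `users` table, its columns, the class name and the allow-list pattern for names are assumptions made for illustration; `SQLiteDatabase.rawQuery` and `SQLiteDatabase.query` are the standard Android SDK calls.

```java
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;
import java.util.regex.Pattern;

public class UserLookup {
    // Hypothetical schema for this example: users(id INTEGER, name TEXT, email TEXT)
    // Allow-list for user names: short, and limited to a known character set.
    private static final Pattern NAME = Pattern.compile("[A-Za-z0-9_.-]{1,32}");

    // VULNERABLE: the input is spliced into the SQL text, so a value such as
    //   x' OR '1'='1
    // rewrites the WHERE clause and the query returns every row.
    static Cursor findUnsafe(SQLiteDatabase db, String name) {
        return db.rawQuery(
                "SELECT id, email FROM users WHERE name = '" + name + "'", null);
    }

    // HARDENED: the input is validated first, then passed as a bound argument.
    // SQLite treats the bound value purely as data, never as SQL syntax.
    static Cursor findSafe(SQLiteDatabase db, String name) {
        if (name == null || !NAME.matcher(name).matches()) {
            throw new IllegalArgumentException("invalid user name");
        }
        return db.query(
                "users",                       // table
                new String[] {"id", "email"},  // columns
                "name = ?",                    // selection with a placeholder
                new String[] {name},           // value bound to the placeholder
                null, null, null);             // groupBy, having, orderBy
    }
}
```

The validation step narrows what reaches the database, but the bound argument is what prevents injection; the allow-list alone should not be relied on.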

8. Use ProGuard Before Publishing in Android

If attackers are able to get their hands on the source code of an app, the security measures built into it can be severely compromised. Before publishing the app, it is recommended to use a tool called ProGuard to obfuscate and minify the source code.

9. Watch what you print in LogCat in Android

Every developer uses LogCat for debugging the application. The logs may contain sensitive information like service URLs, response bodies, usernames, crashes, etc. It is better to remove these log statements before releasing the APK.

10. Keep your dependencies up to date

All of us use third-party libraries to achieve tasks like networking, loading images from the network, database, etc. These libraries need to be updated for new fixes, new functionality, etc. 

To sum up

In a nutshell, Android is a secure operating system. While designing or developing an app it is better to follow the above best practices so that the device can remain secure from any malware attacks.
