Entersoft Essentials: Security Guidelines to Secure Your Android App
Insufficient security standards in any industry make it difficult to manage security controls at the application level. Having a strong security checklist available improves not only app security but also the ecosystem involved in the development process. Robust security standards and well-defined guidelines also differentiate a platform from the others.
This checklist can help you become a leader in the marketplace with regard to application security.
1. SSL implementation check
Checking the SSL/TLS implementation is vital for most apps. Proper certificate validation (and, where the risk justifies it, certificate pinning) protects the app from MITM attacks and secures communication between the mobile app and the server. Typical findings are custom TrustManagers that accept any certificate, HostnameVerifiers that always return true, and fallback to cleartext HTTP.
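Two OkHttp clients, added here as an example and not code from the original post or from Entersoft: the first is the insecure pattern a review should flag, the second is what the check should find instead. The host name, the two pin values and the use of OkHttp as the HTTP client are assumptions made for the illustration.

```java
import java.io.IOException;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import java.util.concurrent.TimeUnit;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import okhttp3.CertificatePinner;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;

public final class TlsClients {

    // FINDING: a "trust everything" TrustManager plus a permissive HostnameVerifier.
    // Usually added to reach a self-signed test server and never removed. Anyone on the
    // network path can present any certificate and read or modify the traffic.
    public static OkHttpClient insecureClient() throws Exception {
        X509TrustManager trustAll = new X509TrustManager() {
            @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
            @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
            @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { trustAll }, new SecureRandom());
        return new OkHttpClient.Builder()
                .sslSocketFactory(ctx.getSocketFactory(), trustAll)
                .hostnameVerifier((hostname, session) -> true) // disables the host name check too
                .build();
    }

    // HARDENED: keep OkHttp's default validation against the platform trust store and
    // add SPKI pinning on top. Host and pin values below are placeholders (assumed);
    // generate a real pin from the server's public key with:
    //   openssl s_client -connect api.example.com:443 </dev/null 2>/dev/null \
    //     | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der \
    //     | openssl dgst -sha256 -binary | base64
    // Always ship a backup pin for the next key so a key rotation does not brick the app.
    public static OkHttpClient pinnedClient() {
        CertificatePinner pinner = new CertificatePinner.Builder()
                .add("api.example.com", "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=") // current key
                .add("api.example.com", "sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=") // backup key
                .build();
        return new OkHttpClient.Builder()
                .certificatePinner(pinner)
                .connectTimeout(10, TimeUnit.SECONDS)
                .build();
    }

    // A pin mismatch surfaces as javax.net.ssl.SSLPeerUnverifiedException from execute().
    public static String get(OkHttpClient client, String url) throws IOException {
        Request req = new Request.Builder().url(url).build();
        try (Response resp = client.newCall(req).execute()) {
            if (!resp.isSuccessful()) throw new IOException("HTTP " + resp.code());
            return resp.body() != null ? resp.body().string() : "";
        }
    }
}
```

During a review, grep the code base for `checkServerTrusted` bodies that are empty and for `HostnameVerifier` implementations that return a constant; either one turns TLS into an unauthenticated tunnel. Pinning can also be declared without code in the app's network security configuration (a `<pin-set>` under `res/xml/network_security_config.xml`), which additionally lets you disable cleartext traffic for the whole app.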
2. Sensitive information management at client side
An application should not store sensitive information such as encryption keys, usernames and passwords in SharedPreferences, files or other local storage, nor keep it in memory longer than necessary. If an application must store sensitive data in a database, encrypting the database with the SQLCipher library is advised. All sensitive information handled by the app should be accounted for before the app is uploaded to the marketplace.
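An added example (constructed for this page, not code from the original post or from Entersoft) contrasting the plaintext SharedPreferences pattern with a Keystore-backed store and an SQLCipher-encrypted database. The preference names, the table and the use of androidx.security-crypto are assumptions; the SQLCipher call signatures follow the 4.x line of the library and should be checked against the version in use.

```java
import android.content.Context;
import android.content.SharedPreferences;
import androidx.security.crypto.EncryptedSharedPreferences;
import androidx.security.crypto.MasterKey;
import java.io.File;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.util.Arrays;
import net.sqlcipher.database.SQLiteDatabase;

public final class SecretStorage {

    // FINDING: plaintext credential in SharedPreferences. It lands in
    // /data/data/<pkg>/shared_prefs/auth.xml, readable on a rooted device, from a
    // device image, or via backup on older targets.
    public static void storePasswordInsecurely(Context ctx, String password) {
        SharedPreferences prefs = ctx.getSharedPreferences("auth", Context.MODE_PRIVATE);
        prefs.edit().putString("password", password).apply();
    }

    // BETTER: do not persist the password at all. Keep a server-issued, revocable token,
    // encrypted under a key that lives in the Android Keystore (androidx.security:security-crypto).
    private static SharedPreferences securePrefs(Context ctx)
            throws GeneralSecurityException, IOException {
        MasterKey masterKey = new MasterKey.Builder(ctx)
                .setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
                .build();
        return EncryptedSharedPreferences.create(
                ctx, "auth_secure", masterKey,
                EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
                EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM);
    }

    public static void storeSessionToken(Context ctx, String token)
            throws GeneralSecurityException, IOException {
        securePrefs(ctx).edit().putString("session_token", token).apply();
    }

    public static String readSessionToken(Context ctx)
            throws GeneralSecurityException, IOException {
        return securePrefs(ctx).getString("session_token", null);
    }

    public static void clearSessionToken(Context ctx)
            throws GeneralSecurityException, IOException {
        securePrefs(ctx).edit().remove("session_token").apply();
    }

    // Encrypted local database with SQLCipher for Android (overloads as in 4.x; assumed).
    // The passphrase must not be a string literal in the APK, where it is one decompile
    // away: derive it from user input or from a Keystore-wrapped random secret, and
    // scrub the char[] once the database is keyed.
    public static SQLiteDatabase openEncryptedDb(Context ctx, char[] passphrase) {
        SQLiteDatabase.loadLibs(ctx);
        File dbFile = ctx.getDatabasePath("app.db");
        dbFile.getParentFile().mkdirs();
        SQLiteDatabase db = SQLiteDatabase.openOrCreateDatabase(dbFile, passphrase, null);
        Arrays.fill(passphrase, '\0');
        db.execSQL("CREATE TABLE IF NOT EXISTS notes (id INTEGER PRIMARY KEY, body TEXT)");
        return db;
    }
}
```

The review check that goes with this: pull the APK, run `strings` or decompile it and look for the database passphrase and any API keys; then inspect `shared_prefs/` and `databases/` on a test device for values that are still readable. Encrypting the store does not help if the key sits next to it.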
3. Code obfuscation
Strong code obfuscation standards need to be in place. Applications should obfuscate or encrypt release builds (on Android typically with R8/ProGuard) to raise the cost of reverse engineering. Treat this as a deterrent rather than as protection for secrets: obfuscated code can still be decompiled and run under a debugger, so keys and credentials must not rely on it.
4. Obsolete cryptographic libraries identification
Apps must always use current cryptographic algorithms that are considered safe and recommended (authenticated modes such as AES-GCM, SHA-256 or stronger hashes, adequate key sizes) and must not rely on obsolete ones such as MD5, SHA-1, DES or RC4, or on unauthenticated modes such as ECB. App developers must avoid writing their own implementation of cryptography; use the platform's javax.crypto and Android Keystore or a vetted library.
5. Validation checks at both client side and server side
Sometimes developers perform validation only on the client side. This leaves the server exposed: an attacker can bypass the app entirely and call the API directly, or modify requests in transit with an intercepting proxy, so the server must re-validate every input it receives. Check for input validation in all possible scenarios on both sides.
6. Input sanitisation
Sanitise user input to strip malicious characters. Apps should use whitelisting (an allow-list) to define the set of permitted characters and reject everything else, rather than trying to enumerate bad characters.
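An added example for items 5 and 6 together (constructed for this page, not code from the original post or from Entersoft): allow-list validators that return typed values, next to a deny-list "sanitiser" and the input that defeats it. The field names, patterns and length cap are assumptions for the illustration; the same class is meant to run on the server, where the client copy cannot be trusted.

```java
import java.util.Optional;
import java.util.regex.Pattern;

public final class InputValidation {

    // Cap length before any parsing so an oversized field cannot tie up the regex engine.
    private static final int MAX_FIELD_LEN = 256;

    // Allow-lists describe exactly what IS permitted; everything else is rejected.
    private static final Pattern USERNAME = Pattern.compile("^[A-Za-z0-9_]{3,32}$");
    private static final Pattern ORDER_ID = Pattern.compile("^[0-9]{1,12}$");
    private static final Pattern EMAIL    = Pattern.compile("^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Za-z]{2,}$");

    public static Optional<String> username(String raw) {
        if (raw == null || raw.length() > MAX_FIELD_LEN) return Optional.empty();
        String s = raw.trim();
        return USERNAME.matcher(s).matches() ? Optional.of(s) : Optional.empty();
    }

    // Type conversion is part of validation: the handler receives a long, never a string
    // that later gets concatenated into a query.
    public static Optional<Long> orderId(String raw) {
        if (raw == null || raw.length() > MAX_FIELD_LEN || !ORDER_ID.matcher(raw).matches()) {
            return Optional.empty();
        }
        return Optional.of(Long.parseLong(raw));
    }

    public static Optional<String> email(String raw) {
        if (raw == null || raw.length() > MAX_FIELD_LEN) return Optional.empty();
        String s = raw.trim();
        return EMAIL.matcher(s).matches() ? Optional.of(s) : Optional.empty();
    }

    // DENY-LIST (what not to do): removing a known-bad substring once is trivially bypassed,
    // because the removal itself reassembles the payload.
    public static String denyListStrip(String raw) {
        return raw.replace("<script>", "");
    }

    public static void main(String[] args) {
        System.out.println(username("alice_01"));          // Optional[alice_01]
        System.out.println(username("alice' OR 1=1--"));   // Optional.empty
        System.out.println(orderId("123456"));             // Optional[123456]
        System.out.println(orderId("1 UNION SELECT 1"));   // Optional.empty
        System.out.println(email("a.b+tag@example.com"));  // Optional[a.b+tag@example.com]
        // The "sanitised" output is the attack: <scr<script>ipt>alert(1)</script>
        // becomes <script>alert(1)</script>
        System.out.println(denyListStrip("<scr<script>ipt>alert(1)</script>"));
    }
}
```

Validation on the device improves the user experience; the copy on the server is the security control. Test it by replaying the app's requests through a proxy with the client-side checks removed.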
7. Encode and decode
Apps should always use a standard encoding (for example UTF-8, with percent- or Base64-encoding where a transport requires it) for user input sent from the client, and the matching decoder for data received from the server. Encoding is not a substitute for validation, since anything encoded can be decoded by an attacker. All encoding and decoding paths should be tested.
8. Implement checksums and tokens
A best practice for developers is to implement checksums on the data passed from client to server so the server can verify the integrity of the data. Because a plain checksum can be recomputed by whoever modifies the data, use a keyed MAC (HMAC) with a secret the client obtains at login. Implement tokens to protect the app from CSRF attacks.
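An added example (constructed for this page, not code from the original post or from Entersoft) showing HMAC-SHA256 over a request body with a constant-time check on the server, and generation plus validation of a CSRF token. The per-session key, the JSON bodies and the token length are assumptions for the illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public final class Integrity {
    private static final SecureRandom RNG = new SecureRandom();

    // Client side: MAC the exact bytes that go on the wire, keyed with a secret issued at
    // login. An unkeyed SHA-256 only catches accidental corruption.
    public static String hmacSha256Base64(byte[] key, byte[] data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return Base64.getEncoder().encodeToString(mac.doFinal(data));
    }

    // Server side: recompute and compare in constant time so the comparison itself does
    // not leak how many leading bytes were right.
    public static boolean verify(byte[] key, byte[] body, String receivedMac) throws Exception {
        byte[] got;
        try {
            got = Base64.getDecoder().decode(receivedMac);
        } catch (IllegalArgumentException e) {
            return false;
        }
        byte[] expected = Base64.getDecoder().decode(hmacSha256Base64(key, body));
        return MessageDigest.isEqual(expected, got);
    }

    // CSRF token: 256 bits from a CSPRNG, stored with the session and sent back by the
    // client in a header or form field, never only in a cookie the browser attaches itself.
    public static String newCsrfToken() {
        byte[] b = new byte[32];
        RNG.nextBytes(b);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }

    public static boolean csrfTokenValid(String expected, String presented) {
        if (expected == null || presented == null) return false;
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     presented.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        byte[] key = "per-session-secret-from-login".getBytes(StandardCharsets.UTF_8); // constructed
        byte[] body = "{\"to\":\"acct-42\",\"amount\":100}".getBytes(StandardCharsets.UTF_8);
        String mac = hmacSha256Base64(key, body);
        System.out.println("intact:   " + verify(key, body, mac));                   // true
        byte[] tampered = "{\"to\":\"acct-99\",\"amount\":100}".getBytes(StandardCharsets.UTF_8);
        System.out.println("tampered: " + verify(key, tampered, mac));               // false
        String csrf = newCsrfToken();
        System.out.println("csrf ok:  " + csrfTokenValid(csrf, csrf));               // true
        System.out.println("csrf bad: " + csrfTokenValid(csrf, newCsrfToken()));     // false
    }
}
```

CSRF matters for an API that is also reachable from a browser with cookie-based authentication; a native client that sends a bearer token in an Authorization header is not vulnerable in the same way, but the backend usually serves both.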
9. Secure response headers
Check that secure response headers are implemented on the server, for example Strict-Transport-Security, X-Content-Type-Options: nosniff, Cache-Control: no-store on responses that carry sensitive data, and a Content-Security-Policy for any web content the app renders in a WebView.
10. Authorisation testing
Test authorisation at every level. Server-side resources must be configured according to the user roles in the application, and every request must be checked on the server against the caller's role and ownership of the requested object; hiding a function in the UI is not an authorisation control.
11. Session management
Sessions should be properly implemented to avoid session-based attacks. Developers should generate random, unpredictable session identifiers and ensure sessions are terminated after a fixed lifetime or after a period of inactivity. It is important to check that sessions are expired on logout: a previous session that remains valid on the server can lead to account takeover.
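A minimal server-side session store, added here as an example and not code from the original post or from Entersoft, that implements the three rules above: unpredictable identifiers, idle and absolute timeouts, and server-side invalidation on logout. It also rotates the identifier at login, which the item does not mention but which closes session fixation. The timeouts, user id and timestamps are constructed; time is passed in as a parameter so the demo can advance it.

```java
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

public final class SessionStore {
    private static final SecureRandom RNG = new SecureRandom();

    private static final class Session {
        final String userId;
        final Instant created;
        volatile Instant lastSeen;
        Session(String userId, Instant now) { this.userId = userId; this.created = now; this.lastSeen = now; }
    }

    private final Duration idleTimeout;      // end the session after this long without a request
    private final Duration absoluteTimeout;  // end it after this long regardless of activity
    private final Map<String, Session> sessions = new ConcurrentHashMap<>();

    public SessionStore(Duration idleTimeout, Duration absoluteTimeout) {
        this.idleTimeout = idleTimeout;
        this.absoluteTimeout = absoluteTimeout;
    }

    // 256 bits from a CSPRNG. Never derive the id from the username, a timestamp or a counter.
    private static String newId() {
        byte[] b = new byte[32];
        RNG.nextBytes(b);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }

    // Called after successful authentication.
    public String create(String userId, Instant now) {
        String id = newId();
        sessions.put(id, new Session(userId, now));
        return id;
    }

    // Issue a fresh id on login or privilege change so an id planted before
    // authentication (session fixation) is worthless; the old id dies at the same time.
    public Optional<String> rotate(String oldId, Instant now) {
        Session s = sessions.remove(oldId);
        return s == null ? Optional.empty() : Optional.of(create(s.userId, now));
    }

    // Every request: the user is returned only if the session exists and neither timer fired.
    public Optional<String> validate(String id, Instant now) {
        if (id == null) return Optional.empty();
        Session s = sessions.get(id);
        if (s == null) return Optional.empty();
        boolean idle = now.isAfter(s.lastSeen.plus(idleTimeout));
        boolean tooOld = now.isAfter(s.created.plus(absoluteTimeout));
        if (idle || tooOld) {
            sessions.remove(id);
            return Optional.empty();
        }
        s.lastSeen = now;
        return Optional.of(s.userId);
    }

    // Logout must invalidate on the server; deleting the token on the device is not enough.
    public void invalidate(String id) {
        if (id != null) sessions.remove(id);
    }

    public static void main(String[] args) {
        SessionStore store = new SessionStore(Duration.ofMinutes(15), Duration.ofHours(8));
        Instant t0 = Instant.parse("2024-01-01T09:00:00Z");

        String sid = store.create("user42", t0);
        System.out.println(store.validate(sid, t0.plus(Duration.ofMinutes(10)))); // Optional[user42]
        System.out.println(store.validate(sid, t0.plus(Duration.ofMinutes(30)))); // Optional.empty (idle)

        String sid2 = store.create("user42", t0);
        for (int m = 10; m <= 480; m += 10) store.validate(sid2, t0.plus(Duration.ofMinutes(m))); // active
        System.out.println(store.validate(sid2, t0.plus(Duration.ofMinutes(485)))); // Optional.empty (absolute)

        String sid3 = store.create("user42", t0);
        store.invalidate(sid3);                                                     // logout
        System.out.println(store.validate(sid3, t0));                               // Optional.empty
    }
}
```

The test for the last point is simple and worth automating: capture a session token, log out in the app, then replay a request with the captured token through a proxy. If the server still answers, item 11 fails.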
12. Protect the OS components
Check that android:exported="false" is set on the components (activities, services, broadcast receivers, content providers) in the Android manifest when other applications are not meant to interact with them. Where a component must be exported, protect it with a permission. Note that before API level 31 a component declaring an intent-filter was exported by default, and content providers were exported by default before API level 17; apps targeting API 31 or later must declare android:exported explicitly on every component that has an intent-filter.
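A manifest fragment, added as an example and not taken from the original post or from Entersoft, showing an internal activity left exported by an intent-filter next to its corrected form, plus a provider and receiver locked down with a signature-level permission. The package, component and permission names are constructed.

```xml
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">

    <!-- Signature permission: only apps signed with the same key can be granted it -->
    <permission
        android:name="com.example.app.permission.INTERNAL"
        android:protectionLevel="signature" />

    <application>

        <!-- Launcher activity: has to be exported, and targetSdk 31+ requires the
             attribute to be explicit on any component that carries an intent-filter -->
        <activity android:name=".MainActivity" android:exported="true">
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />
                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>

        <!-- BEFORE: internal screen with an intent-filter and no exported attribute.
             On older targets the intent-filter made it exported by default, so any app
             could start it with
               adb shell am start -a com.example.app.OPEN_ADMIN
             and skip the login screen entirely.
             <activity android:name=".AdminPanelActivity">
                 <intent-filter>
                     <action android:name="com.example.app.OPEN_ADMIN" />
                 </intent-filter>
             </activity>
        -->

        <!-- AFTER: reachable only from inside the app -->
        <activity android:name=".AdminPanelActivity" android:exported="false" />

        <!-- Content provider: not exported; no other app can query or insert -->
        <provider
            android:name=".data.NotesProvider"
            android:authorities="com.example.app.notes"
            android:exported="false" />

        <!-- Receiver that must accept broadcasts from a companion app signed with the
             same key: exported, but gated behind the signature permission -->
        <receiver
            android:name=".SyncReceiver"
            android:exported="true"
            android:permission="com.example.app.permission.INTERNAL">
            <intent-filter>
                <action android:name="com.example.app.SYNC" />
            </intent-filter>
        </receiver>

    </application>
</manifest>
```

To verify on a built APK rather than on source, dump the merged manifest (`aapt dump xmltree app.apk AndroidManifest.xml` or `apkanalyzer manifest print app.apk`) and list every component with exported="true"; each one needs a documented reason and, usually, a permission.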
13. Implementing password policy
Most mobile apps still use weak password policies. Enforcing a minimum password length of 8 and requiring at least one numeric, one uppercase, one lowercase and one special character provides security at the human level. Also reject passwords that appear in known-breach lists; current guidance (NIST SP 800-63B) weighs length and breach screening above composition rules.
14. Implement Captcha
To prevent brute-force attacks, apps should implement a CAPTCHA such as Google's reCAPTCHA on login and registration, combined with server-side rate limiting and lockout or back-off per account and per source, since a CAPTCHA on its own can be outsourced or solved.