Android Security & User Privacy — Part 1

Kalyan Dechiraju
4 min read · Feb 7, 2022

Photo by Matthew Henry on Unsplash

Security and user privacy are key aspects that will help a product or app succeed. In the case of mobile applications, while platforms do the heavy lifting in terms of security, it is also on us, developers, to secure our product and protect our users’ data. In this brief post, I will talk about what we as developers can do by leveraging platform-provided options properly to enhance the security of our applications.

Before we go further into the details, we have to understand that the level of security to implement depends on your use case. For example, a to-do app need not encrypt all the user’s tasks before saving them to disk. But if it’s a payment application, it would be wise to save the user’s credit card information in a much more secure manner. With that said, let’s dive deep.

User Privacy

Let’s begin with user privacy and what we can do to ensure users’ data is secure and private. We need not worry much about this segment, as this is something completely in our control. Simply put, if we don’t need it, we don’t access it. Secondly, by following the best practices suggested by the platform, we can ensure the users’ data is safe and gain the confidence of our audience.

Some of the best practices in terms of privacy:

Keep an eye on when and how we access the user’s location.

Whenever we access the location, the user gets notified with an icon in the status bar, and the latest versions of both Android and iOS offer options in settings to check which apps have accessed the device location recently. Unlike in the earlier versions, there is no playing around with a user’s location. Unless it’s a specific use case, we should avoid accessing the location. We should also evaluate the level of location granularity that our app needs. In most use cases, coarse location access should be sufficient.

Pay attention to permissions

One of the key ways to gain user confidence is to request as few permissions as possible. As we keep updating the app with more and more new features, it is important to re-evaluate which permissions are still relevant and drop the ones we don’t need anymore. From Android 11 onwards, Android offers some interesting APIs that can audit the data accessed by our apps and the third-party libraries that we include.

Read more: Audit access to data | Android Developers
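One way to use the Android 11 data access auditing API mentioned above, as an added example that is not code from the original post. The class name `AuditedApp` and the log tag are hypothetical, and the class is assumed to be registered as the application class in the manifest.

```kotlin
import android.app.AppOpsManager
import android.app.Application
import android.app.AsyncNotedAppOp
import android.app.SyncNotedAppOp
import android.os.Build
import android.util.Log

// Hypothetical Application subclass (name is an assumption for this example).
class AuditedApp : Application() {

    override fun onCreate() {
        super.onCreate()
        // Data access auditing exists only on Android 11 (API level 30) and later.
        if (Build.VERSION.SDK_INT < Build.VERSION_CODES.R) return

        val callback = object : AppOpsManager.OnOpNotedCallback() {
            // Our process, including any bundled library, read private data
            // through a synchronous platform call: capture the call site.
            override fun onNoted(op: SyncNotedAppOp) =
                report(op.op, op.attributionTag, callSite())

            // Rare case: the app itself noted an op with its own UID.
            override fun onSelfNoted(op: SyncNotedAppOp) =
                report(op.op, op.attributionTag, callSite())

            // Access happened later than the API call (for example a registered
            // listener firing), so the system supplies a message instead of a stack.
            override fun onAsyncNoted(op: AsyncNotedAppOp) =
                report(op.op, op.attributionTag, op.message)
        }
        getSystemService(AppOpsManager::class.java)
            ?.setOnOpNotedCallback(mainExecutor, callback)
    }

    // A few stack frames are enough to tell which SDK or feature made the call.
    private fun callSite(): String =
        Throwable().stackTrace.drop(1).take(8).joinToString("\n") { "  at $it" }

    // Logs the operation name (such as "android:coarse_location") and where it
    // came from, never the private data itself.
    private fun report(op: String, attributionTag: String?, origin: String) {
        Log.w(TAG, "Private data access: op=$op tag=${attributionTag ?: "none"}\n$origin")
    }

    private companion object {
        const val TAG = "DataAccessAudit" // hypothetical log tag
    }
}
```

Running a debug build with this callback shows which permission-guarded operations fire and from which call sites, which helps decide which permissions can be dropped.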

Unique identifiers that we use to identify users or devices

It is very common for our apps to track or identify a user or device for various analytics, and some of us use the device’s built-in identifiers like the IMEI and serial number for this purpose. Of course, as we target Android 10 or higher, accessing them would throw a `SecurityException`. But in older versions, we should be aware of what’s private to a user and respect that privacy. Android provides identifiers that are secure to use for nearly all the use cases that fall into these categories. For example, we should use an Advertising ID for user profiling or targeting ads. Android also offers a Secure Android ID to share state between apps that we own without requiring a user to sign in. For almost all the other use cases, we can generate a simple GUID and use it for other analytics purposes.

Apart from these, there are other things to keep in mind like:

  • Letting the user know when we collect sensitive data that we intend to use for making the product better or anything similar.
  • Nowadays, Android shows an indicator in the status bar when the camera or the microphone is accessed. So we should make sure to end recording sessions properly, and it is wise to ask for permission only when a user accesses the feature that requires camera or microphone access.
  • Last but not least, avoid logging private data in the logcat messages or the log files of your app.

These are some of the important and basic things to adhere to before publishing our apps to gain users’ confidence about their privacy.

In part 2 of this post, find out more about how we can improve our app security.

Thank you for reading. If you are interested in topics like these, check out my podcast on Android Development: ReActivity | Android Developer Podcast
