Android Security & User Privacy — Part 2

Kalyan Dechiraju
Feb 7, 2022


Security and user privacy are key aspects that help a product or app succeed. In the case of mobile applications, while platforms do the heavy lifting in terms of security, it is also on us, the developers, to secure our product and protect our users’ data. In this brief post, I will talk about what we as developers can do to enhance the security of our applications by properly leveraging platform-provided options.

Before we go further into the details, we have to understand that the level of security to implement depends on your use case. For example, a to-do app need not encrypt all the user’s tasks before saving them to disk. But if it’s a payment application, it would be wise to save the user’s credit card information in a much more secure manner. With that said, let’s dive in.

App Security

In the first part of this post, we saw how we can improve user privacy in our apps. Now let us focus on improving app security.

Secure your Network Connections

The first and foremost point that I want to discuss in this section is secure network connections. It’s 2022, and it is almost a sin to run a server, or connect to one, that only offers HTTP endpoints. When services like Let’s Encrypt are available free of cost, there is no reason not to enable SSL for your endpoints. Unencrypted traffic is very easy to monitor with the plethora of tools available for free. In case you haven’t already, take a couple of days and enable SSL on your server. If the application’s security is crucial, we can also consider adding certificate pinning to avoid man-in-the-middle attacks. Android also provides a network security configuration that allows us to configure custom CAs and even self-signed certificates.
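As an added example (not code from the original post), the Python script below audits a network security configuration file for the settings discussed above: cleartext HTTP, trust in user-installed CAs outside `debug-overrides`, and pin sets that lack a backup pin or contain a malformed pin. The sample XML, the host name and the pin value are constructed placeholders.

```python
import base64
import xml.etree.ElementTree as ET
# Constructed sample of a permissive config; the pin is a placeholder, not a real key hash.
WEAK_CONFIG = """\
<network-security-config>
  <base-config cleartextTrafficPermitted="true">
    <trust-anchors>
      <certificates src="system" />
      <certificates src="user" />
    </trust-anchors>
  </base-config>
  <domain-config>
    <domain includeSubdomains="true">api.example.com</domain>
    <pin-set><pin digest="SHA-256">PLACEHOLDER_NOT_A_REAL_PIN</pin></pin-set>
  </domain-config>
  <debug-overrides>
    <trust-anchors><certificates src="user" /></trust-anchors>
  </debug-overrides>
</network-security-config>
"""

def is_sha256_pin(value):
    """A pin must be the base64 encoding of a 32-byte SHA-256 digest."""
    try:
        return len(base64.b64decode(value.strip(), validate=True)) == 32
    except ValueError:  # binascii.Error is a ValueError subclass
        return False

def audit(xml_text):
    """Return a list of findings for one network security config document."""
    root = ET.fromstring(xml_text)
    findings = []
    # <debug-overrides> applies only to debuggable builds, so it is not audited.
    for scope in root.findall("base-config") + root.findall(".//domain-config"):
        if scope.get("cleartextTrafficPermitted") == "true":
            findings.append(f"{scope.tag}: cleartext HTTP permitted")
        for cert in scope.findall("trust-anchors/certificates"):
            if cert.get("src") == "user":
                findings.append(f"{scope.tag}: trusts user-installed CAs")
        for pin_set in scope.findall("pin-set"):
            pins = pin_set.findall("pin")
            if len(pins) < 2:
                findings.append(f"{scope.tag}: pin-set has no backup pin")
            if not all(is_sha256_pin(p.text or "") for p in pins):
                findings.append(f"{scope.tag}: pin is not a base64 SHA-256 digest")
    return findings
if __name__ == "__main__":
    print("\n".join(audit(WEAK_CONFIG)))
```

A release configuration that sets `cleartextTrafficPermitted="false"`, trusts only `system` certificates and carries two valid pins per pinned domain produces no findings.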

Read more: Network security configuration | Android Developers

Store sensitive data securely

For most use cases, we can save the data generated by the app in the device’s internal storage, which is private and sandboxed to our app. Typical examples are our databases, cache directory and shared preferences. While this is secure on modern devices, a rooted device would give the user or other apps access to this storage. Hence we should consider encrypting sensitive data like access tokens and secrets. Jetpack provides an encryption library that can encrypt both shared preferences and files and is super easy to implement.

Read more: Security | Android Developers

Safeguard against Security Threats

While we are on the topic of rooted devices, let’s talk about what we can do on that front. Encrypting the app’s tokens before storing them reduces the risk on rooted devices. However, if your application needs more security, say a banking or an enterprise application, you would want to check whether the device is safe to install your app on. For this exact use case, Google offers a bunch of APIs under the SafetyNet library. It has four different offerings:

  • Attestation API for checking the device integrity. This API not only checks the root access status but also performs other integrity checks, such as whether the device has a custom ROM or an unlocked bootloader.
  • Safe Browsing API to check if any specific URL the app is connecting to is malicious.
  • reCAPTCHA API that helps avoid malicious traffic and attacks like DDoS.
  • Verify apps API, which can check if there are any malicious apps on the device before enabling certain features of the app.

Overall, this is a powerful library that solves specific use cases which would be hard to achieve otherwise. Apps that need this level of secure environment can leverage this offering and improve their security.

Read more: Protect against security threats with SafetyNet | Android Developers

Protect against Reverse Engineering

One last topic that I want to discuss is keeping sensitive data in the code. We must be aware that reverse engineering is easier on Android than on other platforms, so we should keep in mind that our code will be available for other developers to read. But we can make it difficult to break into. The first step in this direction is obfuscating our code. By enabling R8 in our project we can not only obfuscate the code but also shrink unused code and resources and optimize the code to reduce the DEX file size. I have also seen developers put sensitive data in the native C++ layer of the code, which makes it even harder to reverse engineer. But the best way is to avoid keeping sensitive data in the code.

These are some of the important topics that can improve the security of the app. There is an extensive guide on the Android developers portal about all the best practices for user privacy and security. It offers other suggestions like granting one-time permission while sharing a resource between apps, how to use new scoped storage access and many more. Make sure to read that section for more tips.

Thank you for reading. If you are interested in topics like these, check out my podcast on Android Development: ReActivity | Android Developer Podcast
