Android Security Checklist
The key aspects of any successful app project are design, functionality, performance and security. Of these, security is the one most often overlooked.
App security is not considered important until it's too late.
In this article we will look at how to improve security for some basic use cases. Security requirements are unique to each app, so the solutions will differ, but here we will discuss the best ways to securely handle some common use cases.
Before we start, I would like to say that following these steps will add more layers of security to your app, but by no means will it make the app unhackable. I personally believe that nothing is theoretically unhackable: no matter how much security is in place, someone with enough skill, resources, patience and determination will be able to break through it.
What we can do is add enough layers of security that no average Joe can find and exploit a vulnerability, and make it hard enough that most people with the skills but not the determination will give up because the reward isn't worth the effort.
Storing user access token/refresh token
To securely store a user's access token, refresh token or any other sensitive value received at runtime, we used to have to encrypt the string ourselves and store it in shared preferences. Around a year ago Google introduced, as part of Jetpack, a new way to store data securely backed by the Keystore; you can read more about it here and here.
You can also use the Keystore to generate a random key at runtime and keep it there; that key can then be used to encrypt and decrypt any data or files.
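The two approaches above side by side, as an added example that is not code from the original article: tokens go into Jetpack Security's EncryptedSharedPreferences (master key held in the Android Keystore), and a separate AES-GCM key generated inside the Keystore encrypts arbitrary bytes. The preference file name, key alias and preference keys are placeholders chosen for this example; it assumes the androidx.security:security-crypto dependency and API level 23 or higher.

```kotlin
import android.content.Context
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyProperties
import androidx.security.crypto.EncryptedSharedPreferences
import androidx.security.crypto.MasterKey
import java.security.KeyStore
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey
import javax.crypto.spec.GCMParameterSpec

// Token storage: values are encrypted at rest with a Keystore-backed master key.
class TokenStore(context: Context) {
    private val masterKey = MasterKey.Builder(context)
        .setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
        .build()

    private val prefs = EncryptedSharedPreferences.create(
        context,
        "auth_prefs",               // placeholder file name
        masterKey,
        EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
        EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM
    )

    fun save(accessToken: String, refreshToken: String) {
        prefs.edit()
            .putString(KEY_ACCESS, accessToken)
            .putString(KEY_REFRESH, refreshToken)
            .apply()
    }

    fun accessToken(): String? = prefs.getString(KEY_ACCESS, null)
    fun refreshToken(): String? = prefs.getString(KEY_REFRESH, null)

    // Wipe both tokens on logout so they do not outlive the session.
    fun clear() = prefs.edit().clear().apply()

    private companion object {
        const val KEY_ACCESS = "access_token"    // placeholder preference keys
        const val KEY_REFRESH = "refresh_token"
    }
}

// Runtime-generated AES key that never leaves the Keystore; use it for files or
// other blobs that do not fit in shared preferences.
object KeystoreCrypto {
    private const val ALIAS = "app_data_key"     // placeholder key alias
    private const val KEYSTORE = "AndroidKeyStore"
    private const val TRANSFORMATION = "AES/GCM/NoPadding"
    private const val IV_LEN = 12
    private const val TAG_BITS = 128

    // Returns the existing key or generates one on first use.
    private fun key(): SecretKey {
        val ks = KeyStore.getInstance(KEYSTORE).apply { load(null) }
        (ks.getKey(ALIAS, null) as? SecretKey)?.let { return it }
        val gen = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, KEYSTORE)
        gen.init(
            KeyGenParameterSpec.Builder(
                ALIAS,
                KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT
            )
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .setKeySize(256)
                .build()
        )
        return gen.generateKey()
    }

    // Output layout: 12-byte IV followed by ciphertext + GCM tag.
    fun encrypt(plain: ByteArray): ByteArray {
        val cipher = Cipher.getInstance(TRANSFORMATION)
        cipher.init(Cipher.ENCRYPT_MODE, key())   // Keystore picks a fresh random IV
        return cipher.iv + cipher.doFinal(plain)
    }

    fun decrypt(blob: ByteArray): ByteArray {
        val iv = blob.copyOfRange(0, IV_LEN)
        val body = blob.copyOfRange(IV_LEN, blob.size)
        val cipher = Cipher.getInstance(TRANSFORMATION)
        cipher.init(Cipher.DECRYPT_MODE, key(), GCMParameterSpec(TAG_BITS, iv))
        return cipher.doFinal(body)   // throws AEADBadTagException if the blob was tampered with
    }
}
```

Letting the Keystore choose the IV (rather than supplying one) matters: reusing an IV with the same AES-GCM key breaks its confidentiality and integrity guarantees, and the Keystore refuses a caller-supplied IV for this key by default.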
Storing API/server/SDK keys
Server or SDK keys, or any other value that must be available in code at compile time, end up embedded in the app, and hardcoding them as plain strings is a bad idea because they can be easily extracted by reverse engineering (yes, even if you use ProGuard/R8 for obfuscation).
There are quite a few options for storing such keys in code, but the most secure option (excluding paid third-party solutions) is to store them in the NDK, and for one more layer of security, store them in encrypted form in the NDK and decrypt them at runtime.
This article nicely demonstrates how to store such keys in the NDK.
SSL pinning
This is one of the most important things to do to protect against man-in-the-middle attacks, but discuss it with your backend team before implementing it, as it will restrict their ability to rotate certificates.
There are three ways to implement SSL pinning:
- via a TrustManager
- using CertificatePinner with OkHttp, for libraries that use its HTTP client (e.g. Retrofit)
- Network Security Configuration (API 24 and above only)
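The OkHttp CertificatePinner option from the list above, as an added example that is not code from the original article. The hostname and the two pin values are placeholders: replace them with your API host and the SHA-256 hashes of your certificates' SubjectPublicKeyInfo. The second pin is the backup that addresses the rotation concern raised above; it belongs to a certificate or key the backend team has already prepared but not yet deployed.

```kotlin
import okhttp3.CertificatePinner
import okhttp3.OkHttpClient
import okhttp3.Request
import javax.net.ssl.SSLPeerUnverifiedException

// Placeholders: real host and real SPKI pins go here.
private const val API_HOST = "api.example.com"
private const val PRIMARY_PIN = "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="
private const val BACKUP_PIN = "sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB="

// Build one client for the whole app; pass it to Retrofit.Builder().client(...)
fun pinnedClient(): OkHttpClient {
    val pinner = CertificatePinner.Builder()
        .add(API_HOST, PRIMARY_PIN)   // pin currently deployed
        .add(API_HOST, BACKUP_PIN)    // backup pin so a rotation does not brick the app
        .build()
    return OkHttpClient.Builder()
        .certificatePinner(pinner)
        .build()
}

// A request made through the pinned client. If the chain presented by the
// server matches neither pin, OkHttp aborts the handshake before any request
// bytes are sent and throws SSLPeerUnverifiedException.
fun fetchProfile(client: OkHttpClient): String? {
    val request = Request.Builder()
        .url("https://$API_HOST/v1/profile")   // hypothetical endpoint
        .build()
    return try {
        client.newCall(request).execute().use { response ->
            if (response.isSuccessful) response.body?.string() else null
        }
    } catch (e: SSLPeerUnverifiedException) {
        // Pin mismatch: either an interception attempt or a certificate the
        // pins do not cover. Do not fall back to an unpinned client here;
        // surface the failure and log it for investigation.
        null
    }
}
```

Two practical notes: the exception message OkHttp produces on a mismatch lists the pins of the chain the server actually presented, which is the easiest way to collect pin values during development; and pinning an intermediate CA's key instead of the leaf survives ordinary leaf renewals, at the cost of trusting everything that CA issues for the host.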
Database
On Android it is extremely easy for an attacker to pull data out of the database, so if possible don't store any sensitive data in the database. If you must store such data, make sure it is stored encrypted.
SQL injection is ranked number one in the OWASP Top 10, so to protect against it don't build queries from unsanitised input. Use the Room library: it is built on SQLite, offers more flexibility, and provides a layer of protection against SQL injection because, when used with annotations, it generates parameterised (sanitised) query code for you.
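The difference between a concatenated query and a parameterised one, as an added example that is not code from the original article. The `users` table, the `User` entity and the DAO are constructed for this example; it assumes the androidx.room dependencies and a database class that exposes `UserDao`.

```kotlin
import android.database.Cursor
import android.database.sqlite.SQLiteDatabase
import androidx.room.Dao
import androidx.room.Entity
import androidx.room.PrimaryKey
import androidx.room.Query

@Entity(tableName = "users")
data class User(
    @PrimaryKey val id: Long,
    val username: String,
    val email: String
)

// VULNERABLE: the caller's string is spliced straight into the SQL text, so a
// value containing a single quote changes the structure of the statement
// instead of being treated as data.
fun findUserUnsafe(db: SQLiteDatabase, username: String): Cursor =
    db.rawQuery("SELECT * FROM users WHERE username = '$username'", null)

// Safer raw SQLite: the value is bound to a "?" placeholder, so the statement
// structure is fixed before the input is ever seen.
fun findUserBound(db: SQLiteDatabase, username: String): Cursor =
    db.rawQuery("SELECT * FROM users WHERE username = ?", arrayOf(username))

// Room: every ":name" in the @Query string becomes a bound parameter in the
// generated implementation, and the SQL itself is validated at compile time.
@Dao
interface UserDao {
    @Query("SELECT * FROM users WHERE username = :username")
    suspend fun findByUsername(username: String): User?

    // LIKE patterns are still bound; only the pattern's wildcards are
    // interpreted, never the SQL around them.
    @Query("SELECT * FROM users WHERE email LIKE :pattern")
    suspend fun searchByEmail(pattern: String): List<User>
}
```

One caveat: binding protects values only. Table and column names cannot be bound, so if a query has to vary by column, choose from a fixed allow-list in code rather than from user input.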
Restrict the app on jailbroken/rooted devices
Add a check to your app that refuses to run on a rooted device: allowing your app to run on such a device opens up a huge risk of security loopholes being exploited by an attacker.
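A root check of the kind the section describes, as an added example that is not code from the original article. It combines the three signals most commonly used on device: a `test-keys` build, the presence of an `su` binary at well-known paths, and `su` being resolvable on the `PATH`. The path list and the app's response (refusing to start) are this example's choices, not the article's.

```kotlin
import android.os.Build
import java.io.File

object RootCheck {
    // Locations where su is typically installed; constructed list for this example.
    private val suPaths = listOf(
        "/system/bin/su",
        "/system/xbin/su",
        "/sbin/su",
        "/su/bin/su",
        "/data/local/xbin/su",
        "/data/local/bin/su",
        "/system/sd/xbin/su",
        "/system/bin/failsafe/su",
        "/data/local/su"
    )

    // Builds signed with the AOSP test keys are usually custom or rooted ROMs.
    fun hasTestKeys(): Boolean = Build.TAGS?.contains("test-keys") == true

    fun hasSuBinary(): Boolean = suPaths.any { File(it).exists() }

    // Asks the shell whether su is on the PATH. Does not execute su itself.
    fun suOnPath(): Boolean = try {
        val process = Runtime.getRuntime().exec(arrayOf("which", "su"))
        process.inputStream.bufferedReader().use { it.readLine() != null }
    } catch (e: Exception) {
        false
    } 

    // Any single signal is enough to treat the device as rooted.
    fun isRooted(): Boolean = hasTestKeys() || hasSuBinary() || suOnPath()
}

// Typical use at startup (e.g. in Application.onCreate or the launch Activity):
//
//     if (RootCheck.isRooted()) {
//         showRootedDeviceDialogAndFinish()   // hypothetical UI helper
//     }
```

These checks run on the device the attacker controls, so they are a deterrent rather than a guarantee: all three signals can be hidden by root-hiding tools or by patching the app. Treat them as one layer, keep the decision logic small so it is easy to audit, and where the risk justifies it, back them with a server-verified device integrity attestation.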
These are some basic checks you can use for your app, but I would like to add that a security audit is not a one-time activity: there is no exhaustive list of checks that would guarantee 100% security. Regular audits and keeping up with new security threats should be the ideal approach.
Thank you for reading! Feel free to say hi or share your thoughts on Twitter @that_kushal_guy or in the responses below!
Also check out my other articles: using Machine Learning with Android, and Jetpack Compose with MVVM.