Tips for Developing Secure Android Applications
Security is a major concern while developing mobile applications in today’s era. Here, I list down most common things that developers should take care to protect the application.
- Do not store private or sensitive data on SDCard. To store file on internal storage, use following methods with private mode (Context.MODE_PRIVATE) openFileOutput & openFileInput. If you wants to store data in sdcard then encrypt it. You will find many encryption libraries.
- Restrict WebView to access local data. HTML5 and related technologies have become popular to develop Mobile Web App or Hybrid app. For Hybrid uses WebView to display content from locally store HTML or fetch HTML and other content from the server. Major security concerns for WebView are setAllowFileAccess() and setAllowContentAccess() methods.
- Restrict ContentProvider using exported flag set as false. It’s not the case that every time we develop ContentProvider for data exchange between applications but ContentProvider can be developed for single application or private.
<provider android:exported=”false” android:name=”ContentProvider” android:authorities=”com.example.contentprovider” />
- Do not pass sensitive information through Broadcast & Intent. Use LocalBroadcastManager for broadcast data within process / app. LocalBroadcastManager is available in Support Library V4.
- Don’t print sensitive information in LogCat. Information like web service URL, Username, password, request, etc.
- Don’t process malicious Intents. Before process Intent received in onReceive method of BroadcastReceiver, validate callers package name, action and other information.
- Protect your Service with Permission,To Use exposed flag as false When Service is developed for your app only.
- Remove unnecessary Log before publishing app.
- Make sure that debug mode is false before publish APK.
- For cross app functionality, validate calling application before response.
- Encrypt sensitive data even if you store in internal storage.
- Properly verify server certificate TLS/SSL for HTTPS web call.
- Use NDK whenever you feel that information is not safe in Java code because It can decompile easily. (i.e. Constant).
- Use ProGuard that optimizes, shrinks and obfuscates your code.
- Remove unwanted <user-permission> from AndroidManifest.xml
- Loading classes.dex outside of application is major security risk. DexClassLoader allowed developer to load classes.dex on demand.
Hope you take care of these security tips while developing an application. Your first and foremost concern should always be the security of an application. To deliver best to the user and assure them of a secure app developed is your responsibility as an Android developer. Develop the best, receive the best response, get genuine and loyal users.
Are You Interested to Learn More About Android — Click Here