How to secure your Android application?

What is above all in your Android smartphone? Beyond any doubt it is data security. Is there any development tool to implement a reliable authentication method in an Android application? How to be sure that the user’s authorization data is in security? So security on Android was our topic during the latest local Hackathon a few weeks ago and here is briefly what we have learned. Hope these hints will be helpful if you are faced with the following tasks.

Fingerprint ID

Fingerprint scanner first appeared on Android devices long time ago but the majority of users are still afraid of using it because of risk of leakage of their biometrical data. To calm you down we can say that the risk is extremely insignificant: from a third party app it’s just impossible to get user’s fingerprints using an embedded scanner. All the fingerprints for a current device can be added only in the device settings, they’re encrypted, safely stored locally and can’t be exported or sent outside of the device. So a developer can’t create illegal dactyloscopic database and use it for his own needs.

The only thing that a developer can do is extend FingerprintManager.AuthenticationCallback abstract class, pass a child instance to the FingerprintManager’s method authenticate() and get notified whether fingerprint scanning will succeed

cryptoObject — an instance of FingerprintManagerCompat.CryptoObject that wraps Cipher initiated with generated key and used for fingerprint authentication process

cancellationSignal — an instance of CancellationSignal that used to notify FragmentManager that scanning process should be interrupted (due to Activity lifecycle for example)

AuthenticationCallback’s methods aren’t abstract so you can use whichever you need:

Sounds not really complicated and it actually is. For more implementation details you can see this tutorial.

Face Recognition

The vast majority of Android developers as well as the Internet community itself do not clearly distinguish between “Face Detection” and “Face Recognition”. The goal of the first one is to detect whether the part of image (or camera frame) is actually a human’s face. And a quite different task is to recognize whose exactly this face is. Unfortunately face recognition on Android is still carried out by different algorithms of analysis of bitmap. Image processing is one of the most resource-intensive operations so Java is definitely not the environment you want to use for this. On Android only the NDK can provide fast and effective recognition analysis. To reach this goal you can spend years on development of your own algorithm or ask OpenCV for help or any other native library.

Of course the NDK causes significant architectural restrictions but there is something to avoid native code. There are a lot of third party cloud services that can provide face recognition for you. For instance Microsoft Azure. Using it you can make an API call to detect and compare faces instead of local calculations — it guarantees that recognition will be performed regardless of device model and hardware level. And you can wrap it a bit. Use Google Mobile Vision to perform basic face detection, then do recognition API calls in the background, add some fancy animations and nobody can guess that you are cheating :) But the main disadvantage is that these services are chargeable.

Anyway bitmap analysis is hardly as effective as recognition with using of additional sensors (infrared, for instance) which Android devices do not yet have.

Voice Recognition

Here is the similar terms problem as with faces. Speech Recognition is about a recognition of human’s speech to convert it to the char sequences. Voice or Speaker Recognition is a personalized recognition of the voice. Unfortunately Google doesn’t provide any tools for implementation of a second one. But there are two interesting facts:

  • Google Assistant knows how to distinguish voices of different people but this possibility isn’t available for developers for now.
  • Early Lollipop versions of Android had a feature called “Trusted Voice” that allowed a user to unlock his device using his own voice. But in some of updates this feature mystically disappeared.

I hope Google will share the magic of voice recognition with developers soon. For now you can use the same third-party services.

Secure Storage

Passwords, session tokens, recognition hash values — all this in no case can be stored, and even more so, transmitted in explicit form. It’s pretty enough to use Cipher for data encryption. Encryption method is up to your choice. But well known AES and RSA are still extremely safe for usage in the Android applications. With this encryption level you can store your public keys even in SharedPreferences. RSA encryption unlike AES requires a secret key generated and SharedPreferences is not really appropriate place to store it. For private secret keys Android provides Android Keystore System that available since API 18. It is a special secure storage and the key once stored in it can’t be somehow exported back but it still can be used for the encryption/decryption process. Here is a simple example of a utility-class that uses all these technologies to encrypt data:

alias — is an ID of your encrypted string which you can use to access it.

Below is another utility-class to decrypt encrypted data: