Guarding Your Android App: A Glance at Android App Security
Design. Code. Secure. Repeat.
We all know that Android is designed for all — open-ended, for developers, for users, and this openness provides you with a lot on mobile technologies for better today and tomorrow. However, with openness also comes security risks that need to be handled properly.
Security is a prime concern for every one of us. Whether it’s our personal data, email, phone numbers, credentials, communications between servers, firmware, and more — we want to keep our information safe.
As an Android developer, it is crucial that you build apps with security in mind from the ground up. Users trust your apps with sensitive data and expect their privacy and security to be respected.
In this blog, I will cover the basics and best practices to follow while we are developing an Android application in terms of security, specifically.
Let’s move ahead to explore what security measures your Android app should seek to implement:
- Protect app and user data
- Protect system resources (including the network)
- Provide app isolation from the system, other apps, and from the user
Secure coding practices
As developers, we knowingly or unknowingly follow certain practices to keep security in mind when building our applications. While there are many specific scenarios to dive into, I’ll cover some of the basics:
- Access control
Access control is a fundamental aspect of application security that plays a critical role in protecting sensitive data and ensuring that only authorized users can interact with an application or its resources. - Password management
Employing multi-factor authentication and other modern password management practices enhances security, prevents phishing, enables secure remote access, and limits data breach impact. - Error handling and logging
These are integral components of application security that are often overlooked. Carefully considering what to log and how to measure a proper error event helps you identify, mitigate, and respond to security incidents quickly. Make sure you are not logging sensitive data that is exposed to error occurrence. - System configuration
Develop a virtue to clear your system of any unnecessary files, folders, and non-usable project components and ensure all working software is updated with current versions and patches. Secure your development and production environment before heading towards the Google Play store release. Practice working on the latest versions of the development platforms and their patches.
Software updates include patches that fix vulnerabilities, making regular updates one of the most vital, secure coding practices. This practice may help your business to keep on top of updates.
- Threat modeling (document, locate, address, and validate)
Certain aspects are analyzed when designing the system architecture, especially evaluating what potential threats exist and how impactful their exploitation would be. Threat modeling is a multi-stage process that should be integrated into different phases of the development life-cycle, but ideally, you should prepare a threat model at the planning phase and refine it throughout the SDLC, such as documenting the threat, locating it, addressing it, and validating it. - Cryptographic practices
There are many cryptographic methods, each with their own pros and cons. The goal is to choose one that fits your specific security needs, implement it as an added control rather than the only one, and continually review and upgrade over time rather than blindly relying on it indefinitely without testing for vulnerabilities that may emerge. Here’s detailed information you’d love to explore. You must already have been following some of them — Refine it. - Input validation
Ever thought if any misleading data input from the user could break the shield of our security? To address this concern, it’s essential to understand not just what to validate but also how to do it effectively. Here are key points to ensure robust input validation:
- Centralized input validation routine for the application
- Expected data types
- Data range/ data length
- Validate data from redirects
- Any validation failures should result in input rejection; there is never a point of an assumption in the programming world.
Best practices to keep in mind
- Disallow access to your app’s content providers.
<provider
android:name="androidx.core.content.FileProvider"
android:authorities="${applicationId}.provider"
android:exported="false" <!-- Key point to include -->
android:grantUriPermissions="true">
<!-- Example Meta data -->
<meta-data
android:name="android.support.FILE_PROVIDER_PATHS"
android:resource="@xml/provider_paths" />
</provider>- Configure network security
Without changing any of your app code, this process could be followed as:
1. Declare your file in manifest.xml .
<manifest ... >
<application
android:networkSecurityConfig="@xml/network_security_config"
... >
<!-- Place child elements of <application> element here. -->
</application>
</manifest>2. What’s in network_security_configthere?
<network-security-config>
<domain-config cleartextTrafficPermitted="false">
<domain includeSubdomains="true">secure.example.com</domain>
...
</domain-config>
</network-security-config>This enforces to use of only HTTPS content. Also, during the development process, you can opt-in to allow user-installed certificates for debug and staging environments without affecting the final production release version:
<network-security-config>
<debug-overrides>
<trust-anchors>
<certificates src="user" />
</trust-anchors>
</debug-overrides>
</network-security-config>- Mind
android:exportedattribute:
Whatever the component, i.e., activity, broadcast receiver, service, etc., can be launched by the other components of the application.
Iftrue, any app can access the activity and launch it by its exact class name.
Iffalse, only components of the same application, applications with the same user ID, or privileged system components can launch the activity.
Not setting this attribute explicitly carries the risk of having different default values between some devices.
- Implicit intent hijacking
Implicit intent hijacking occurs when a developer mistakenly includes a wildcard entry while invoking an Intent without specifying the fully qualified component name or class name. This oversight could enable a malicious application to register an intent filter, intercepting the intended action. Such misguided activity by the developer can leak sensitive information/data or launch attacker-controlled components.
The right way to invoke the intent is as follows:
val intent = Intent("android.intent.action.CREATE_DOCUMENT").apply {
addCategory("android.intent.category.OPENABLE")
setPackage("com.<YourOrganization>.<YourPakagename>")
setType("*/*")
putExtra("android.intent.extra.LOCAL_ONLY", true)
putExtra("android.intent.extra.TITLE", "<Your Any String>")
}
startActivity(intent)- Prevent Tapjacking and data obfuscation
Tapjacking attacks are used to trick users into performing certain actions.
Risk: Full occlusion
In full occlusion, the attacker overlays the touch area to hijack the touch event. Full occlusion is prevented by settingView.setFilterTouchesWhenObscured(true)in the code. This block touches passed by an overlay. If you prefer a declarative approach, you can also addandroid:filterTouchesWhenObscured="true"the layout file for theViewobject that you want to protect.
Risk: Partial occlusion
In the end, it doesn’t seem to be rocket science to understand and mitigate the Tapjacking. :)
Conclusion
It takes consistent effort and dedication to protect your application from any security vulnerabilities. For more insights on this topic, you can refer to this checklist (keep this handy, you will need this). This checklist is a pro-max resource, covering all key points to ensure a steadfast commitment to security without compromise.
For more updates on the latest development trends, follow the Simform Engineering blog.
