The app which is being downloaded from the Play Store must be secure. Insecure can lead to loss of data and make you lose customers. The Play Store app must be secure, and developers consider this factor while designing the app. Android Studio can help developers to ensure security.
Enforce secure communication
The app’s stability can be enhanced by protecting the data exchanged with other apps, websites, etc.
Show an app chooser
An app chooser can be explicitly shown when there is an intent to launch around two possible apps to the user device. This allows users to ensure safer data transfer to the apps they can trust.
Apply for permissions based on signature
If you plan to share information among two apps, you can use signature permissions. They check whether the same signing key signs the apps which access the data. They don’t need user confirmation. This permission provides a secure and streamlined user experience.
(Source: https://developer.android.com/codelabs/android-network-security-config#0)
Disallowing access to the app’s content providers
It is suggested that you don’t send data to other apps downloaded from the Play Store you don’t own. You must disallow other apps from reading the ContentProvider objects of your app. It is an essential factor if the app is fit on devices with Android 4.1.1 (API level 16) or lower. The android:exported attribute of the <provider> element can be true by defaulting on these Android versions.
(Source: https://www.raywenderlich.com/10056112-securing-network-data-tutorial-for-android)
Request for credentials before revealing sensitive information
You must request the user credentials when they try to access the premium content or sensitive data in the app. You can ask for the password / PIN / pattern. Any biometric credential like a fingerprint or facial recognition is ideal too.
Applying network security procedures
We will now discuss how to enhance app security.
Using SSL traffic
There can be instances when the app will communicate with any web server. It must be allowed only if the server has the certificate declared by a renowned Certificate Authority. HTTPS request is straightforward and is an essential consideration for Android development.
Add a network security configuration
If the app uses new CAs, the network’s security settings can be declared in any configuration file. The configuration can be created without any modification to the app code.
If the app utilises new or custom CAs, you can assert your network’s security settings in any configuration file. The process permits you to build the configuration without changing any app code.
For adding any security configuration file to the app, you must go through these steps:
- Declaring configuration in the app’s manifest:
- Add any XML resource file found at res/xml/network_security_config.xml.
- Specifying all traffic to specific domains must use HTTPS through disabling clear-text:
During development, the developers use the <debug-overrides> element to allow certificates to be installed by the user. The element will override the app’s critical security options during the debug and test processes without impacting the app’s release configuration.
Create the trust manager
The chosen SSL checker must not accept all certificates. You can create trust manager for handling the SSL warnings which occur if any of these conditions apply to the use case:
- Communicate using a web server with a certificate which was signed by a custom CA.
- Your device cannot trust the CA.
- You cannot utilise any network security configuration.
WebView objects must be used with care
You must only load the allow listed content in the WebView objects. Moreover, WebView objects in must not allow the users to find the way to the sites, not in your immediate control.
Developers must not facilitate JavaScript interface support except they can fully trust and control content in the WebView objects of the app.
Using HTML message channels
There can be conditions when the app should utilise JavaScript interface assistance on the devices which run on Android 6.0 (API level 23) and higher. In this scenario, it is essential to use HTML message channels. Don’t communicate between your app and any website.
Providing the correct permissions
The Play Store app must ask for the lowest possible number of clearances required for proper functioning. If possible, the app must abandon a few permissions if they aren’t needed anymore.
Using intents to defer permissions
If possible, you should not add permission to the app to finish an action which can be finished in another app. Instead, you must utilise an intent to postpone request to another app with the required permission.
Sharing the information securely across apps
Developers must follow some best practices to share their app’s content with different apps securely:
Enforce write-only or read-only permissions when required.
Provide the clients with one-time access to the information by applying the FLAG_GRANT_WRITE_URI_PERMISSION and FLAG_GRANT_READ_URI_PERMISSION flags.
When you wish to share data, use “content://” URIs, not “file://” URIs. The instances for FileProvider can help.
Safe data storage
The app may need access to critical user data. The users will allow your app to access the data if they believe in your safety processes.
Storing confidential data at the internal storage
The private user data must be stored at the internal storage of the device, which is sandboxed for every Play Store app.
The app need not ask for consent to view these files. Other apps cannot read these files.
If user uninstalls the app, then the device will delete all the files the app had saved in the internal storage.
