Android App Security considerations

1_94zv6KqyFA1uEWGnDoR-gw

The app which is being downloaded from the Play Store must be secure. Insecure can lead to loss of data and make you lose customers. The Play Store app must be secure, and developers consider this factor while designing the app. Android Studio can help developers to ensure security.

Enforce secure communication

Secure Communication - an overview | ScienceDirect Topics

The app’s stability can be enhanced by protecting the data exchanged with other apps, websites, etc.

Show an app chooser

An app chooser can be explicitly shown when there is an intent to launch around two possible apps to the user device. This allows users to ensure safer data transfer to the apps they can trust.

Apply for permissions based on signature

If you plan to share information among two apps, you can use signature permissions. They check whether the same signing key signs the apps which access the data. They don’t need user confirmation. This permission provides a secure and streamlined user experience.

(Source: https://developer.android.com/codelabs/android-network-security-config#0)

Disallowing access to the app’s content providers

It is suggested that you don’t send data to other apps downloaded from the Play Store you don’t own. You must disallow other apps from reading the ContentProvider objects of your app. It is an essential factor if the app is fit on devices with Android 4.1.1 (API level 16) or lower. The android:exported attribute of the <provider> element can be true by defaulting on these Android versions.

(Source: https://www.raywenderlich.com/10056112-securing-network-data-tutorial-for-android)

Request for credentials before revealing sensitive information

You must request the user credentials when they try to access the premium content or sensitive data in the app. You can ask for the password / PIN / pattern. Any biometric credential like a fingerprint or facial recognition is ideal too.

Applying network security procedures

Network Security Policy | Download Scientific Diagram

We will now discuss how to enhance app security.

Using SSL traffic

There can be instances when the app will communicate with any web server. You must allow them only if the server has the certificate declared by a renowned Certificate Authority. HTTPS request is straightforward and is an essential consideration for Android development.

Add a network security configuration

If the app uses new CAs, you can declare the network’s security settings in any configuration file. You can create the configuration without any modification to the app code.

If the app utilises new or custom CAs, you can assert your network’s security settings in any configuration file. The process permits you to build the configuration without changing any app code.

For adding any security configuration file to the app, you must go through these steps:

  • Declaring configuration in the app’s manifest:
  • Add any XML resource file found at res/xml/network_security_config.xml.
  • Specifying all traffic to specific domains must use HTTPS through disabling clear-text:

During development, the developers use the <debug-overrides> element to allow certificates to be installed by the user. The element will override the app’s critical security options during the debug and test processes without impacting the app’s release configuration.

Create the trust manager

The chosen SSL checker must not accept all certificates. You can create trust manager for handling the SSL warnings which occur if any of these conditions apply to the use case:

  • Communicate using a web server with a certificate which was signed by a custom CA.
  • Your device cannot trust the CA.
  • You cannot utilise any network security configuration.

Use WebView objects with care

You must only load the allow listed content in the WebView objects. Moreover, WebView objects in must not allow the users to find the way to the sites, not in your immediate control.

Developers must not facilitate JavaScript interface support except they can fully trust and control content in the WebView objects of the app.

Using HTML message channels

There can be conditions when the app should utilise JavaScript interface assistance on the devices which run on Android 6.0 (API level 23) and higher. In this scenario, it is essential to use HTML message channels. Don’t communicate between your app and any website.

Providing the correct permissions

The Play Store app must ask for the lowest possible number of clearances required for proper functioning. If possible, you must abandon the app a few permissions if you don’t need them anymore.

Using intents to defer permissions

If possible, you should not add permission to the app to finish an action which you can finish it in another app. Instead, you must utilise an intent to postpone request to another app with the required permission.

Sharing the information securely across apps

Developers must follow some best practices to share their app’s content with different apps securely:

Enforce write-only or read-only permissions when required.

Provide the clients with one-time access to the information by applying the FLAG_GRANT_WRITE_URI_PERMISSION and FLAG_GRANT_READ_URI_PERMISSION flags.

When you wish to share data, use “content://” URIs, not “file://” URIs. The instances for FileProvider can help.

Safe data storage

The app may need access to critical user data. The users will allow your app to access the data if they believe in your safety processes.

Storing confidential data at the internal storage

You can store the private user data at the internal storage of the device, which you can sandbox for every Play Store app.

The app need not ask for consent to view these files. Other apps cannot read these files.

If user uninstalls the app, then the device will delete all the files the app had saved in the internal storage.

Leave a Reply

Your email address will not be published. Required fields are marked *