Security in Android — Cheatsheet
There are different levels of security on Android. Basically, we should protect app, user data and system resources like internet connection. Android is more and more secure with each new version, which is good news, but on the other hand, some old Android versions do not support a few security features.
Secure app
Reverse engineering on Android is pretty easy, so we ought to be aware that our code is available to read for other developers, but there are ways to make it more difficult to break.
We should definitely add obfuscation, which creates code that is difficult for humans to understand. To that end, we used ProGuard, now superseded by R8.
There are also different ways to hide sensitive data in Android applications, but each of them can be broken. Therefore we have to remember that we must not put any sensitive data in our code.
Protect user data
The next problem besides reverse engineering is rooted devices, which allow checking all data in device storage, even data in an internal app storage area. Fortunately, there is an option to check if the device is rooted.
There are different tools for checking this state. The easiest way is to use from Crashlytics that provides a method for it. Unfortunately, its implementation is very simple and only checks access to a specific file directory which can be easily manipulated.
CommonUtils.isRooted(context)A better and more advanced option is to use SafetyNet API, which provides a set of services and APIs that help protect our apps against security threats, including device tampering, bad URLs, potentially harmful apps, and fake users. You can simply add SafetyNet as a dependency:
implementation 'com.google.android.gms:play-services-safetynet:17.0.0'Then, implementing a request to get a response from SafetyNet like:
And verifying values ctsProfileMatch and basicIntegrity.
Ok, now we know if the device is rooted. What can we do more? One option is to warn the user that he/she has rooted the device and it is not safe. The second option is to restrict the use of an app on rooted devices.
Another scenario is when somebody lost his/her phone. If we want to protect user data, we should enable the option to lock access to the app. For example, we can add additional protection levels to have access to the Android app, like adding a password or fingerprint authentication.
The next topic is related to data storage. Data kept in a device is safe until somebody digs around it. If the attacker has access to the device, the user can rely on system security. Despite it, we definitely should not keep non-encrypted data. There are several tools to encrypt data, some of them are more or less advanced. For those problems, Google released Jetpack component for security. Unfortunately, it is still in alpha version, which means it is not production-ready, so we have to be patient.
implementation "androidx.security:security-crypto:1.0.0-alpha02"For more information check this page.
Safe Internet connection
We should definitely use API supporting HTTPS with TLS protocol.
Moreover, we should use one of the trusty authorization protocols (e.g. OAuth 2.0). Obviously, work here has to be done by both — mobile and backend developers. An additional thing which we should enable users is an option to invalidate session on the other devices.
Otherwise, there is always a risk that a user can use an unsafe Internet connection. Of course, we can say it is the user’s fault, but for sure we should not send sensitive data without encryption, especially user login and password, which can be used in different services.
Furthermore, we can add a solution like Certificate Pinning or Certificate Transparency which are ways to protect against the MitM attack.
More security
There are additional things which we can do to make the app more safety. First, let’s think about authorization. A great and popular solution is 2-step verification. We can add one-time passcode authentication. It does not replace normal login, but it is an additional step. You can use for it different code generators like Google Authenticator. Moreover, a good practice is to make it optional for users. A similar option is to add this verification for crucial operations in the app like transferring money
Conclusions
Attackers have a lot of possibilities to hack our apps, but thankfully we have several ways to protect them. I mentioned 4 big areas of security on Android like:
- reverse engineering
- rooted devices
- unsafe connection
- lost devices
There a few things which we have to remember:
- do not keep any sensitive data in your code
- inform the user about the rooted device
- encrypt data stored in device memory & sent to a server
- use HTTPS and trusty authorization protocol
Check out also my text about Communication between Activities and Fragments.
If you find out something useful from my articles, give me 👏🏼 and follow me.
