Very basic security tips for every Android app
Posted On July 15, 2020
Here you can find some quick tips that will allow you to make your app much safer without adding much work. This should be standard for every app, even the simplest one.
Encrypt your network communication
Nowadays this is standard and crucial for every communication over the Internet. It doesn't noticeably impact performance, but it highly boosts security thanks to the encryption of your data in transit.
Use Certificate Pinning
Certificate Pinning allows you to tell your app to trust your domain only if it presents a certificate (or public key) that is embedded inside your app. It is another step that doesn't add much work, but it makes it harder to impersonate your domain and protects against MITM attacks. Remember to plan for certificate rotation, because a pin that no longer matches the server's certificate locks your own users out.
Don’t store passwords or pins
You shouldn't store this data anywhere. The password should be verified on the server side, and you should store only the session token. If you need local authentication (for example a PIN to enter the app), store a hash instead. If the hash leaks, it will be harder to guess the user's PIN for another app (or even for their credit card). Choose a proper password-hashing algorithm (PBKDF2, bcrypt or scrypt) and use a salt. Don't trust users to take care of their own security.
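As an added example (not code from the original post) of the advice above: a small Java helper that stores a local app PIN as a salted PBKDF2 hash and verifies it in constant time. The iteration count and the algorithm name PBKDF2WithHmacSHA256 are my assumptions; that name is available on Android 8.0 (API 26) and newer, older levels only offer PBKDF2WithHmacSHA1.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/** Example helper (not from the original post): keep a salted hash of the PIN, never the PIN. */
public final class PinHasher {
    // Assumption: API 26+. On older Android levels use "PBKDF2WithHmacSHA1".
    private static final String ALGORITHM = "PBKDF2WithHmacSHA256";
    private static final int ITERATIONS = 100_000;  // assumed value; raise it as far as the device tolerates
    private static final int SALT_BYTES = 16;
    private static final int KEY_BITS = 256;

    /** What you persist instead of the PIN: a random salt plus the derived hash. */
    public static final class StoredPin {
        public final byte[] salt;
        public final byte[] hash;
        StoredPin(byte[] salt, byte[] hash) { this.salt = salt; this.hash = hash; }
    }

    private static byte[] derive(char[] pin, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(pin, salt, ITERATIONS, KEY_BITS);
        try {
            return SecretKeyFactory.getInstance(ALGORITHM).generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();  // PBEKeySpec keeps its own copy of the PIN; wipe it
        }
    }

    /** Called once when the user sets the PIN. A fresh salt per user makes equal PINs hash differently. */
    public static StoredPin create(char[] pin) throws Exception {
        byte[] salt = new byte[SALT_BYTES];
        new SecureRandom().nextBytes(salt);
        byte[] hash = derive(pin, salt);
        Arrays.fill(pin, '\0');  // don't keep the plaintext PIN in memory longer than needed
        return new StoredPin(salt, hash);
    }

    /** Called on each unlock. MessageDigest.isEqual compares in constant time (no timing side channel). */
    public static boolean verify(char[] pin, StoredPin stored) throws Exception {
        byte[] candidate = derive(pin, stored.salt);
        Arrays.fill(pin, '\0');
        return MessageDigest.isEqual(candidate, stored.hash);
    }
}
```

Persist only the salt and hash (for example in the encrypted SharedPreferences mentioned in the next section), and note that a 4-digit PIN has only 10,000 possibilities, so the hash slows an offline guess but cannot make it impossible.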
Encrypt user data
Nowadays apps collect a lot of personal user data. In Europe, the GDPR requires you to be very careful with sensitive user data, but this should be a general approach everywhere. The session token from the previous tip is also sensitive in its own way. Having an encrypted device isn't common on Android, and a device can be stolen or hacked. Also, users sometimes forget to clear their data when they sell the device. Don't be the one who allows an attacker to steal your customers' sensitive data.
To encrypt the database you can use SQLCipher, and for SharedPreferences you can use androidx.security:security-crypto.
Watch out for Android Backup mechanism
The Android Backup mechanism is turned on by default on Android. I am not sure this is a good approach. Backup data is stored on Google Drive and can be easily downloaded. Once again, don't trust your customers with security: think for them, and maybe don't send their data to a cloud that you can't control. Also, anything you have encrypted with the Android Keystore will not be restorable from a backup, because the cipher key exists only on that specific device. We don't have a sync mechanism for the Keystore like iOS has for its Keychain. A better way to back up your users' data is to store it on your own backend.
Obfuscate the code
This should be obvious, but there are still many apps in the Play Store that aren't obfuscated. Obfuscation makes your code harder to read, and ProGuard/R8 is turned on by default for a reason. Without it, everything is as readable as an open book. Attackers can easily analyze your app and your backend API, which allows them to make clones or hacked versions of your app.
Don’t show backend errors to the user
They mean nothing to the user, but they can be used by an attacker to analyze your backend API.
Use only necessary permissions
It is tempting to have access to the camera, contacts and location. But if you ask for too many permissions, users will be more distrustful of you. And whatever you have access to can also leak. Think twice before requesting a permission.
Please read the official Google Developers Security Tips.
If you want to be real security hardcore, read the OWASP Mobile Top 10.