Android Mobile App Security Standards
Smartphone penetrating is a witness great evolution in personal and professional life. We see smartphone adoption to increase from 2.1 billion devices in 2016 to 6 billion devices by 2020. Vastly smartphones market is dominated by Google Android Operating System and they have maximum share of smartphone market. It has more than 3.8 million app count has we read this article on playstore.
With such rate of increase in smartphone it becomes imperative to take security measures while designing and developing mobile application.
After all you don’t want to let hackers breach the customer data that will reside in your app and leave a very bad experience of using your App.
It is a prime importance to take security measure in order to safe guard the user data and maintain the privacy of data stored and shared through app. Having said that, as Android OS comes build built in security measure and standards that enables designers & developer to enhance the capibilities and release a more secure mobile application
Android OS has lots of security features like Security at OS through Linux Kernel, Application Sandbox, Android IPC (Inter-process communication) and Application Signing.
In this article, I will let down some of the best practices to follow to build a secure android mobile application.
So let’s get started
Communication through secure protocol
If your app is dependent on the API’s or services to fetch or save data, then all communication from the app to server should happen using secure https connection.
Internal Data storage (Application Sandboxing)
To provide protection to all apps, in layer of protection is added in android, which restricts an app from being able to access the files/resources of another app. This is known as “App Sandbox” . Having said that the App has rights to play or use files within its own assigned unique ID that is assigned by Android OS. This ensures that only the processes associated with the App unique ID can use the resources and data among themselves.
Encryption of data stored in External Storage
Most app designed have default storage of data (if required) in the default app storage directory of the app. Saving of data in default internal app storage has some advantage of application sandboxing however there might be instance that data need to be stored in external storage due to size constraint, although this is highly not recommend since you are putting the user data in risk , however if you have no other option then strictly encrypt the data using cryptography technic available . one of the most popular encryption algorithm used by developer today is AES (Advance Encryption Standard), with the key size of 256 bits.
So make sure you use encryption mechanism and store data in device external storage.
Validate User Inputs
If you app is designed to take inputs from users then it should validate and sanitize the inputs before actually storing or sending the inputs through service/api’s to server database . In some cases the data is first stored in mobile database i.e. SQLite . If you don’t validate then it is very likely that you will end up making your data vulnerable to SQL Injection attacks.
Minimize the number of app permissions
Post the release of Marshmallow, users are asked for Android OS features like camera, message, gallery, contacts and SMS. When App request for permission, user sees the system dialog box, telling user which permission is the app is trying to access. The aim of an app asking for permission is to protect the user’s privacy however depending on the feature, system might grant certain permission automatically. It is always best to keep the number of permission app request to minimum during android development
FCM over SMS
I am sure if you are an android developer, you must have come across the requirement to read SMS in your application for authentication or fetching data based on sms received. Note that most of the developer and business users don’t use the most secure mechanism of using the Push notification provided by Google know as Firebase Cloud Messaging (Initially known as GCM – Google Cloud Messaging) . SMS communication happen through a channel is not safe and also does not provide any level of encryption on the other and using FCM provides us with the option to setup secure channel on FCM cloud using the token mechanism and encryption of data.
Your code security - Obfuscation
Your code released with your app can be seriously comprised if the attacker is able to do reverse engineer and hack into your code and get every access to critical information required in your code. Therefore, it is recommended to use third party to obfuscate your code before releasing in Playstore. It is recommended to use the tool called ProGuard , which is included in Android SDK that will obfuscate and minify your source code.
You can use the Android ProGuard tool to obfuscate, shrink, and optimize your code. Obfuscated code can be more difficult for other people to reverse engineer.
Hope you have got a better understanding on some of the security aspects to be taken care while you are developing mobile app targeting for android OS. Even though the articles talks more about Android OS, some of the basic points mentioned is still applicable for other OS too.
Hope you enjoyed reading the article. Stay tuned for more such insightful articles on Digital Tech Joint.
Do email in case you have any further queries on Mobile App planning, increasing app usage or managing security of complex mobile app for Android native or hybrid app development.
You can reach me on my email address Anthony_das@yahoo.com
Happy to help