
Simple Tips to Secure Android App

by Ketan Parmar · May 27, 2014 · Java Zone

Android has security features built into the operating system that significantly reduce the frequency and impact of application security issues, but as application developers it is still our job to secure the application itself. The level of security required depends on the application's type and domain, but there are a few security aspects we should never forget. I am collecting those common tips in this article.

Here I list the most common things developers should take care of to protect an application.

1. Do not store private or sensitive data on the SD card. Files on external storage can be read by other applications (and by anyone with physical access to the card). To store a file on internal storage, use openFileOutput and openFileInput with private mode (Context.MODE_PRIVATE), which makes the file readable only by your app's own UID. If you really want to store data on the SD card, encrypt it first. You will find many encryption libraries; I prefer Conceal from Facebook.

2. Restrict your ContentProvider by setting the exported flag to false. Not every ContentProvider is developed for data exchange between applications; a ContentProvider can be developed for a single application, in which case it should be private. Set the flag explicitly: for apps targeting API level 16 or lower a ContentProvider is exported by default.

<provider android:exported="false" android:name="MyContentProvider" android:authorities="com.example.mycontentprovider" />
3. Restrict the WebView's access to local data. HTML5 and related technologies have become popular for developing mobile web apps and hybrid apps. A hybrid app uses a WebView to display content from locally stored HTML, or HTML and other content fetched from the server. The major security concerns for a WebView are the setAllowFileAccess() and setAllowContentAccess() settings: when they are enabled, anything rendered in the WebView can reach file:// and content:// URIs, including your app's private files, so turn them off unless the app really needs them, and do not enable JavaScript or addJavascriptInterface() for content you do not fully control.
4. Do not pass sensitive information through Broadcasts and Intents; an implicit broadcast can be received by any app that registers a receiver for its action. Use LocalBroadcastManager to broadcast data within your own process/app. LocalBroadcastManager is available in Support Library v4.
5. Don't print sensitive information to LogCat: usernames, passwords, web service URLs, request or response bodies, session tokens and similar details. Before Android 4.1 any app holding the READ_LOGS permission could read the whole log, and on any version the log is available to anyone with adb access to the device.

6. Remove unnecessary Log calls before publishing the app (ProGuard can strip them for you with an -assumenosideeffects rule for android.util.Log).

7. Don't process malicious Intents. Before processing an Intent received in the onReceive method of a BroadcastReceiver, validate its action and every extra you read (type, length, allowed values) rather than trusting them. Note that a receiver cannot see which package sent a broadcast, so if only your own components should trigger it, do not export it or protect it with a permission; for Services and ContentProviders, identify the caller from Binder.getCallingUid() inside the Binder call.

8. Protect your Service with a permission (android:permission in the manifest, ideally a signature-level permission you define yourself). Set the exported flag to false when the Service is developed for your app only.

9. Restrict access to Activities. If an activity is intended solely for internal use by the app, set its exported flag to false (an Activity that declares an intent-filter is exported by default).

<activity android:name=".view.MyActivity" android:exported="false"> </activity>

10. Make sure android:debuggable is false before publishing the APK. A debuggable app lets anyone with adb access attach a debugger, run commands as the app's UID and read its private data.
11. Encrypt sensitive data even if you store it in internal storage; MODE_PRIVATE does not protect it on a rooted device or in an extracted backup.
12. For cross-app functionality, validate the calling application before responding: check the caller's UID and package and, better, its signing certificate, since a package name alone can be claimed by any APK installed on the device.
13. Properly verify the server's TLS/SSL certificate for HTTPS calls. Never ship a TrustManager that accepts every certificate or a HostnameVerifier that always returns true, even if you added them during development to get past a self-signed test certificate; either one turns HTTPS into plaintext for a man in the middle.
14. Use the NDK whenever you feel information is not safe in Java code, because Java bytecode is easily decompiled (constants, for example). Native code only raises the bar: strings in a .so can still be pulled out with ordinary tools, so do not treat it as a safe place for secrets.
15. Use ProGuard, which shrinks, optimizes, and obfuscates your code.
16. Remove unwanted/unused <uses-permission> entries from AndroidManifest.xml.
17. Loading a classes.dex from outside the application is a major security risk. DexClassLoader allows a developer to load a classes.dex on demand; if that file lives in a location other apps can write to (such as the SD card) or is downloaded without an integrity check, another app or a network attacker can replace it and run arbitrary code as your app.
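For tip 3, this is what the relevant WebSettings look like when locked down for a hybrid app that only needs to load its own HTTPS origin. It is an added example, not the author's code; the host name app.example.com is a placeholder.

```java
import android.net.Uri;
import android.os.Build;
import android.webkit.WebResourceRequest;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;

/** Applies a restrictive configuration to a WebView used for remote content. */
public final class WebViewHardening {
    // Hypothetical origin the hybrid app is allowed to load (assumption for this example).
    private static final String ALLOWED_HOST = "app.example.com";

    private WebViewHardening() {}

    public static void apply(WebView webView, boolean needsJavaScript) {
        WebSettings s = webView.getSettings();
        // file:// and content:// URLs give rendered content a path into app-private files.
        s.setAllowFileAccess(false);
        s.setAllowContentAccess(false);
        // Defaults were true on old releases; turn them off so a file:// page cannot read other files or origins.
        s.setAllowFileAccessFromFileURLs(false);
        s.setAllowUniversalAccessFromFileURLs(false);
        // Script stays off unless the page really needs it; addJavascriptInterface() is not called at all here.
        s.setJavaScriptEnabled(needsJavaScript);
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.LOLLIPOP) {
            // No http:// sub-resources inside an https:// page.
            s.setMixedContentMode(WebSettings.MIXED_CONTENT_NEVER_ALLOW);
        }
        webView.setWebViewClient(new WebViewClient() {
            @Override // API 24+
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                return !isAllowed(request.getUrl()); // true = do not load
            }

            @Override // pre-API 24 callback
            @SuppressWarnings("deprecation")
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                return !isAllowed(Uri.parse(url));
            }
        });
    }

    /** Only https:// to the expected host is loaded; any other scheme or host is dropped. */
    static boolean isAllowed(Uri uri) {
        return uri != null
                && "https".equalsIgnoreCase(uri.getScheme())
                && ALLOWED_HOST.equalsIgnoreCase(uri.getHost());
    }
}
```

The navigation allow-list matters as much as the settings: without it, a link or redirect in the loaded page can navigate the WebView to an attacker's site, which then runs with whatever JavaScript bridges the app exposed.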
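Tips 7 and 12 both come down to not trusting what arrives over IPC. The added example below (not from the article) shows the two checks a practitioner actually needs: identifying the caller of a Binder-based component (a ContentProvider method or a bound Service call) by UID and signing certificate, and validating the payload of a broadcast before acting on it. The partner package name, the action string and the extra name are hypothetical.

```java
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.pm.PackageManager;
import android.os.Binder;
import android.os.Process;
import android.util.Log;

import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

/** Caller and payload validation for components other apps can reach. */
public final class CallerCheck {
    private static final String TAG = "CallerCheck";
    public static final String ACTION_SYNC = "com.example.myapp.action.SYNC"; // hypothetical action
    public static final String EXTRA_ACCOUNT_ID = "account_id";              // hypothetical extra
    // Hypothetical partner package allowed to call us (assumption for this example).
    private static final Set<String> ALLOWED_PACKAGES =
            Collections.unmodifiableSet(new HashSet<>(Arrays.asList("com.example.partner")));

    private CallerCheck() {}

    /**
     * Call this inside a Binder transaction: ContentProvider.query/insert/update/delete,
     * an AIDL method, or a Messenger handler. Binder.getCallingUid() is only meaningful
     * there; in Service.onStartCommand or Activity.onCreate it returns our own UID.
     */
    public static boolean isTrustedBinderCaller(Context context) {
        int callingUid = Binder.getCallingUid();
        if (callingUid == Process.myUid()) {
            return true; // our own app calling from another of its processes
        }
        PackageManager pm = context.getPackageManager();
        // One UID may be shared by several packages (sharedUserId); every one of them must be allowed.
        String[] pkgs = pm.getPackagesForUid(callingUid);
        if (pkgs == null || pkgs.length == 0) {
            return false;
        }
        for (String pkg : pkgs) {
            if (!ALLOWED_PACKAGES.contains(pkg)) {
                Log.w(TAG, "rejecting caller uid=" + callingUid + " pkg=" + pkg);
                return false;
            }
        }
        // Any APK can claim a package name; the signing key cannot be faked.
        // Here the caller must be signed with the same certificate as this app.
        return pm.checkSignatures(Process.myUid(), callingUid) == PackageManager.SIGNATURE_MATCH;
    }

    /** Validates an Intent delivered to a BroadcastReceiver before anything acts on it. */
    public static boolean isValidSyncRequest(Intent intent) {
        if (intent == null || !ACTION_SYNC.equals(intent.getAction())) {
            return false;
        }
        String accountId = intent.getStringExtra(EXTRA_ACCOUNT_ID);
        // Reject missing or unexpected values instead of passing them into SQL, URLs or file paths.
        return accountId != null && accountId.matches("[A-Za-z0-9_-]{1,64}");
    }
}

/** Receiver that refuses to process anything failing validation. */
class SyncReceiver extends BroadcastReceiver {
    @Override
    public void onReceive(Context context, Intent intent) {
        // A receiver cannot learn which package sent a broadcast (before API 34), so it is
        // protected with android:permission in the manifest and only the payload is checked here.
        if (!CallerCheck.isValidSyncRequest(intent)) {
            return;
        }
        // Safe to start the sync for intent.getStringExtra(CallerCheck.EXTRA_ACCOUNT_ID).
    }
}
```

If the partner is signed with a different key, replace the checkSignatures call with a comparison of the caller's signing certificate against a hash you pin in the app; the package-name check alone is never sufficient.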
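For tip 13, the added example below (not from the article) does the opposite of the usual "trust everything" workaround: it pins the server's CA. The app ships the CA certificate as a raw resource and builds an SSLContext whose only trust anchor is that certificate, using only standard Java and Android APIs; the default hostname verification is left in place. The resource file server_ca and the URL are assumptions for the example.

```java
import android.content.Context;

import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;

import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/** HTTPS connections that trust only the CA shipped inside the APK. */
public final class PinnedHttps {
    private PinnedHttps() {}

    /**
     * Builds an SSLContext whose trust store contains exactly one CA certificate,
     * read from a raw resource (for example res/raw/server_ca.crt, PEM or DER; hypothetical).
     */
    public static SSLContext buildPinnedContext(Context context, int rawCertResId)
            throws GeneralSecurityException, IOException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Certificate ca;
        try (InputStream in = context.getResources().openRawResource(rawCertResId)) {
            ca = cf.generateCertificate(in);
        }
        // Start from an empty keystore so the device's system CAs are NOT trusted for this connection.
        KeyStore trusted = KeyStore.getInstance(KeyStore.getDefaultType());
        trusted.load(null, null);
        trusted.setCertificateEntry("pinned_ca", ca);

        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trusted);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Opens a connection that will fail the handshake unless the server chains to the pinned CA. */
    public static HttpsURLConnection open(Context context, int rawCertResId, String url)
            throws GeneralSecurityException, IOException {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(buildPinnedContext(context, rawCertResId).getSocketFactory());
        // Deliberately no setHostnameVerifier(): the default verifier checks the certificate
        // against the URL's host. Installing one that returns true, or an X509TrustManager
        // with an empty checkServerTrusted(), would defeat the whole point of HTTPS.
        return conn;
    }
}
```

Pinning the CA rather than the leaf certificate lets the server rotate its certificate without an app update, but replacing the CA itself does require one, so plan the rollout before the pinned CA expires. A self-signed test certificate can be handled the same way: ship it as the pinned anchor in debug builds instead of disabling verification.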
Reference: http://developer.android.com/training/articles/security-tips.html

Published at DZone with permission of Ketan Parmar, DZone MVB. See the original article here.

