Security of a mobile application is very important as people depend on their smartphones for everything, from paying their bills to recording their personal health information. With the fast growing adoption of android devices, chances of security attack keeps increasing in an even faster rate.
For that reason android developers have to chip in their genuine effort to make their apps secure, so that their users feel the comfort of being in safe hands.
Security Best Practices
It is completely impossible to make an application 100% secure. Our intention should always be to provide a more secure app which makes it hard for any hacker to break into. Lets walk through some of the improvements we could make to enhance the security of an android app.
Encrypt Stored Data
Encrypting the information stored in device’s local storage is very important. For example, if user’s PII (Personal Identifiable Information) is stored, the data need to be encrypted in such a way that someone illegally accessing it cannot identify to whom it belongs to or make any sense out of it.
The performance aspect need to be considered during encryption. Encrypting and decrypting huge chunks of data will impact the performance heavily. Also, make sure to choose an encryption method which is not vulnerable to known cryptographic attacks.
For Further Reading:
https://proandroiddev.com/secure-data-in-android-encryption-7eda33e68f58
Code Obfuscation
The absence of obfuscation may lead to theft and reuse of the code. It also allows an attacker to understand the client side security measures such as root detection, SSL pinning, business logics etc. which can then be easily bypassed.
It is recommended for an application to use obfuscation techniques such as ProGuard, DexGuard, etc. These tools also optimizes the code in addition to renaming variables, class and method names to non-meaningful names.
For Further Reading:
https://medium.com/androiddevelopers/troubleshooting-proguard-issues-on-android-bce9de4f8a74
https://medium.com/androiddevelopers/practical-proguard-rules-examples-5640a3907dc9
https://guides.codepath.com/android/Configuring-ProGuard
Root Detection & App Tampering Detection
A rooted device allows malicious applications installed to perform actions as a root user which compromises the security of other applications running on the phone and thus may allow malicious application to retrieve sensitive data stored in application sandbox. It also allows attackers to perform static and dynamic analysis of the application.
There are many ways to detect a rooted device from within the app. But it is possible for a hacker to bypass those checks. It is always better to pass the required parameters to the backend and let it decide whether the device is rooted.
Lack of application integrity checks allows an attacker to add malicious code to obtain user credentials and other sensitive data. The tampered application can be distributed over third party application stores and victim could be tricked to use tampered application. It also allows an attacker to bypass all security measures implemented at client side.
I recommend application developers to use Google’s Safety Net Attestation API to implement server-side integrity checks as all the other client side security measures can be easily bypassed. Though, there are many other alternate ways to detect a tampered application and a rooted device. Safety Net Attestation APIs have a quota limit of 10,000 requests per day. It should be respected in the app. If necessary we can even make a request to increase the quota limit.
For Further Reading:
https://developer.android.com/training/safetynet/attestation
https://www.netguru.com/codestories/stay-safe-with-safetynet-attestation-api-in-android
https://www.airpair.com/android/posts/adding-tampering-detection-to-your-android-app
Certificate Pinning / SSL Pinning
This technique is used to protect the app from Man-in-the-Middle (MitM) attack. An attacker can proxy the requests between your app and server if the Certificate Authority is compromised or by installing a self-signed certificate in the user’s device.
We can prevent MitM attack using SSL Pinning/Certificate Pinning/Pinning. SSL Pinning is the process of pinning the SSL Certificate of the required host from within the app. You can either pin a host using its certificate or public key. Whenever you make a call to the server, it will match the server’s SSL certificate or public key to the ones pinned in your app. It should match, so that your app will trust and establish a connection with the server.
In SSL Pinning, the logic of validating the genuinity of the certificate is purely in the client end and it is always inviting for the hacker. Certificate Transparency is better approach to prevent MitM attack.
For Further Reading:
https://appmattus.medium.com/android-security-ssl-pinning-1db8acb6621e
https://mailapurvpandey.medium.com/ssl-pinning-in-android-90dddfa3e051
http://www.codeplayon.com/2020/08/android-security-ssl-pinning/
Certificate Transparency
This is also targeted at preventing MitM attack. Certificate Transparency(CT) is a relatively newer concept which will fill most of the security holes left open by Certificate Pinning technique. CT provides an open framework for monitoring and auditing SSL certificates in nearly real time. Specifically, CT makes it possible to detect SSL certificates that have been mistakenly issued by a certificate authority or maliciously acquired from an otherwise unimpeachable Certificate Authority(CA). It also makes it possible to identify certificate authorities that have gone rogue and are maliciously issuing certificates.
A system of public logs is created that seek to eventually record all certificates issued by publicly trusted certificate authorities, allowing efficient identification of mistakenly or maliciously issued certificates.
Some of the libraries available to implement CT in an Android app are Conscrypt, certificate-transparency-java and certificate-transparency-android. The certificate-transparency-android library is android specific. It provides integration with network libraries like Retrofit, Volley, HttpURLConnection, OkHttp, ect and it is very easy to implement.
For Further Reading:
https://developer.ibm.com/solutions/security/blogs/certificate-transparency-for-web-and-mobile-apps/
https://medium.com/babylon-engineering/android-security-certificate-transparency-601c18157c44
Secure Authentication Mechanism
Use highly secure authentication mechanisms to avoid security threats. It is always advisable to use Multi-factor authentication.
The username enumeration vulnerability can be exploited by an attacker to determine the valid users present for the application. An attacker can also perform dictionary/brute-force attack using an automated tool such as Burp Intruder to successfully enumerate the usernames which get him halfway through the process of compromising a user’s account. Further, an attacker can use social engineering techniques, guessing attacks, etc. which may lead to user’s account compromise.
It is recommended that the application should refrain from displaying an inconsistent error message such as “Incorrect username or password” and instead a generic error message should be displayed. In the scenario wherein displaying inconsistent error message is a functional requirement of the application it is recommended that the application must implement proper rate limiters using Google’s reCAPTCHA SafetyNet API or session-specific server-side variable.
For Further Reading:
https://developer.okta.com/blog/2020/04/20/android-authentication
https://blog.rapid7.com/2017/06/15/about-user-enumeration/
Signing with Strong Signature Algorithm
While signing an android application a strong hashing algorithm such as SHA-256 along with RSA-4096 or RSA-2048 should be used. However, SHA256withRSA and other better hashes are only supported on API level 18 and above. Developers have make a trade off between security and compatibility.
It is recommended that developers must use signing scheme v2 over signing scheme v1 as the latter do not properly protect the APK from unauthorized alterations. Signature scheme v2 treats the APK as a blob and performs the signature checking across the entire file. App Bundles should be preferred over APKs.
For Further Reading:
https://source.android.com/security/apksigning
https://github.com/shivsahni/The-Grey-Matter-of-Securing-Android-Applications
Input Validation
Input forms can be used to inject malicious code and access server data. For example, if apps do not restrict the characters a user can enter in a field, hackers can inject malicious scripts and gain access to private information. So, all the user inputs should be thoroughly validated through a powerful validation mechanism. Even if some special characters are required as per use case, the input should be encoded and passed.
For Further Reading:
https://github.com/thyrlian/AwesomeValidation
Webview Hardening
Whenever a webview is used within the app, it should be hardened properly by configuring only the required permissions. The default configuration should not be blindly used. The behavior of a WebView object can be customized using the WebSettings object, which can be obtained from WebView.getSettings(). Major security concerns for WebView are about the setJavaScriptEnabled(), setPluginState(), and setAllowFileAccess() methods.
For Further Reading:
Minimal App Permissions
Only the required permissions should be seeked from the user for any app. Having unwanted permissions might pave way for the attacker to make use of them to compromise the user’s security.
Appropriate Session Expiry
Usually mobile apps have higher session expiry time than browser based apps. But, session expiry should be configured purely based on the use case by keeping security in mind. For example, in a payment or banking app, session should be terminated instantly when there is no user interaction for just minutes (if not seconds). Even for other apps, it is better to authenticate every time when the user reopens the app as intuitively as possible like using fingerprint unlock, face unlock, etc
Server Security
A hacker might try to attack the APIs that are used to communicate with the server. The server must deploy right security measures like API token, rate limiter, etc to prevent these attacks. A good firewall can be employed to counter the server attacks.