android secure coding

Post on 19-Jan-2017

© Blueinfy Solutions

Secure Coding For Android Applications

Local Storage - Example

• Remember me option – NOT SECURE WAY

Token stored

• On local file – NOT SECURE WAY

Shared Preferences

• SHARED PREFERENCE – NOT SECURE WAY

Writing to file

• When opening a file for writing, make sure to open it in private mode, as shown below:

String FILENAME = "temp";
String string = "token";
// MODE_PRIVATE: the file is accessible only to the calling application
FileOutputStream fos = openFileOutput(FILENAME, Context.MODE_PRIVATE);
fos.write(string.getBytes());
fos.close();

Local Storage – Secure Method

• Encrypt the data using strong encryption, possibly AES

• Do not decrypt the data at client side

• Send Encrypted Data to the server

• Server decrypts the data before validating it

Securing Secrets

• Use AES encryption to store secret information and build secure storage.

• Use APIs and libraries for it.

• Use random cookies and keys.

• Do not use open or shared storage.

• Relying on cache and file writing alone is not enough.

• Have a design-level strategy for it.

Secure Method – Sample Code

Sending Encrypted in JSON

Secure

Cache with WebView

• By default, the WebView control caches all requests and responses

• Some of the filenames are:

– webviewCache.db

– webview.db-shm

– webview.db-wal

– webviewCookiesChromium.db

– webviewCookiesChromiumPrivate.db

– imagecache.db

Sample code to clear the cache

SSL Implementation

• The application sends requests to the server over SSL (Secure Way)

• Most applications fail to handle SSL certificate validation errors on the client side

• Only certificates from the OWNER server and its sub-domains should be allowed
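
One way to enforce the "owner server and sub-domain only" rule, as an added example that is not code from the original slides. The class name OwnerHostVerifier, the helper names and the domain example.com are assumptions made for illustration.

```java
import java.io.IOException;
import java.net.URL;
import java.util.Locale;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLSession;

/** Added example: accept TLS peers only for the owner domain and its sub-domains. */
public final class OwnerHostVerifier implements HostnameVerifier {
    // Assumption: placeholder for the application's own server domain.
    static final String OWNER_DOMAIN = "example.com";

    // The platform verifier still checks that the certificate matches the host.
    private final HostnameVerifier platform = HttpsURLConnection.getDefaultHostnameVerifier();

    /** True only for OWNER_DOMAIN itself or a name ending in "." + OWNER_DOMAIN. */
    static boolean isOwnerHost(String host) {
        if (host == null || host.isEmpty()) return false;
        String h = host.toLowerCase(Locale.ROOT);
        if (h.endsWith(".")) h = h.substring(0, h.length() - 1); // drop trailing root dot
        return h.equals(OWNER_DOMAIN) || h.endsWith("." + OWNER_DOMAIN);
    }

    @Override
    public boolean verify(String hostname, SSLSession session) {
        // Both must hold; never "return true" to silence a validation error.
        return isOwnerHost(hostname) && platform.verify(hostname, session);
    }

    /** Opens an HTTPS connection, refusing non-HTTPS URLs and foreign hosts up front. */
    static HttpsURLConnection open(URL url) throws IOException {
        if (!"https".equalsIgnoreCase(url.getProtocol()) || !isOwnerHost(url.getHost())) {
            throw new IOException("Refusing connection to " + url);
        }
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setHostnameVerifier(new OwnerHostVerifier());
        conn.setInstanceFollowRedirects(false); // a redirect must not leave the allow-list
        return conn; // the default TrustManager still validates the certificate chain
    }

    public static void main(String[] args) {
        // Constructed host names, checked offline.
        String[] hosts = {"example.com", "api.example.com", "example.com.other.test", "notexample.com"};
        for (String h : hosts) System.out.println(h + " -> " + isOwnerHost(h));
    }
}
```

The suffix check includes the leading dot so that look-alike names such as notexample.com or example.com.other.test are rejected.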

Verify SSL Server – Sample Code

Copy/Paste in the text fields

• Services are shared between all the applications

• An attacker can write a malicious program to monitor the clipboard and get access to sensitive data if copy/paste is not disabled

• Copy/Paste must be disabled on the sensitive fields

Screenshot in temporary files

• Pressing the HOME button takes a screenshot of the last screen and saves it in local storage

• To disable this, the manifest file needs to be updated under the Activity tag

Protecting IP

• Unlike iOS, there is no encryption supported by the Android platform

• It is possible to decompile the binary and get access to the source code

• "ProGuard" can be leveraged to protect against decompilation

Code Analysis with AppCodeScan

• Semi automated tool

• Ability to expand with custom rules

• Simple tracing utility to verify and track vulnerabilities

• Simple HTML reporting which can be converted to PDF

Sample Rules - Android

Conclusion
