© Blueinfy Solutions
Secure Coding For Android Applications
Local Storage - Example
• Remember me option – NOT SECURE WAY
Token stored
• On local file – NOT SECURE WAY
Shared Preferences
• SHARED PREFERENCE – NOT SECURE WAY
Writing to file
• When opening a file for writing, make sure to open it in private mode, as shown below –
String FILENAME = "temp";
String string = "token";
// MODE_PRIVATE: the file can only be accessed by the calling application
FileOutputStream fos = openFileOutput(FILENAME, Context.MODE_PRIVATE);
fos.write(string.getBytes());
fos.close();
Local Storage – Secure Method
• Encrypt the data using strong encryption, possibly AES
• Do not decrypt the data at client side
• Send Encrypted Data to the server
• Server decrypts the data before validating it
Securing Secrets
• Use AES encryption to store secret information and make the storage secure.
• APIs and libraries are available for it.
• Use random cookies and keys.
• Do not write to open or shared storage.
• Cache and file writing alone are not enough.
• A design-level strategy is needed for it.
Secure Method – Sample Code
Sending Encrypted in JSON
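The two slides above ("Secure Method" and "Sending Encrypted in JSON") as one added example; this is not the code from the original slides. It assumes AES-GCM, a JSON field named "token", and a key generated in main() that stands in for however the real key is provisioned.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;

public class TokenSealer {
    private static final int IV_LEN = 12;    // 96-bit nonce, the usual size for GCM
    private static final int TAG_BITS = 128; // authentication tag length

    // Client side: encrypts the token and returns Base64(iv || ciphertext || tag).
    static String seal(SecretKey key, String token) throws Exception {
        byte[] iv = new byte[IV_LEN];
        new SecureRandom().nextBytes(iv);    // fresh random IV for every encryption
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(token.getBytes(StandardCharsets.UTF_8));
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return Base64.getEncoder().encodeToString(out);
    }

    // Server side only: splits the IV off; doFinal throws if the tag does not verify.
    static String open(SecretKey key, String blob) throws Exception {
        byte[] in = Base64.getDecoder().decode(blob);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, in, 0, IV_LEN));
        byte[] pt = c.doFinal(in, IV_LEN, in.length - IV_LEN);
        return new String(pt, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey key = kg.generateKey();    // assumption: stands in for a provisioned key
        String blob = seal(key, "token");    // constructed sample value
        // Base64 output needs no JSON escaping, so the body can be assembled directly.
        String json = "{\"token\":\"" + blob + "\"}";
        System.out.println(json);            // what the client stores and sends
        System.out.println(open(key, blob).equals("token")); // server-side round trip
    }
}
```

The same string returned by seal() is what goes into the MODE_PRIVATE file, so the plaintext token never touches local storage.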
Secure
Cache with WebView
• By default, the WebView control caches all requests and responses
• Some of the filenames are –
– webviewCache.db
– webview.db-shm
– webview.db-wal
– webviewCookiesChromium.db
– webviewCookiesChromiumPrivate.db
– imagecache.db
Sample code to clear the cache
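One way to switch off and clear the WebView cache, as an added example that is not the code from the original slide. The class and method names are hypothetical, and leftoverFiles() assumes the cache files named on the previous slide live in the app's databases directory.

```java
import android.content.Context;
import android.webkit.CookieManager;
import android.webkit.WebSettings;
import android.webkit.WebStorage;
import android.webkit.WebView;
import java.io.File;
import java.util.ArrayList;
import java.util.List;

public final class WebViewHygiene {
    // Call once, right after the WebView is created.
    public static void disableCaching(WebView webView) {
        WebSettings settings = webView.getSettings();
        settings.setCacheMode(WebSettings.LOAD_NO_CACHE); // always load from the network
        settings.setSaveFormData(false);                  // has no effect on API 26+
    }

    // Call on logout and when the hosting Activity is destroyed.
    public static void clearAll(WebView webView) {
        webView.clearCache(true);                 // true also deletes the on-disk files
        webView.clearHistory();
        webView.clearFormData();
        WebStorage.getInstance().deleteAllData(); // DOM storage and Web SQL databases
        CookieManager cookies = CookieManager.getInstance();
        cookies.removeAllCookies(null);           // API 21+
        cookies.flush();
    }

    // Verification aid: names of the cache files listed above that still exist.
    public static List<String> leftoverFiles(Context context) {
        List<String> found = new ArrayList<>();
        File dir = context.getDatabasePath("webview.db").getParentFile();
        File[] files = (dir == null) ? null : dir.listFiles();
        if (files == null) return found;          // directory missing or unreadable
        for (File f : files) {
            String n = f.getName();
            if (n.startsWith("webview") || n.equals("imagecache.db")) found.add(n);
        }
        return found;
    }
}
```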
SSL Implementation
• Application sends request to server over SSL (Secure Way)
• Most applications fail to handle SSL certificate validation errors on the client side
• Only certificates from the OWNER server and its sub-domains should be allowed
Verify SSL Server – Sample Code
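A sketch of the check described on the previous slide, as an added example that is not the code from the original slide. It targets HttpsURLConnection on Android; OWNER_DOMAIN is a placeholder and the host names in main() are constructed.

```java
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLException;
import java.io.IOException;
import java.net.URL;
import java.util.Locale;

public final class OwnerOnlyTls {
    // Placeholder: replace with the application owner's domain.
    static final String OWNER_DOMAIN = "example.com";

    // True for the owner domain or a sub-domain of it; the leading dot keeps
    // look-alikes such as "notexample.com" out.
    static boolean isOwnerHost(String host) {
        if (host == null) return false;
        String h = host.toLowerCase(Locale.ROOT);
        return h.equals(OWNER_DOMAIN) || h.endsWith("." + OWNER_DOMAIN);
    }

    // Both checks must pass: the allowlist, then the platform's own comparison
    // of the host name against the certificate.
    static final HostnameVerifier OWNER_VERIFIER = (host, session) ->
            isOwnerHost(host)
            && HttpsURLConnection.getDefaultHostnameVerifier().verify(host, session);

    // Returns the HTTP status or throws; there is no fallback path that
    // retries without validation.
    static int get(URL url) throws IOException {
        if (!"https".equals(url.getProtocol()) || !isOwnerHost(url.getHost())) {
            throw new SSLException("refusing non-owner or non-HTTPS URL: " + url);
        }
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setHostnameVerifier(OWNER_VERIFIER);
        try {
            return conn.getResponseCode(); // chain is validated by the default TrustManager
        } finally {
            conn.disconnect();
        }
    }

    public static void main(String[] args) {
        // Constructed host names: the first two pass, the last two are rejected.
        for (String h : new String[] {"example.com", "api.example.com",
                                      "notexample.com", "example.com.attacker.test"}) {
            System.out.println(h + " -> " + isOwnerHost(h));
        }
    }
}
```

A certificate validation failure surfaces as an exception from get(); the caller should report it and stop rather than install a permissive TrustManager or HostnameVerifier.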
Copy/Paste in the text fields
• Services are shared between all the applications
• An attacker can write a malicious program that monitors the clipboard to get access to sensitive data if copy/paste is not disabled
• Copy/Paste must be disabled on the sensitive fields
Screenshot in temporary files
• Pressing the HOME button takes a screenshot of the last screen and saves it in local storage
• To disable this, the manifest file needs to be updated under the Activity tag
Protecting IP
• Unlike iOS, no encryption is supported by the Android platform
• It is possible to decompile the binary and get access to the source code
• “ProGuard” can be leveraged to protect against decompilation
Code Analysis with AppCodeScan
• Semi automated tool
• Ability to expand with custom rules
• Simple tracing utility to verify and track vulnerabilities
• Simple HTML reporting which can be converted to PDF
Sample Rules - Android
Conclusion