Best practices in Android application security
TRANSCRIPT
Mobile App Security Meet
"For most enterprises and consumers today, mobile and cloud security are viewed in a pretty straightforward way — don't assume there is any."
Android application best practices
Mobile first
"The future of mobile is the future of online. It is how people access online content now."
Understanding Android
Android APK
The DEX file is one of the most distinctive features of the Dalvik VM (the runtime under the Android system): it does not use Java bytecode. Instead it uses a homegrown format called DEX (Dalvik Executable).
Android programs are compiled into .dex files, which are in turn zipped together with the resources and the manifest into a single .apk file that is installed on the device. Because the APK is an ordinary zip archive, anyone holding it can unpack it and decompile the .dex into readable code, so nothing shipped inside it can be treated as secret.
AndroidManifest.xml is a powerful file in the Android platform that describes the functionality and requirements of your application to Android: which components it exposes, which permissions it requests, and which permissions it demands from other apps that want to talk to it.
Data on Device
Any sensitive data stored on the device should be encrypted.
SharedPreferences stores its data in plain text: an XML file under the app's private directory, readable by anyone with a rooted device, a debuggable build, or a backup of the app data.
Use an implementation of SharedPreferences that encrypts values before they are written to storage, with the key kept outside the file (for example in the Android Keystore), so a copy of the file alone is useless.
Data on Device
File view of the shared preference storage in Android (screenshot in the original deck): the keys and values are visible as-is in the XML.
Data on Device
SQLite Storage in Android
SQLite stores column values in the clear, so confidential data should be encrypted before it is inserted into the tables (or the whole database should be encrypted, for example with SQLCipher).
Apps in Device
Broadcast Receivers
Protect broadcasts with permissions when components communicate through them: an unprotected implicit broadcast is delivered to every app on the device that registers for the action, and any app can send one to your receiver.
Android permission model
Use Android permissions deliberately when declaring components in the manifest: components that only your own app uses should not be exported at all, and components that other apps may call should require a permission (signature level where only your own apps need access).
Apps in Device
Custom receiver listening for broadcast intents (code screenshot in the original deck)
Sending broadcast intents from an Android component (code screenshot in the original deck)
Best Practice
Custom receiver listening for broadcast intents, protected by a permission (code screenshot in the original deck)
Sending broadcast intents from an Android component with the permission required of receivers (code screenshot in the original deck)
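As an added example (not the code shown in the deck's screenshots), here is a receiver and a sender that follow the practice above: a signature-level permission declared in the manifest guards the receiver, the sender targets its own package and requires the permission, and the receiver still validates what it is handed. The permission name, action string, class names and the "records" extra are assumptions made for this example.

```java
// Added example (not from the original deck). Two components of one app exchange a
// broadcast that no other app can send or receive. The permission name, action
// string, class names and the "records" extra are assumptions for this example.
//
// AndroidManifest.xml (assumed): a signature-level permission means only apps
// signed with the same key can hold it; the receiver is not exported and demands it.
//
//   <permission android:name="com.example.app.permission.INTERNAL_EVENT"
//               android:protectionLevel="signature" />
//   <uses-permission android:name="com.example.app.permission.INTERNAL_EVENT" />
//   <receiver android:name=".InternalBroadcasts$SyncDoneReceiver"
//             android:exported="false"
//             android:permission="com.example.app.permission.INTERNAL_EVENT">
//       <intent-filter>
//           <action android:name="com.example.app.SYNC_DONE" />
//       </intent-filter>
//   </receiver>
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.util.Log;

public final class InternalBroadcasts {
    static final String PERMISSION = "com.example.app.permission.INTERNAL_EVENT";
    static final String ACTION_SYNC_DONE = "com.example.app.SYNC_DONE";
    private static final String TAG = "InternalBroadcasts";

    // Receiver: the manifest permission makes the system drop broadcasts from senders
    // that do not hold it, but the action and the extras are still treated as
    // untrusted input rather than assumed to be well-formed.
    public static final class SyncDoneReceiver extends BroadcastReceiver {
        @Override
        public void onReceive(Context context, Intent intent) {
            if (intent == null || !ACTION_SYNC_DONE.equals(intent.getAction())) {
                return;
            }
            int records = intent.getIntExtra("records", -1);
            if (records < 0) {
                Log.w(TAG, "ignoring malformed SYNC_DONE broadcast");
                return;
            }
            Log.i(TAG, "sync finished, records=" + records);
        }
    }

    // Sender: setPackage() makes the broadcast explicit (only this package can
    // receive it) and the permission argument restricts delivery to holders of the
    // permission. Both matter: an implicit, unprotected broadcast is visible to
    // every app on the device, and its extras leak to all of them.
    public static void announceSyncDone(Context context, int records) {
        Intent intent = new Intent(ACTION_SYNC_DONE)
                .setPackage(context.getPackageName())
                .putExtra("records", records);
        context.sendBroadcast(intent, PERMISSION);
    }
}
```

If the sender and receiver live in the same process, a broadcast is not needed at all; an in-process callback or event bus avoids the IPC surface entirely. Where a receiver must accept broadcasts from other apps, keep android:exported="true" but still require a permission, and never trust file paths, URLs or identifiers carried in the extras without validation.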
App to Cloud
● Always communicate over HTTPS; never allow a fallback to plain HTTP
● Implement SSL pinning (pin the server's certificate or public key), so that a proxy using a CA the user has installed cannot intercept the traffic
● Gzip the request and response bodies to reduce bandwidth (a performance measure, not a security control: a proxy that terminates TLS still sees the decompressed body)
App to Cloud
An API call traced by a proxy sitting between the app and the cloud server (screenshot in the original deck): with the proxy's CA trusted on the device and no pinning, the full request and response are readable.
Best Practice
Gzipping the request body for the API call from the Android app (code screenshot in the original deck)
Request body as traced by the proxy after gzipping (screenshot in the original deck): the body is no longer readable at a glance, but the proxy can inflate it, so pinning is what actually keeps it private.
Best Practice
SSL-pinned HTTP client for Android apps (code screenshot in the original deck): the client rejects any server certificate chain that does not contain the pinned certificate or public key, even if the chain is signed by a CA the device trusts.
Deployment
Before deploying to the Play Store, use ProGuard (R8 in current Android toolchains) to shrink and obfuscate the code. This raises the cost of reverse engineering by stripping names and dead code, but it does not prevent it: the .dex can still be decompiled and any string constant recovered, so API keys, credentials and pins must not be treated as hidden just because the build is obfuscated.
Thank you