Effective Android security
Because all Apps deserve security

     Tips borrowed/stolen from various resources for better purpose.


Android Platform

Android is open source and designed with a flexible multilayer. Android seeks to be a secure platform for the users, thus Android seeks to

To accomplish a secure application, Android provides:



Linux Security

Android is built on the Linux kernel, which has been around for a long time; because of that, the Linux kernel has been maintained, fixed, and made stable. The Linux kernel provides several key security features:

Linux is a multiuser operating system, and the Linux kernel isolates user resources from one another for security reasons. Linux aims to protect user data, thus Linux:



The Application Sandbox

The Android platform uses the Linux user-based protection model to isolate one application from another. In Linux, multiple applications can run with the same user permission. Android, however, assigns a unique user ID (UID) to each application and runs it in a separate process. Each application is like a user.

This sets up a kernel-level Application Sandbox. The kernel enforces security between applications and the system at the process level by using Linux features. By default, applications cannot interact with each other and they have limited access to system resources.

The Application Sandbox is in the kernel, thus it extends to native code and operating system applications as well. Everything runs within the Application Sandbox.
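
To check the one-UID-per-application model described above on a device image, the following added example (not code from the original post) maps package UIDs to the `u0_aNNN` names that `ps` shows and reports packages that share a UID, which happens when apps opt in through the `android:sharedUserId` manifest attribute and therefore share one sandbox. It assumes the `<package> <uid> ...` line layout of `/data/system/packages.list`; the sample lines and package names are constructed.

```python
from collections import defaultdict

AID_APP_START = 10000      # first UID Android hands out to installed apps
AID_APP_END = 19999        # last UID in the installed-app range
AID_USER_OFFSET = 100000   # UID range reserved per device user (multi-user)

# Constructed sample in the "<package> <uid> ..." layout assumed for
# /data/system/packages.list; the package names are made up.
SAMPLE = """\
com.example.notes 10123 0 /data/user/0/com.example.notes
com.example.bank 10124 0 /data/user/0/com.example.bank
com.example.suite.mail 10130 0 /data/user/0/com.example.suite.mail
com.example.suite.calendar 10130 0 /data/user/0/com.example.suite.calendar
"""

def parse_package_list(text):
    """Return {package: uid}, skipping blank or malformed lines."""
    uids = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2 or not fields[1].isdigit():
            continue
        uids[fields[0]] = int(fields[1])
    return uids

def uid_to_name(uid):
    """Render a UID the way `ps` shows it, e.g. 10123 -> u0_a123."""
    user, app_id = divmod(uid, AID_USER_OFFSET)
    if app_id < AID_APP_START:
        return f"system({app_id})"
    if app_id > AID_APP_END:
        return f"other({app_id})"
    return f"u{user}_a{app_id - AID_APP_START}"

def shared_uids(uids):
    """Return {uid: [packages]} for every UID used by more than one package."""
    groups = defaultdict(list)
    for pkg, uid in uids.items():
        groups[uid].append(pkg)
    return {uid: sorted(pkgs) for uid, pkgs in groups.items() if len(pkgs) > 1}

if __name__ == "__main__":
    table = parse_package_list(SAMPLE)
    for pkg, uid in sorted(table.items()):
        print(f"{uid_to_name(uid):10} {pkg}")
    for uid, pkgs in shared_uids(table).items():
        print(f"shared sandbox {uid_to_name(uid)}: {', '.join(pkgs)}")
```

Packages reported as sharing a UID can read each other's private files, so each such group should be reviewed as a single trust domain.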


Personal Information

Access to sensitive user data is available only through protected APIs.


SIM Card Access

Low-level access to the SIM card is not available to third-party apps. The OS handles all communication with the SIM card.



Cost Sensitive APIs

Cost-sensitive means that using these APIs might generate a cost, thus Android protects them at the OS level. Applications must be granted explicit permission to use these APIs.

Tips:



Sensitive Data Input Devices

Applications must be granted explicit permission to use input devices such as:



Device Metadata

Device information might contain user information, thus applications must be granted permission to access:



* Application Signing

Tips:



Storing Data - Internal Storage



Storing Data - External Storage



* Storing Data - Content Providers

A structured storage mechanism. You must register it in the manifest file.

Tips:




Shared Preferences



Android Resources/Assets



Using Permissions



Using IP Networking



Using Telephony Networking



Performing Input Validation

Insufficient input validation is one of the most common security problems affecting applications, regardless of what platform they run on.



Handling User Data



Using WebView



Handling Credentials



Using cryptography



Using Interprocess Communication



Using Broadcast Receivers




Using Services

A Service is often used to supply functionality for other applications to use. Each service class must have a corresponding declaration in its manifest file.



Using IPC - Binder and Messenger Interface



Dynamically Loading Code



Logging



Use Proguard



Security with HTTPS and SSL



Be aware of reverse engineering



Be aware of app licensing

Google Play offers a licensing service that lets you enforce licensing policies for applications that you publish on Google Play. With Google Play Licensing, your application can query Google Play at run time to obtain the licensing status for the current user, then allow or disallow further use as appropriate.



Written by avicoder on 02 October 2017
@avicoder