In your gradle file add
Add any related rules in proguard-project.txt (Gradle projects generated by Android Studio call this file proguard-rules.pro).
You can even try the paid alternative DexGuard. Keep in mind that obfuscation only slows a reverse engineer down; it does not stop one, so never rely on it to hide secrets such as API keys inside the APK.
2. Is it a real device? Are we running on real hardware or on a fancy emulator? If your use case has no business running on an emulator, refuse to run there.
3. Is it rooted? Again, this depends on the use case. If you want to refuse to run on rooted devices you can, either with your own checks or with a library such as rootbeer. Both this and the emulator check execute inside the app, on a device the attacker controls, so they can be patched out of a repackaged APK or hooked at runtime: they raise the bar, they are not a security boundary.
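One way to write your own checks, as an added example that is not from the article and not rootbeer's code: the class name, the list of su paths and the emulator fingerprints are assumptions, and every one of them is a heuristic a determined attacker can defeat.

```java
import android.os.Build;
import java.io.File;

/** Heuristic root and emulator checks (assumed class, not from the article or rootbeer). */
public final class DeviceIntegrity {
    private DeviceIntegrity() {}

    // Well-known locations of the su binary on rooted devices (assumed list).
    private static final String[] SU_PATHS = {
        "/system/bin/su", "/system/xbin/su", "/sbin/su", "/su/bin/su",
        "/system/sd/xbin/su", "/data/local/bin/su", "/data/local/xbin/su", "/data/local/su"
    };

    /** True if the ROM is test-signed or an su binary is present. */
    public static boolean looksRooted() {
        String tags = Build.TAGS;
        if (tags != null && tags.contains("test-keys")) return true;
        for (String path : SU_PATHS) {
            // File.exists() works on /system paths without root, so this is cheap and safe.
            if (new File(path).exists()) return true;
        }
        return false;
    }

    /** True if the build properties match the stock emulator or a common third-party one. */
    public static boolean looksLikeEmulator() {
        return Build.FINGERPRINT.startsWith("generic")
                || Build.FINGERPRINT.startsWith("unknown")
                || Build.MODEL.contains("google_sdk")
                || Build.MODEL.contains("Emulator")
                || Build.MODEL.contains("Android SDK built for x86")
                || Build.MANUFACTURER.contains("Genymotion")
                || Build.PRODUCT.contains("sdk")
                || (Build.BRAND.startsWith("generic") && Build.DEVICE.startsWith("generic"));
    }

    /** Combined gate to call early, for example from Application.onCreate(). */
    public static boolean isTrustedEnvironment() {
        return !looksRooted() && !looksLikeEmulator();
    }
}
```

Treat the result as a signal, not a verdict: report it to your backend and decide there what the account is allowed to do, rather than granting or denying anything purely on the client, where the check itself can be patched away.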
5. Secure the network: are you sending sensitive information in plain text? If yes, you are doing it wrong. The StrictMode check detectCleartextNetwork() comes to the rescue. The documentation describes it as:
"Detect any network traffic from the calling app which is not wrapped in SSL/TLS." StrictMode only reports what it observes while you exercise the app, so it is a development-time detector, not an enforcement mechanism. To actually block cleartext in shipped builds, set android:usesCleartextTraffic="false" on the <application> element (API 23+) or forbid it with cleartextTrafficPermitted="false" in a Network Security Config (API 24+).
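How to switch the check on, as an added example that is not taken from the article: MyApplication is an assumed Application subclass and BuildConfig.DEBUG is the flag Gradle generates for your own package, assumed here to be the switch you want to gate on.

```java
import android.app.Application;
import android.os.Build;
import android.os.StrictMode;

/**
 * Assumed Application subclass; register it with android:name on <application>.
 * detectCleartextNetwork() exists since API 23, so the policy is only installed there.
 */
public class MyApplication extends Application {
    @Override
    public void onCreate() {
        super.onCreate();
        // BuildConfig.DEBUG is the flag Gradle generates for this package (assumed).
        // StrictMode is a development aid, so keep it out of release builds.
        if (BuildConfig.DEBUG && Build.VERSION.SDK_INT >= Build.VERSION_CODES.M) {
            StrictMode.setVmPolicy(new StrictMode.VmPolicy.Builder()
                    .detectCleartextNetwork()
                    .penaltyLog()                       // log a stack trace of the offending call
                    .penaltyDeathOnCleartextNetwork()   // and crash, so nobody can ignore it
                    .build());
        }
    }
}
```

Run the debug build through every screen and background sync with this in place; the crash points straight at the code that opened the plain-text connection. The manifest setting mentioned above is what protects users in the release build.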
6. Insecure local storage: Shared Preferences are an XML file that anyone with access to the app's private directory can read; an SQLite database can be pulled off the device and opened; external storage is world-readable (the 777 of old); and internal storage is private only until the device is rooted, remember?
What can we do about this? Do not put anything critical there, and if we have to, let us at least make it harder to get at.
Shared Preferences: no plain text, please. Use something like Obscured Shared Preferences, and do not ship the encryption key inside the APK, because it will be recovered with the same decompilation tools that obfuscation only slows down; a key generated in the Android Keystore never leaves the device.
SQLite: substitute android-database-sqlcipher. Be warned that it bundles native libraries and adds considerable weight to the APK.
Filesystem: same drill. Do not save content you do not want others to read or modify. I have seen music streaming apps keep unencrypted files that you can simply copy off the device.
7. Using a ContentProvider: if you do not want to share your content provider, make sure it has android:exported="false" in your manifest. If you have to share it between your own apps, guard it with a permission declared at android:protectionLevel="signature" (the protection level goes on the <permission> element, and the provider references that permission through android:permission), so that only apps signed with the same key can call it.
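The manifest side of that, plus a runtime check on top, as an added example that is not from the article: a read-only provider that serves a constructed row and refuses any caller not signed with the app's key. The package name, authority, permission name, class name and sample row are assumptions.

```java
import android.content.ContentProvider;
import android.content.ContentValues;
import android.content.pm.PackageManager;
import android.database.Cursor;
import android.database.MatrixCursor;
import android.net.Uri;
import android.os.Binder;
import android.os.Process;

/**
 * Assumed manifest entries for package com.example.app:
 *
 *   <permission android:name="com.example.app.permission.READ_ACCOUNTS"
 *               android:protectionLevel="signature" />
 *
 *   <provider android:name=".AccountsProvider"
 *             android:authorities="com.example.app.accounts"
 *             android:exported="true"
 *             android:permission="com.example.app.permission.READ_ACCOUNTS" />
 *
 * A provider nobody else should reach gets android:exported="false" instead and needs no permission.
 */
public class AccountsProvider extends ContentProvider {
    private static final String[] COLUMNS = {"_id", "username"};

    /** Defence in depth behind the manifest permission: refuse callers not signed with our key. */
    private void requireSameSigner() {
        int caller = Binder.getCallingUid();   // uid of the remote caller during a provider call
        int self = Process.myUid();
        if (caller == self) return;            // in-process call
        PackageManager pm = getContext().getPackageManager();
        if (pm.checkSignatures(caller, self) != PackageManager.SIGNATURE_MATCH) {
            throw new SecurityException("uid " + caller + " is not signed with this app's key");
        }
    }

    @Override
    public boolean onCreate() {
        return true;
    }

    @Override
    public Cursor query(Uri uri, String[] projection, String selection,
                        String[] selectionArgs, String sortOrder) {
        requireSameSigner();
        // Constructed sample data; a real provider would query its database here.
        MatrixCursor cursor = new MatrixCursor(COLUMNS);
        cursor.addRow(new Object[]{1, "alice"});
        return cursor;
    }

    @Override
    public String getType(Uri uri) {
        return "vnd.android.cursor.dir/vnd.com.example.app.account";
    }

    // Read-only provider: writes are rejected outright rather than left unimplemented.
    @Override
    public Uri insert(Uri uri, ContentValues values) {
        throw new UnsupportedOperationException("read-only provider");
    }

    @Override
    public int delete(Uri uri, String selection, String[] selectionArgs) {
        throw new UnsupportedOperationException("read-only provider");
    }

    @Override
    public int update(Uri uri, ContentValues values, String selection, String[] selectionArgs) {
        throw new UnsupportedOperationException("read-only provider");
    }
}
```

The manifest permission is what the system enforces before query() is ever entered; the in-code check costs one Binder call and catches the case where a later manifest edit accidentally drops the permission attribute.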
There is more to this topic; we will be back in 102. Meanwhile, the documentation is pretty good, so dig in.