Let’s try to understand how we can make changes to our code and make it more secure.
1. Use ProGuard: I reverse apps to see how they implemented some feature, what libraries they are using, or how they structure their code. Nothing sinister. A lot of good folks don’t use ProGuard. Bless them. The question is, why make it easy for someone who is after your app? Obfuscate it. Plus, don’t forget the added advantage of reduced app size.
In your gradle file add
Add any related rules in proguard-project.txt
You can even try the paid alternative DexGuard.
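As an added illustration (not the Gradle snippet from the original post), this is what enabling ProGuard on release builds looks like in the module's build.gradle with the Android Gradle plugin; the rules file name follows the post, and everything else is the plugin's standard DSL:

```groovy
android {
    buildTypes {
        release {
            // Shrink and obfuscate release builds only; debug builds stay readable for stack traces.
            minifyEnabled true
            // Drop unused resources as well, for the size reduction mentioned above.
            shrinkResources true
            // Default Android rules plus the project's own keep rules (file name from the post).
            proguardFiles getDefaultProguardFile('proguard-android.txt'), 'proguard-project.txt'
        }
    }
}
```

Two things practitioners trip over: libraries that use reflection or serialised model classes need `-keep` rules in proguard-project.txt or they break only in release, and the `mapping.txt` file generated per release must be archived, because without it obfuscated crash reports cannot be mapped back to real class and method names.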
2. Is it a real device?: Are we running on a real device, or is it a fancy emulator? If your use case restricts the app from running on an emulator, then restrict it.
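The post does not show the check itself, so here is an added example (hypothetical helper, not from the original post) that inspects the `android.os.Build` properties the stock emulator and Genymotion report; the heuristic is split into a pure function so it can be unit-tested with constructed values:

```java
import android.os.Build;

/** Hypothetical helper (added example): heuristic check for common emulator build properties. */
public final class EmulatorCheck {

    private EmulatorCheck() {}

    /** Reads the running device's Build fields and applies the heuristics below. */
    public static boolean looksLikeEmulator() {
        return looksLikeEmulator(Build.FINGERPRINT, Build.MODEL, Build.MANUFACTURER,
                Build.BRAND, Build.DEVICE, Build.PRODUCT, Build.HARDWARE);
    }

    /** Pure function over the Build values so it can be unit-tested with constructed inputs. */
    static boolean looksLikeEmulator(String fingerprint, String model, String manufacturer,
                                     String brand, String device, String product, String hardware) {
        return fingerprint.startsWith("generic")
                || fingerprint.startsWith("unknown")
                || model.contains("google_sdk")
                || model.contains("Emulator")
                || model.contains("Android SDK built for x86")
                || manufacturer.contains("Genymotion")
                || (brand.startsWith("generic") && device.startsWith("generic"))
                || "google_sdk".equals(product)
                || hardware.contains("goldfish")   // classic QEMU-based emulator kernel
                || hardware.contains("ranchu");    // newer emulator kernel
    }
}
```

Call `EmulatorCheck.looksLikeEmulator()` early (for example in `Application.onCreate`) and decide per your use case whether to refuse sensitive flows or just log it. Treat it as one signal, not proof: Build values are just strings, and a customised emulator can report whatever a real device does, so pair this with server-side checks where the decision matters.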
5. Secure the network: Are you sending sensitive information in plain text? If yes, then you are doing it wrong. The StrictMode check detectCleartextNetwork() is here to the rescue.
Detect any network traffic from the calling app which is not wrapped in SSL/TLS.
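To make that concrete, an added example (not the post's code) of wiring the check into an `Application` subclass; `SecureApp` is a placeholder name and must be registered in the manifest with `android:name`, and `BuildConfig` is the class the build generates for your own package:

```java
import android.app.Application;
import android.os.Build;
import android.os.StrictMode;

/** Added example: an Application subclass (register it with android:name in the manifest). */
public class SecureApp extends Application {

    @Override
    public void onCreate() {
        super.onCreate();
        // detectCleartextNetwork() exists from API 23 (Marshmallow) onwards, so guard the call.
        if (BuildConfig.DEBUG && Build.VERSION.SDK_INT >= Build.VERSION_CODES.M) {
            StrictMode.setVmPolicy(new StrictMode.VmPolicy.Builder()
                    .detectCleartextNetwork()   // flag any socket traffic not wrapped in SSL/TLS
                    .penaltyLog()               // write the violation to logcat
                    .penaltyDeath()             // and crash the debug build so nobody ignores it
                    .build());
        }
    }
}
```

StrictMode is a development-time detector: it is enabled only for debug builds here, and it reports traffic rather than blocking it. For release builds the platform-level switch is `android:usesCleartextTraffic="false"` on the `<application>` element (API 23 and later), which makes the cleartext attempt fail instead of merely being logged.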
6. Insecure local storage: Shared Preferences — an XML file which is readable; SQLite database — can be pulled out and read; external storage — 777; internal storage — rooted device, remember?
What can we do to counter these? Do not store anything critical here, and if we have to, let’s make it a little more secure.
Shared Preferences — no plain text, please. You can use something like Obscured Shared Preferences.
SQLite — substitute it with android-database-sqlcipher. Careful, it can add considerable fat to the app.
Filesystem — same drill. Do not save content you do not want others to access or modify. I have seen music streaming apps keep unencrypted files which you can just copy and move out.
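The Shared Preferences and filesystem points above share one fix: encrypt before writing, and keep the key out of the same storage. As an added example (a hypothetical `EncryptedPrefs` wrapper, not the Obscured Shared Preferences library or the post's code), values are sealed with AES-GCM under a key generated in AndroidKeyStore (API 23+), so the XML file holds only ciphertext and the key never lands in app storage next to the data:

```java
import android.content.Context;
import android.content.SharedPreferences;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import android.util.Base64;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

/**
 * Hypothetical wrapper (added example): values are AES-GCM encrypted before they reach the
 * preferences XML file, with the key held in AndroidKeyStore (API 23+).
 */
public final class EncryptedPrefs {
    private static final String KEYSTORE = "AndroidKeyStore";
    private static final String TRANSFORMATION = "AES/GCM/NoPadding";
    private static final int TAG_BITS = 128;

    private final SharedPreferences prefs;
    private final SecretKey key;

    public EncryptedPrefs(Context ctx, String prefsName, String keyAlias)
            throws GeneralSecurityException, IOException {
        this.prefs = ctx.getSharedPreferences(prefsName, Context.MODE_PRIVATE);
        this.key = loadOrCreateKey(keyAlias);
    }

    /** Returns the keystore-backed AES key for the alias, generating it on first use. */
    private static SecretKey loadOrCreateKey(String alias)
            throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance(KEYSTORE);
        ks.load(null);
        if (!ks.containsAlias(alias)) {
            KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, KEYSTORE);
            kg.init(new KeyGenParameterSpec.Builder(alias,
                    KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                    .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                    .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                    .build());
            kg.generateKey();
        }
        return (SecretKey) ks.getKey(alias, null);
    }

    /** Encrypts the value; the stored record is base64(ivLength || iv || ciphertext+tag). */
    public void putString(String name, String value) throws GeneralSecurityException {
        Cipher cipher = Cipher.getInstance(TRANSFORMATION);
        cipher.init(Cipher.ENCRYPT_MODE, key);   // keystore supplies a fresh random IV per call
        byte[] iv = cipher.getIV();
        byte[] ct = cipher.doFinal(value.getBytes(StandardCharsets.UTF_8));
        byte[] record = new byte[1 + iv.length + ct.length];
        record[0] = (byte) iv.length;
        System.arraycopy(iv, 0, record, 1, iv.length);
        System.arraycopy(ct, 0, record, 1 + iv.length, ct.length);
        prefs.edit().putString(name, Base64.encodeToString(record, Base64.NO_WRAP)).apply();
    }

    /** Decrypts and returns the value, or null if absent; a tampered record fails the GCM tag. */
    public String getString(String name) throws GeneralSecurityException {
        String stored = prefs.getString(name, null);
        if (stored == null) return null;
        byte[] record = Base64.decode(stored, Base64.NO_WRAP);
        int ivLen = record[0] & 0xff;
        byte[] iv = Arrays.copyOfRange(record, 1, 1 + ivLen);
        byte[] ct = Arrays.copyOfRange(record, 1 + ivLen, record.length);
        Cipher cipher = Cipher.getInstance(TRANSFORMATION);
        cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        return new String(cipher.doFinal(ct), StandardCharsets.UTF_8);
    }
}
```

The same seal-before-write pattern applies to files on internal or external storage. What it does not buy you: preference names stay visible in the XML, and on a rooted device an attacker with a debugger can read plaintext out of the running process, so the goal is to stop casual extraction of the files, not to defend the app from its own host.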
7. Using ContentProvider: If you do not want to share your content provider, make sure you have android:exported="false" in your manifest, and android:protectionLevel="signature" in case you have to share it between your own apps.
There is more to the topic; we will be back in 102. Meanwhile, the documentation is pretty good, dig in.
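An added manifest example (not from the original post; package name, authorities and provider classes are placeholders) showing how the two settings fit together: `android:protectionLevel` belongs on a `<permission>` element, and the provider you want to share references that permission.

```xml
<!-- Added example, not the post's own manifest. Package name and classes are placeholders. -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">

    <!-- Signature-level permission: only apps signed with the same certificate can hold it. -->
    <permission
        android:name="com.example.app.permission.READ_NOTES"
        android:protectionLevel="signature" />

    <application>
        <!-- Private provider: not reachable from any other app at all. -->
        <provider
            android:name=".PrivateNotesProvider"
            android:authorities="com.example.app.private"
            android:exported="false" />

        <!-- Shared only between your own apps: exported, but gated by the signature permission. -->
        <provider
            android:name=".SharedNotesProvider"
            android:authorities="com.example.app.shared"
            android:exported="true"
            android:permission="com.example.app.permission.READ_NOTES" />
    </application>
</manifest>
```

Set `android:exported` explicitly on every provider rather than relying on the default, since on targets below API 17 a provider is exported unless you say otherwise; and if you use `android:grantUriPermissions`, remember that it can hand out access to individual URIs regardless of the permission above.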