How to develop a secure Android Application

The Android operating system has lots of built-in security features, such as application sand boxing, protection against buffer and integer overflow attacks, and segregated memory areas for program instructions and data. As a result, simple Android apps that don't perform any file system or networking operations can often be considered secure by default. If you are developing a more complex app, however, it is your responsibility to make it secure and protect the privacy of your users. In this blog, I'm going to list some of the best practices you should follow to build a secure Android app that doesn't leak data or permissions, and is, in general, less vulnerable to malicious apps that might be installed on the user's device.

1. Use Internal Storage for Sensitive Data

Every Android app has an internal storage directory associated with it. Files inside this directory are very secure because they use the MODE_PRIVATE file creation mode by default. This means the files cannot be accessed by any other app on the device. Therefore, it is a best place to store all the sensitive data of your app in the internal storage directory.

To determine the absolute path of your app's internal storage directory, it is recommended that you use the getFilesDir() method. Once you know its path, referencing files inside it is as simple as referencing files inside any other directory.

For example, here's how you could reference a file called myfile.dat in the  internal storage directory of your app:

File myFile = new File(getFilesDir(), "myfile.dat");

2. Encrypt Data on External Storage

The internal storage capacity of an Android device is often limited. Therefore, at times, you might have no choice but to store sensitive data on external storage media, such as a removable SD card.

Because data on external storage media can be directly accessed by both users and other apps on the device, it is important that you store it in an encrypted format. One of the most popular encryption algorithms used by developers today is AES(Advanced Encryption Standard) with a key size of 256 bits.

Writing code to encrypt and decrypt your app's data using the javax.crypto package, which is included in the Android SDK, can be confusing. Therefore, most developers prefer using third party libraries, such as Facebook's Conceal library, which are usually much easier to work with.

3. Validate User Input

On Android, invalid user input doesn't usually lead to security issues like buffer overruns. However, if you allow users to interact with a SQLite database or a content provider that internally uses a SQLite database, you must either rigorously sanitise user input or make use of parameterized queries. Failing to do so makes your data vulnerable to SQL injection attacks.

4. Avoid Asking for Personal Data

User privacy is given a lot of importance these days. Therefore, unless you have a good reason and a very secure infrastructure to collect, store, and transmit personal user information, you must avoid directly asking for it in your apps.

A better approach to user authentication and user profile information look up on Android is through the Google Identity Platform. Google Identity Platform allows users to quickly sign in to your app using their Google account. After a successful sign in through the platform, whenever necessary, your app can easily look up various details about the user, such as the user's name, email address, profile photo, contacts, and more. Alternatively, you could use free services like Firebase that can manage user authentication for you.

If you must handle user credentials yourself, it is recommended that you store and transmit them in the form of secure hashes. The most straightforward way to generate different types of hashes using the Android SDK is by using the MessageDigest class.

Linux : Manage Users

Creating(new user) or deleting existing users from your Linux system is very simple. All you need to do is to login into your system with Administration rights. And follow the below steps...

1. Go to Settings(by clicking the setting icon placed at top-right side of your system).

2. Select “System Settings”.

3. Now Click “User Account”

4. Since the '+' and '-' buttons are disabled initially, so it’s not possible to Add or Remove the users at this stage. In order to do that, we need to unlock the access rights. We can unlock it bu just clicking upon the Unlock button situated at the Top-Right side of this screen.

5. Enter your Admin password.

6. Now you can see the ‘+’ and ‘-’ button has been enabled. Use ‘+’ for adding a new user and ‘-’ for removing an existing user from your system. But before removing a user, make sure that User is selected.

Let’s Add a New User first.

Well, for that, I need to click upon that ‘+’ button. The moment you click the button, you will get the following screen....

The drop down menu here(at the top) is for selecting the user type(Standard or Administrator). Next field asks for the Full Name of the user. The last field(i.e username) will be auto filled.

Now Click the Add button. It will ask for your password once again. Provide your admin password and You are done!!

You can delete the user anytime by clicking the '-' button. 

In the above screen, you can select your option and the selected user will be deleted from your system.

Have a Good Day!! Enjoy..........

Common Development Mistakes

Now a days, development environments are “smart” enough to catch and fix many mistakes that early developers battled with regularly. There are even many different development platforms that easily turn simple static HTML pages into highly interactive applications. The purpose of this blog post is to shed light on some of the common mistakes made in different stages of the web development process. I have touched on a few general topics that are common to virtually all web developers.

#1: Incomplete input validation

Validating user input on client and server side is simply a must do! We are all aware of the sage advice“do not trust user input” but, nevertheless, mistakes stemming from validation happen all too often.

One of the most common consequences of this mistake is SQL Injection.

Most front-end development frameworks provide out-of-the-box validation rules that are incredibly simple to use. Additionally, most major back-end development platforms use simple annotations to assure that submitted data are adhering to expected rules. Implementing validation might be time consuming, but it should be part of your standard coding practice and never set aside.

#2: Authentication without proper Authorization

Before we proceed, let’s make sure we are aligned on these two terms.

Authentication: Verifying that a person is (or at least appears to be) a specific user, since he/she has correctly provided their security credentials (password, answers to security questions, fingerprint scan, etc.).

Authorization: Confirming that a particular user has access to a specific resource or is granted permission to perform a particular action.

Stated another way, authentication is knowing who an entity is, while authorization is knowing what a given entity can do.

Let me demonstrate this issue with an example:

Consider that your browser holds currently logged user information in an object similar to the following:

{

    username:'elvis',
    role:'singer',
    token:'123456789'

}

When doing a password change, your application makes the POST:

POST /changepassword/:username/:newpassword

In your/changepasswordmethod, you verify that user is logged and token has not expired. Then you find the user profile based on the :usernameparameter, and you change your user’s password.

So, you validated that your user is properly logged-in, and then you executed his request thus changing his password. Process seems OK, right? Unfortunately, the answer is NO!

At this point it is important to verify that the user executing the action and the user whose password is changed are the same. Any information stored on the browser can be tampered with, and any advanced user could easily updateusername:'elvis'tousername:'Administrator'without using anything else but built-in browser tools.

So in this case, we just took care ofAuthenticationmaking sure that the user provided security credentials. We can even add validation that/changepasswordmethod can only be executed byAuthenticatedusers. However, this is still not enough to protect your users from malicious attempts.

You need to make sure that you verify actual requester and content of request within your/changepasswordmethod and implement properAuthorizationof the request making sure that user can change only her data.

AuthenticationandAuthorizationare two sides of the same coin. Never treat them separately.

#3: Not optimising bandwidth usage

Most development and testing takes place in a local network environment. So when you are downloading 5 background images each being 3 MB or more, you might not identify an issue with 1 Gbit connection speed in your development environment. But when your users start loading a 15 MB home page over 3G connections on their smartphones, you should prepare yourself for a list of complaint sand problems.

Optimising your bandwidth usage could give you a great performance boost, and to gain this boost you probably only need a couple of tricks. There are few things that many good web developers do by default, including:

1. Magnification of all JavaScript
2. Magnification of all CSS
3. Server side HTTP compression
4. Optimisation of image size and resolution