How secure your Android app — 2022
1. Obfuscate your code
To make your app as small as possible, you should enable shrinking in your release build to remove unused code and resources. When enabling shrinking, you also benefit from obfuscation, which shortens the names of your app’s classes and members, and optimization,
2. Do not hardcode keys
Even when you have obfuscated your code, it’s never a good idea to hardcode a key inside your app, since a good hacker could understand the purpose of the key and use it consequently.
3. Pin your certificates
Don’t release an app if it relies on cleartext traffic! An attacker could be round the corner and, when under some conditions, he could intercept the traffic generated by a user, including credentials and other sensitive data (e.g. credit card number).
Be sure that you’re using safe HTTPS connections and your Network Security Config file is properly configured, in compliance with the Android documentation.
4. Root detection is your friend
When you’re releasing your application to the world, you’re sending your little child to the school on feet. Your little village could be safe, but you know that we all live in a potentially hostile environment.
To root a phone is a matter of freedom, but it paves the way to malwares and data stealing. There are famous libraries for root detections like RootBeer. When the application is launched, ensure to warn the final user about using a rooted environment. If your application is really critical (banking application) consider stopping the execution.
Yeah, it’s true, root detection can be bypassed, but it will be better than nothing.
5. Encrypt shared preferences and application data
You cannot rely on the Android OS to protect your app data. You must be proactive. Don’t save plaintext session tokens, keys and credentials in Shared Prefs, since a 0-day vulnerability could still extract them. Furthermore, the phone could be rooted and you are exposing users’ accounts to data stealing!When you’re in doubt, better use Encrypted Shared Prefs.
Be sure to encrypt data saved in SQLite databases, too.
6. External Storages
Remember that a mobile phone is, by nature…”mobile”.
You may lose it during your daily train trip, you can forget when you’re leaving KFC after a meal. While the internal storage of your phone could be encrypted, a malicious actor could still extract the SD card and read all the data saved by your application.
Don’t save user’s data to an external storage!
7. Manifest and Signature
There are some flags in your AndroidManifest.xml file which can give a little help in hardening your application. Let’s see them :)
usesClearTextTraffic, it’s by default set to True for apps targeting API level 27 or below. It allows your application to use cleartext protocols like HTTP. Define it in your AndroidManifest and set it to False. Note that this is a best-effort flag!
allowBackup, consider defining it and setting it to False (if your app targets API Level < 30), since it could expose users to data stealing
9. Pay attention to the clipboard!
Copy, cut, paste. Everybody uses them, but be aware that what the user copies to the clipboard can be read by other applications, including malicious ones. So, disable copy/paste on sensitive fields (e.g. credit card numbers)!
10. Screenshots/Screen Mirroring/Sharing/Casting
Every now and then we send screenshots to our friends. This apparently unharmed operation hides a dangerous background. When you are taking a snapshot of your screen, the picture is saved into your gallery and is available to other applications (even though a permission is needed).
So, what happens if the user takes a screenshot of fields containing information about the credit card?
Exactly! The screenshot will be readable from other applications, even evil ones if they are present.
You can prevent a user from taking a screenshot by using the FLAG_SECURE.
11. Detect Unsecured WIFI/Network
An unsecured network most often refers to a free Wi-Fi (wireless) network, like at a coffeehouse or retail store. It means there’s no special login or screening process to get on the network, which means you and anyone else can use it.
