Let’s try to understand what changes we can make to our code to make it more secure.

1. Use ProGuard: I reverse apps to see how they implemented some feature, which libraries they use, or how they structure their code. Nothing sinister. A lot of good folks don’t use ProGuard. Bless them. The question is: why make it easy for someone who is after your app? Obfuscate it. Plus, don’t forget the added advantage of reduced app size.

In your Gradle file add

android {
    ...

    buildTypes {
        release {
            minifyEnabled true
            proguardFiles getDefaultProguardFile('proguard-android.txt'),
                    'proguard-project.txt'
        }
    }
}

Add any project-specific keep rules in proguard-project.txt, for example:

-keep class com.android.vending.licensing.ILicensingService

You can even try the paid alternative DexGuard.

2. Is it a real device?: Are we running on a real device, or on a fancy emulator? If your use case does not allow running on an emulator, then restrict it.

// Heuristic check against well-known emulator build properties.
// Not tamper-proof: Build values can be changed on a modified device.
public static boolean isEmulator() {
    return Build.FINGERPRINT.startsWith("generic")
            || Build.FINGERPRINT.startsWith("unknown")
            || Build.MODEL.contains("google_sdk")
            || Build.MODEL.contains("Emulator")
            || Build.MODEL.contains("Android SDK built for x86")
            || Build.MANUFACTURER.contains("Genymotion")
            || (Build.BRAND.startsWith("generic")
                && Build.DEVICE.startsWith("generic"))
            || "google_sdk".equals(Build.PRODUCT);
}

3. Is it rooted?: Again, it depends on the use case. If you want to restrict the app to non-rooted devices, you can. Use your own checks or a library such as rootbeer:

RootBeer rootBeer = new RootBeer(context);
if (rootBeer.isRooted()) {
    // we found an indication of root
} else {
    // we didn't find any indication of root
}

4. Mighty WebView: Disable JavaScript support if you don’t need it. You do not want Pandora’s box to be opened. Remember the lint warning you get: “Using setJavaScriptEnabled can introduce XSS vulnerabilities ..”.

webSettings.setJavaScriptEnabled(false);

5. Secure the network: Are you sending sensitive information in plain text? If yes, then you are doing it wrong. The StrictMode check detectCleartextNetwork() comes to the rescue.

detectCleartextNetwork()

Detects any network traffic from the calling app which is not wrapped in SSL/TLS.

6. Insecure local storage: Shared Preferences are an XML file that is readable; the SQLite database can be pulled off the device and read; external storage is world-readable and writable (777); and internal storage is exposed on a rooted device, remember?

What can we do to counter this? Do not store anything critical there, and if we must, let’s make it a little more secure.

Shared Preferences: no plain text, please. Use something like Obscured Shared Preferences.

SQLite: substitute it with android-database-sqlcipher. Careful, it can add considerable fat to the app.

Filesystem: same drill. Do not save content you do not want others to access or modify. I have seen music streaming apps keep unencrypted files that you can simply copy and move out.

7. Using ContentProvider: If you do not want to share your content provider, make sure you have android:exported="false" in your manifest, and guard it with a permission declared with android:protectionLevel="signature" in case you have to share it between your own apps.
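As an added example (not from the original post), here is the manifest wiring for both cases; the package name, authorities, permission name and provider class names are made up:

```xml
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">

    <!-- Custom permission; "signature" means only apps signed with the
         same certificate as this one can be granted it. -->
    <permission
        android:name="com.example.notes.permission.READ_NOTES"
        android:protectionLevel="signature" />

    <application>

        <!-- Case 1: private provider. Set exported explicitly instead of
             relying on the platform default, so it is never reachable
             from other apps. -->
        <provider
            android:name=".PrivateNotesProvider"
            android:authorities="com.example.notes.private"
            android:exported="false" />

        <!-- Case 2: shared only with your own (same-key) apps. It must be
             exported, so the signature permission is what keeps everyone
             else out. -->
        <provider
            android:name=".SharedNotesProvider"
            android:authorities="com.example.notes.shared"
            android:exported="true"
            android:permission="com.example.notes.permission.READ_NOTES" />

    </application>
</manifest>
```

A sibling app signed with the same key requests the permission with a `<uses-permission android:name="com.example.notes.permission.READ_NOTES" />` element in its own manifest.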

There is more to this topic; we will be back in 102. Meanwhile, the documentation is pretty good, so dig in.