android secure coding
© Blueinfy Solutions
Secure Coding For Android Applications
Local Storage - Example
• Remember me option – NOT SECURE WAY
Token stored
• On local file – NOT SECURE WAY
Shared Preferences
• SHARED PREFERENCE – NOT SECURE WAY
Writing to file
• When opening a file for writing, make sure to open it in private mode as shown below –
String FILENAME = "temp";
String string = "token";
// MODE_PRIVATE: the file is accessible only to this application
FileOutputStream fos = openFileOutput(FILENAME, Context.MODE_PRIVATE);
fos.write(string.getBytes());
fos.close();
Local Storage – Secure Method
• Encrypt the data using strong encryption, possibly AES
• Do not decrypt the data at client side
• Send Encrypted Data to the server
• Server decrypts the data before validating it
Securing Secrets
• Use AES encryption to store secret information and make storage secure.
• APIs and libs for it.
• Random cookies and keys.
• Do not write to open or shared storage.
• Cache and file writing is not enough.
• Design level strategy for it.
Secure Method – Sample Code
Sending Encrypted in JSON
Secure
Cache with WebView
• By default, the WebView control caches all requests and responses
• Some of the filenames are –
  – webviewCache.db
  – webview.db-shm
  – webview.db-wal
  – webviewCookiesChromium.db
  – webviewCookiesChromiumPrivate.db
  – imagecache.db
Sample code to clear the cache
SSL Implementation
• Application sends request to server over SSL (Secure Way)
• Most applications fail to handle SSL certificate validation errors on the client side
• Only certificates from the OWNER server and its sub-domains should be allowed
Verify SSL Server – Sample Code
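One way to enforce the "OWNER server and sub-domain" rule while leaving normal certificate validation in place. This is an added example, not code from the original slides; the class name OwnerHostVerifier and the domain example.com are assumptions used for illustration.

```java
import java.io.IOException;
import java.net.URL;
import java.util.Locale;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLSession;

/** Added example: restricts HTTPS connections to the owner domain and its sub-domains. */
public final class OwnerHostVerifier implements HostnameVerifier {
    // Assumption: "example.com" is a placeholder for the application's own domain.
    private static final String OWNER_DOMAIN = "example.com";
    // Platform verifier that matches the host name against the server certificate.
    private final HostnameVerifier platform = HttpsURLConnection.getDefaultHostnameVerifier();

    /** True only for the owner domain itself or a host ending in ".<owner domain>". */
    static boolean isOwnerHost(String host) {
        if (host == null || host.isEmpty()) return false;
        String h = host.toLowerCase(Locale.ROOT);
        if (h.endsWith(".")) h = h.substring(0, h.length() - 1); // fully qualified form
        // The leading dot stops look-alikes such as "evilexample.com" from matching.
        return h.equals(OWNER_DOMAIN) || h.endsWith("." + OWNER_DOMAIN);
    }

    @Override
    public boolean verify(String hostname, SSLSession session) {
        // Both checks must pass: allowed host AND certificate valid for that host.
        return isOwnerHost(hostname) && platform.verify(hostname, session);
    }

    /** Opens a connection that keeps the default trust store and adds the host restriction. */
    public static HttpsURLConnection open(URL url) throws IOException {
        if (!"https".equalsIgnoreCase(url.getProtocol()) || !isOwnerHost(url.getHost())) {
            throw new IOException("Refusing URL outside the owner domain: " + url);
        }
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setHostnameVerifier(new OwnerHostVerifier());
        conn.setInstanceFollowRedirects(false); // a redirect must not leave the owner domain
        return conn;
    }
}
```

No custom TrustManager is installed, so certificate chain validation errors still abort the connection instead of being ignored.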
Copy/Paste in the text fields
• Services are shared between all the applications
• An attacker can write a malicious program that monitors the clipboard to get access to sensitive data if copy/paste is not disabled
• Copy/Paste must be disabled on the sensitive fields
Screenshot in temporary files
• Pressing the HOME button takes a screenshot of the last screen and saves it in local storage
• To disable this, the manifest file needs to be updated under the Activity tag
Protecting IP
• Unlike iOS, there is no encryption supported by the Android platform
• It is possible to decompile the binary and get access to the source code
• “ProGuard” can be leveraged to protect against decompilation
Code Analysis with AppCodeScan
• Semi automated tool
• Ability to expand with custom rules
• Simple tracing utility to verify and track vulnerabilities
• Simple HTML reporting which can be converted to PDF
Sample Rules - Android
Conclusion