Essential Android Security: Protecting Your App

<p>We&rsquo;ll begin our journey through Android app security from a minimal setup. The app already uses HTTPS-only connections (or WSS in the case of WebSocket), and the backend is secure on its own.</p>
<p><img alt="" src="https://miro.medium.com/v2/resize:fit:298/1*ee-YFHbGYF505sjt2ynP5w.png" style="height:93px; width:298px" /></p>
<p>Basic initial setup</p>
<p>What could go wrong? <em>Lots of things!</em></p>
<p>First of all, be sure to check that <strong>dependencies do not use plain HTTP</strong> traffic. You can easily check this by analyzing the final APK produced by your release build, specifically by inspecting the final, merged AndroidManifest.xml. If any library requires plain HTTP, you&rsquo;ll notice something like the following:</p>
<pre>
&lt;application android:usesCleartextTraffic=&quot;true&quot;&gt;
    &lt;!-- ... --&gt;
&lt;/application&gt;

&lt;!-- Or also... --&gt;
&lt;application android:networkSecurityConfig=&quot;@xml/network_security_config&quot;&gt;
    &lt;!-- ... --&gt;
&lt;/application&gt;
</pre>
<p>In the case of a <em>networkSecurityConfig</em>, you should check that configuration file too, because it can permit cleartext traffic on its own; but that&rsquo;s the idea. As a general rule, do not trust library code and always double-check the final APK.</p>
<p>Also, you may want to use other tools such as <a href="https://mobsf.live/" rel="noopener ugc nofollow" target="_blank">MobSF</a>, but let&rsquo;s go on!</p>
<h1>Basic Level: Code Obfuscation and Play Signing</h1>
<p>Besides the advantages we should already know about from using tools such as R8 and ProGuard, such as performance improvements and app size reduction from tree shaking (and not only that!), here we focus mainly on the security aspects.</p>
<p>Code obfuscation makes it harder for adversaries to understand and then modify the app&rsquo;s code, for instance to release modified versions of the app that skip client-side feature limitations. We will never reach a point where this cannot happen, but it is in our interest to make it as hard as possible.</p>
<p>Finally, Play Signing protects us against keystore leaks, whether from a GitHub repository, from insecure storage, or from a weak keystore password. Considering that such leaks are a growing trend, it&rsquo;s as important as ever to adopt all the countermeasures.</p>
<p><a href="https://blog.safetorun.com/essential-android-security-protecting-your-app-3f47cd89ea9e">Visit Now</a></p>
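<p>The manifest check from the first section, as an added example that is not part of the original post: a small Python script that takes an already-decoded manifest (for instance the output of <code>apkanalyzer manifest print app-release.apk</code> from the Android SDK command-line tools) together with the referenced <code>res/xml/network_security_config.xml</code>, and reports where cleartext traffic is permitted, both app-wide and per domain. The sample XML inside it is constructed for illustration and the function names are my own.</p>

```python
"""Flag cleartext-HTTP settings in a release build's decoded AndroidManifest.xml
and in the network security config it references.

Added example, not code from the original post. It assumes the manifest has
already been decoded (e.g. `apkanalyzer manifest print app-release.apk`) and
that the referenced res/xml/network_security_config.xml has been extracted;
the sample XML below is constructed for illustration.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Sections of network_security_config.xml that apply to a release build.
# <debug-overrides> only takes effect in debuggable builds, so it is skipped here.
NSC_SCOPES = ("base-config", "domain-config")


def _android_attr(elem, name):
    """Read an attribute from the android: namespace (None if absent)."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def check_manifest(manifest_xml):
    """Inspect <application>: is cleartext allowed app-wide, and which
    network security config resource (if any) is referenced?"""
    root = ET.fromstring(manifest_xml)
    findings = {"cleartext_allowed": False, "network_security_config": None}
    app = root.find("application")
    if app is None:
        return findings
    flag = _android_attr(app, "usesCleartextTraffic") or ""
    findings["cleartext_allowed"] = flag.lower() == "true"
    findings["network_security_config"] = _android_attr(app, "networkSecurityConfig")
    return findings


def check_network_security_config(config_xml):
    """Return (scope, [domains]) for every section that sets
    cleartextTrafficPermitted="true"; an empty domain list means all hosts."""
    root = ET.fromstring(config_xml)
    permitted = []
    for section in root:
        if section.tag not in NSC_SCOPES:
            continue
        if (section.get("cleartextTrafficPermitted") or "").lower() != "true":
            continue
        domains = [d.text.strip() for d in section.findall("domain") if d.text]
        permitted.append((section.tag, domains))
    return permitted


def audit(manifest_xml, config_files):
    """Combine both checks into warnings. config_files maps a resource
    reference such as "@xml/network_security_config" to that file's contents."""
    warnings = []
    m = check_manifest(manifest_xml)
    if m["cleartext_allowed"]:
        warnings.append('android:usesCleartextTraffic="true" on <application>: plain HTTP allowed app-wide')
    ref = m["network_security_config"]
    if ref:
        cfg = config_files.get(ref)
        if cfg is None:
            warnings.append("%s is referenced by the manifest but was not supplied for review" % ref)
        else:
            for scope, domains in check_network_security_config(cfg):
                target = ", ".join(domains) if domains else "all hosts"
                warnings.append("%s: <%s> permits cleartext traffic for %s" % (ref, scope, target))
    return warnings


# Constructed sample input: a manifest that delegates to a network security
# config, and a config that re-enables cleartext for one legacy host.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder">
    <application android:networkSecurityConfig="@xml/network_security_config">
        <activity android:name=".MainActivity" />
    </application>
</manifest>"""

SAMPLE_NSC = """<network-security-config>
    <base-config cleartextTrafficPermitted="false" />
    <domain-config cleartextTrafficPermitted="true">
        <domain includeSubdomains="true">legacy-cdn.example.com</domain>
    </domain-config>
</network-security-config>"""

if __name__ == "__main__":
    for warning in audit(SAMPLE_MANIFEST, {"@xml/network_security_config": SAMPLE_NSC}):
        print("WARN:", warning)
```

<p>Run against the constructed sample, the script reports nothing about the manifest itself (there is no <code>usesCleartextTraffic</code> attribute) but flags the <code>domain-config</code> that re-enables plain HTTP for one host, which is exactly the case that is easy to miss if you stop at the manifest. Running it on every release build, rather than only once, catches a dependency update that quietly brings such a setting back.</p>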