Mobile App Security Checklist: What You Need to Do Before Launching Your Android App
June 29, 2020 By Cypress Data Defense In Technical
Frequent updates, complex backend, and feature-rich Android applications are released daily to major app stores. Yet, many apps become victims of cybersecurity attacks before they even get a chance to bloom.
Employees, stakeholders, and customers can use mobile apps, so there are various threat vectors, and maintaining the security of the mobile application and the backend services is imperative for businesses today. Some of the common mobile security exploits affecting Android apps are:

Understanding Mobile App Defense In-Depth

Implementing application security starts with requirements and design and continues throughout the software development life cycle (SDLC). What are the security considerations for Android mobile applications? To help you ensure security in your Android application, here is an Android app security checklist to get you started with security considerations for designing, testing, and releasing secure Android apps. This mobile application security checklist can help you get started towards maintaining application security. Of course, you should have security experts conduct a more thorough review, as this app security checklist covers mainly the basics.

#1. Protect Data Storage with Encryption and Use of the Keystore

Data storage security plays a crucial role in Android application security. You will store data on different devices, networks, or systems for all sorts of reasons, and this mobile app data could include sensitive information such as credit card info, user credentials, or much more. You should ensure your data is secure and encrypted to prevent loss. Consider using Android Keystore, which provides access to a secure location for storing sensitive data, such as cryptographic keys or user credentials. When a key is generated in the secure hardware, you can also specify access controls to protect its use.

Additionally, ensure no sensitive information is displayed through the mobile app user interface or exposed via IPC (inter-process communication) mechanisms. Also, no sensitive information should be written in application logs or shared with third parties unless it is an essential part of the architecture and those interactions are tightly controlled.
#2. Secure Platform Interaction by Configuring WebViews

It is important that the mobile application uses standard components and platform APIs in a secure manner. For this, ensure the mobile application only requests the minimum permissions necessary. All inputs from the user and external sources must be validated and sanitized where necessary. This includes data received through IPC mechanisms such as network sources, custom URLs, or intents. Ensure the mobile application does not export critical features through IPC facilities or custom URL schemes unless they are properly protected.

Check that WebViews are configured to allow only the minimum protocol handlers required. Potentially harmful handlers, such as app-id, tel, and file, should be disabled. Clear the WebView’s storage, loaded resources, and cache before it is destroyed. If the mobile application’s native methods are exposed to a WebView, it should only render JavaScript contained within the application’s package. Moreover, implementing object serialization with safe serialization APIs also helps keep platform interaction secure.

#3. Leverage Cryptography to Maintain Mobile App Security

Cryptography is an important aspect of securing the user’s data, especially in a mobile environment, where attackers may have physical access to the mobile device. Cryptography aims to maintain data authenticity, integrity, and confidentiality, even while facing an attack. Android developers should know the Java Cryptography Architecture (JCA) security providers that their software uses. They should consider using the highest level of the pre-existing app security framework that can support their application’s use case. Ensure the mobile application uses proven cryptographic primitives (such as one-way hash functions and digital signatures) and does not depend solely on symmetric cryptography with hardcoded keys as its only encryption process. (Don’t use hardcoded keys!) Ensure the mobile application does not use cryptographic algorithms or protocols considered deprecated for security reasons.
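One way to apply the WebView items above (only the minimum protocol handlers, harmful handlers such as tel and file refused, state cleared before the view is destroyed), as an added Kotlin example that is not code from the original article; `HardenedWebView`, the `allowedHost` parameter and the https-only allow-list are assumptions for illustration:

```kotlin
import android.net.Uri
import android.webkit.CookieManager
import android.webkit.WebResourceRequest
import android.webkit.WebResourceResponse
import android.webkit.WebStorage
import android.webkit.WebView
import android.webkit.WebViewClient
import java.io.ByteArrayInputStream

// Hypothetical helper (not the article's code): restricts a WebView to https on one
// host and wipes its state before it is destroyed. Needs API 24+ for the overrides used.
object HardenedWebView {
    private val ALLOWED_SCHEMES = setOf("https")

    // Only https URLs on [allowedHost] pass; tel:, file:, intent:, custom app-id:
    // handlers and every other host are refused.
    fun isAllowed(uri: Uri, allowedHost: String): Boolean =
        (uri.scheme ?: "").lowercase() in ALLOWED_SCHEMES &&
            uri.host.equals(allowedHost, ignoreCase = true)
    fun configure(webView: WebView, allowedHost: String) {
        webView.settings.apply {
            javaScriptEnabled = false  // enable only if needed; never expose native methods to remote content
            allowFileAccess = false    // no file:// reads
            allowContentAccess = false // no content:// provider reads
        }
        webView.webViewClient = object : WebViewClient() {
            // Top-level navigations: returning true tells the WebView not to load the URL.
            override fun shouldOverrideUrlLoading(view: WebView, request: WebResourceRequest): Boolean =
                !isAllowed(request.url, allowedHost)
            // Sub-resource loads (scripts, images, frames): answer disallowed ones with an empty body.
            override fun shouldInterceptRequest(view: WebView, request: WebResourceRequest): WebResourceResponse? =
                if (isAllowed(request.url, allowedHost)) null
                else WebResourceResponse("text/plain", "utf-8", ByteArrayInputStream(ByteArray(0)))
        }
    }

    // Call from the host's onDestroy(): clear cache, history, form data, web storage
    // and cookies, then release the view.
    fun wipeAndDestroy(webView: WebView) {
        webView.stopLoading()
        webView.clearCache(true)
        webView.clearHistory()
        webView.clearFormData()
        webView.loadUrl("about:blank")
        WebStorage.getInstance().deleteAllData()
        CookieManager.getInstance().removeAllCookies(null)
        webView.destroy()
    }
}
```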
To maintain mobile app security, use different cryptographic keys for different purposes. Make sure each key is used for a specific purpose, rather than having a single key that encrypts everything; multiple keys minimize the blast radius if one key is compromised. Furthermore, make sure that all random values are created using a secure random number generator. Using the KeyStore, which offers a mechanism for storing and retrieving cryptographic keys, lets you keep keys for repeated use without much hassle.

#4. Implement Strong Authentication Controls

No Android app security checklist is complete without authentication best practices. Authentication is the process of validating a user’s identity to determine whether or not they are who they claim to be. If the mobile application provides users with remote services, it should integrate an acceptable form of authentication, such as a username and password, at the remote endpoint. Create a strong password policy for your mobile application with stringent guidelines that users must follow. Have them use long passwords or passphrases that have not been previously compromised. Also, if a user submits incorrect authentication credentials more than a specific number of times, they should be temporarily blocked from further accessing the account or asked to provide more information to prove their identity.

Authentication schemes can be complemented with passive contextual authentication, which takes into account the IP address, geolocation, device being used, and time of day. Ideally, such an authentication system compares the user’s context to previously recorded data to detect anomalies that might indicate potential fraud or account abuse. Further, the mobile application should inform users of recent activities such as login attempts, transactions, etc. Use multi-factor authentication, which typically includes one-time passwords via time-based tokens or email to registered contact details, secure tokens, PINs, biometric authentication, and more, to validate a user’s identity.
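The Keystore-backed storage of item #1 and the per-purpose keys, no hardcoded keys, and secure randomness of item #3 in one place, as an added Kotlin example that is not code from the original article; `KeystoreCrypto`, the alias names and the IV-prefixed output layout are assumptions for illustration:

```kotlin
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyProperties
import java.security.KeyStore
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey
import javax.crypto.spec.GCMParameterSpec

// Hypothetical helper (not the article's code): keys are generated inside AndroidKeyStore,
// so nothing is hardcoded, and one alias per purpose limits the blast radius of a compromise.
object KeystoreCrypto {
    private const val PROVIDER = "AndroidKeyStore"
    private const val TRANSFORM = "AES/GCM/NoPadding"
    const val ALIAS_CREDENTIALS = "credentials-aes-gcm"  // assumed alias name
    const val ALIAS_CARD_CACHE = "card-cache-aes-gcm"    // assumed alias name

    // Returns the AES-256 key for [alias], generating it in the Keystore on first use.
    fun keyFor(alias: String, requireUserAuth: Boolean = false): SecretKey {
        val ks = KeyStore.getInstance(PROVIDER).apply { load(null) }
        (ks.getEntry(alias, null) as? KeyStore.SecretKeyEntry)?.let { return it.secretKey }
        val spec = KeyGenParameterSpec.Builder(
            alias, KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT
        )
            .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
            .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
            .setKeySize(256)
            .setRandomizedEncryptionRequired(true) // IV comes from the Keystore's secure RNG
            // Access control on the key: with true, the Cipher must be authorized through a
            // BiometricPrompt CryptoObject before it can be used.
            .setUserAuthenticationRequired(requireUserAuth)
            .build()
        return KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, PROVIDER)
            .apply { init(spec) }.generateKey()
    }

    // Output layout (assumed): [12-byte IV][ciphertext || 16-byte GCM tag]
    fun encrypt(alias: String, plaintext: ByteArray): ByteArray {
        val cipher = Cipher.getInstance(TRANSFORM)
        cipher.init(Cipher.ENCRYPT_MODE, keyFor(alias)) // never supply your own IV here
        return cipher.iv + cipher.doFinal(plaintext)
    }

    // Throws javax.crypto.AEADBadTagException if the blob was modified.
    fun decrypt(alias: String, blob: ByteArray): ByteArray {
        val cipher = Cipher.getInstance(TRANSFORM)
        val params = GCMParameterSpec(128, blob.copyOfRange(0, 12))
        cipher.init(Cipher.DECRYPT_MODE, keyFor(alias), params)
        return cipher.doFinal(blob.copyOfRange(12, blob.size))
    }
}
```

Because the key material never leaves the Keystore, an attacker who copies the app's files or database still cannot decrypt the stored blobs.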
#5. Using TLS Certificates to Protect Data-in-Transit

Network security in Android apps is inherently risky, as it involves transmitting potentially personal data to the user (and back to the servers). Mobile users are increasingly familiar with the privacy and security concerns of mobile apps, especially if an Android app performs transactions across the network, so it’s essential that your mobile application implements all mobile app security best practices to keep the user’s data secure at all times.

Data in transit should be secured, which means the data your application sends, receives, and stores should be protected with TLS or VPN tunnel communication. Having these certificates and processes integrated into your application’s networking helps build a secure channel consistently throughout the mobile application. For instance, Transport Layer Security (TLS) encrypts data as it moves across the network. If the mobile operating system does not support TLS, the TLS settings should ideally follow best practices or be as close to the recommended standards as possible. Attacks that can be induced from input data over an IPC or network when using native code should be controlled properly by managing buffers and handling pointers.

When a secure channel is established, the mobile application should verify the remote endpoint’s X.509 certificate. Only certificates signed by a trusted CA are accepted. Preferably, pin your certificates.

No sensitive app data should be included in the backups generated by the mobile operating system. The Android app should not hold sensitive data in memory longer than required, and memory should be cleared explicitly after use. The Android app should enforce a minimum device-access-security policy, requiring the user to set a password. Access tokens and sessions should be invalidated at the remote endpoint once a user has logged out of the application or after a predefined period of time.
In addition, the mobile app should not rely only on a single insecure communication channel (SMS or email) for sensitive operations, such as account recovery, sensitive transactions, or enrollments. The application should also be able to detect if it’s running on a rooted device. Depending on the business requirements, either the app should be terminated or the user should be warned if the device is rooted. The mobile application should notify users about all login activities via email or SMS, providing a list of devices used to access their account, the time and location from which the app was accessed, and an option to block specific devices.

Is Your App Ready to Launch?

Maintaining mobile app security is highly recommended as the number of cyberattacks targeting mobile apps is continuously rising. This Android application security checklist will help you ensure that your application follows the best security practices and protects your users from becoming cyberattack victims. It is important to be familiar with and follow the Android security best practices, as they reduce the possibility of introducing mobile app security issues that can potentially affect your users. To determine whether your Android app follows the best mobile app security practices, you can also contact Cypress Data Defense, and a mobile app security expert can help you analyze your existing application’s security posture.