June 29, 2020 By Cypress Data Defense In Technical
Frequently updated, feature-rich Android applications with complex backends are released to the major app stores every day. Yet many apps fall victim to cyberattacks before they even get a chance to bloom.
Mobile apps are used by employees, stakeholders, and customers, so there are many threat vectors, and maintaining the security of both the mobile application and its backend services is imperative for businesses today. Some of the common mobile security exploits affecting Android apps are:

Implementing application security starts at the very beginning, with requirements and design, and continues throughout the software development life cycle (SDLC). What are the security considerations for Android mobile applications? To help you ensure security in your Android application, here is an Android app security checklist covering the security considerations for designing, testing, and releasing secure Android apps. It will get you started towards maintaining application security; of course, you should have security experts conduct a more thorough review, as this checklist covers mainly the basics.

Mobile App Security Checklist: What You Need to Do Before Launching Your Android App

#1. Protect Data Storage with Encryption and Use of the Keystore

Data storage security plays a crucial role in Android application security. You will store data on different devices, networks, or systems for all sorts of reasons, and that data may include sensitive information such as credit card details, user credentials, and much more. Ensure that the data you store is encrypted and protected against loss. Consider using the Android Keystore, which provides a secure location for storing sensitive material such as cryptographic keys or user credentials; when a key is generated in secure hardware, you can also specify access controls that govern use of the key. Additionally, make sure that no sensitive information is displayed through the app's user interface or exposed via IPC (inter-process communication) mechanisms. Likewise, no sensitive information should be written to application logs or shared with third parties unless it is an essential part of the architecture and those interactions are tightly controlled.
#2. Secure Platform Interaction by Configuring WebViews

It is important that the mobile application uses standard components and platform APIs in a secure manner. To that end, ensure the application requests only the minimum set of permissions necessary. All input from the user and from external sources must be validated, and sanitized where necessary; this includes data received through IPC mechanisms such as network sources, custom URLs, or intents. Ensure the application does not export critical functionality through IPC facilities or custom URL schemes unless it is properly protected. Check that WebViews are configured to allow only the minimum set of protocol handlers required; potentially harmful handlers such as app-id, tel, and file should be disabled. Make sure the WebView's storage, loaded resources, and cache are cleared before the WebView is destroyed. If native methods of the application are exposed to a WebView, that WebView should only render JavaScript contained within the application's package. Finally, implementing object serialization with safe serialization APIs also helps keep platform interaction secure.

#3. Leverage Cryptography to Maintain Mobile App Security

Cryptography is an important aspect of securing the user's data, especially in a mobile environment where attackers may have physical access to the device. The purpose of cryptography is to maintain data authenticity, integrity, and confidentiality even while under attack. Android developers should know which Java Cryptography Architecture (JCA) security providers their software uses, and should prefer the highest-level existing security framework that supports their application's use case over low-level primitives. Ensure the application uses proven cryptographic primitives (such as one-way hash functions and digital signatures) and does not rely solely on symmetric cryptography with hardcoded keys as its only encryption process. (Don't use hardcoded keys!!!)
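The WebView hardening from item #2, as an added Kotlin example that is not from the original article: the host allow-list, the bridge object name and the asset file name are assumed placeholders.

```kotlin
import android.webkit.JavascriptInterface
import android.webkit.WebResourceRequest
import android.webkit.WebStorage
import android.webkit.WebView
import android.webkit.WebViewClient

// Navigation is allowed only over https to our own host; tel:, file:, intent:, market:
// and any other handler is refused by returning true (the WebView drops the request).
class AllowListClient(private val allowedHost: String) : WebViewClient() {
    override fun shouldOverrideUrlLoading(view: WebView, request: WebResourceRequest): Boolean {
        val uri = request.url
        return !(uri.scheme == "https" && uri.host.equals(allowedHost, ignoreCase = true))
    }
}

fun hardenWebView(webView: WebView, allowedHost: String) {
    with(webView.settings) {
        javaScriptEnabled = false                 // enable only for pages that need it
        allowFileAccess = false                   // no file:// loads (bundled assets still work)
        allowContentAccess = false                // no content:// provider access
        setGeolocationEnabled(false)
    }
    webView.webViewClient = AllowListClient(allowedHost)
}

// Native methods reachable from JavaScript. The page driving them must ship inside the
// APK, and every navigation away from it is blocked so a remote page never sees the bridge.
class LocalBridge {
    @JavascriptInterface
    fun appVersion(): String = "1.0.0"            // constructed value
}

fun attachLocalOnlyBridge(webView: WebView) {
    webView.settings.javaScriptEnabled = true
    webView.addJavascriptInterface(LocalBridge(), "AppBridge")   // assumed bridge name
    webView.webViewClient = object : WebViewClient() {
        override fun shouldOverrideUrlLoading(view: WebView, request: WebResourceRequest) = true
    }
    webView.loadUrl("file:///android_asset/bridge_page.html")    // assumed asset name
}

// Wipe storage, loaded resources and cache before the WebView goes away.
fun tearDownWebView(webView: WebView) {
    webView.clearCache(true)
    webView.clearHistory()
    webView.clearFormData()
    WebStorage.getInstance().deleteAllData()
    webView.destroy()
}
```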
Make sure the application does not use cryptographic algorithms or protocols that are deprecated for security reasons. Use different cryptographic keys for different purposes: each key should serve one specific purpose rather than a single key encrypting everything, which minimizes the blast radius if a key is compromised. Furthermore, make sure that all random values are created with a secure random number generator. Using the KeyStore, which offers a mechanism for storing and retrieving cryptographic keys, lets you keep keys for repeated use without much hassle.

#4. Implement Strong Authentication Controls

No Android app security checklist is complete without authentication best practices. Authentication is the process of validating a user's identity to determine whether they are who they claim to be. If the mobile application provides users with remote services, integrate an acceptable form of authentication, such as username and password, at the remote endpoint. Create a strong password policy for your application with stringent guidelines that users must follow: have them use long passwords or passphrases that have not been previously compromised. Also, if a user submits incorrect credentials more than a specific number of times, they should be temporarily blocked from further access to the account or asked to provide more information to prove their identity. Authentication schemes can be complemented with passive contextual authentication based on IP address, geolocation, the device in use, and time of day; ideally, the user's current context is compared to previously recorded data to detect anomalies that might indicate fraud or account abuse. Further, the application should inform the user of recent activity such as login attempts and transactions.
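Items #1 and #3 together, as an added Kotlin example that is not the article's own code: purpose-bound keys in the Android Keystore, with an unlock-gated AES-GCM key for stored records, a separate HMAC key for integrity, and SecureRandom for every other random value. The key aliases are assumed names.

```kotlin
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyProperties
import java.security.KeyStore
import java.security.SecureRandom
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.Mac
import javax.crypto.SecretKey
import javax.crypto.spec.GCMParameterSpec

private const val KS = "AndroidKeyStore"
private const val DATA_KEY = "app.records.aes"     // assumed alias names; one alias per purpose
private const val MAC_KEY = "app.integrity.hmac"
private fun existingKey(alias: String): SecretKey? =
    KeyStore.getInstance(KS).apply { load(null) }.getKey(alias, null) as? SecretKey

// AES-256-GCM key whose material never leaves the Keystore; usable only within 30 s of a
// device unlock (generateKey throws IllegalStateException without a secure lock screen).
fun dataKey(): SecretKey = existingKey(DATA_KEY)
    ?: KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, KS).apply {
        init(KeyGenParameterSpec.Builder(DATA_KEY, KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT)
            .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
            .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
            .setKeySize(256)
            .setUserAuthenticationRequired(true)
            .setUserAuthenticationValidityDurationSeconds(30)
            .build())
    }.generateKey()

// HMAC key restricted to SIGN/VERIFY; the Keystore rejects any attempt to encrypt with it.
fun macKey(): SecretKey = existingKey(MAC_KEY)
    ?: KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_HMAC_SHA256, KS).apply {
        init(KeyGenParameterSpec.Builder(MAC_KEY, KeyProperties.PURPOSE_SIGN or KeyProperties.PURPOSE_VERIFY).build())
    }.generateKey()

// Layout: 12-byte IV || ciphertext || 16-byte tag. The Keystore chooses the IV itself
// (randomized encryption is enforced for GCM keys), so it is read back from the Cipher.
fun seal(plaintext: ByteArray): ByteArray = Cipher.getInstance("AES/GCM/NoPadding").run {
    init(Cipher.ENCRYPT_MODE, dataKey())
    iv + doFinal(plaintext)
}

fun open(sealed: ByteArray): ByteArray = Cipher.getInstance("AES/GCM/NoPadding").run {
    init(Cipher.DECRYPT_MODE, dataKey(), GCMParameterSpec(128, sealed.copyOfRange(0, 12)))
    doFinal(sealed, 12, sealed.size - 12)
}
fun integrityTag(data: ByteArray): ByteArray =
    Mac.getInstance("HmacSHA256").apply { init(macKey()) }.doFinal(data)

// Salts, nonces and challenges come from SecureRandom, never from Random or a constant.
fun randomSalt(): ByteArray = ByteArray(16).also { SecureRandom().nextBytes(it) }
```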
Use multi-factor authentication, which typically validates a user's identity with one-time passwords (time-based tokens or codes sent to registered contact details), secure tokens, PINs, biometrics, and more.

#5. Using TLS Certificates to Protect Data-in-Transit

Network security in Android apps is inherently risky, as it involves transmitting data that is potentially personal to the user to (and back from) the servers. Mobile users are increasingly aware of the privacy and security concerns of mobile apps, especially when an Android app performs transactions across the network, so it is essential that your application follows mobile app security best practices to keep the user's data secure at all times. Data in transit should be secured: everything your application sends and receives should travel over TLS or a VPN tunnel. Having these certificates and processes integrated into your application's networking builds a secure channel consistently throughout the app. Transport Layer Security (TLS) encrypts data as it moves across the network; the TLS settings should follow best practices, or come as close to the recommended standards as the mobile operating system allows. When native code processes input received over IPC or the network, control memory-corruption attacks by managing buffers and handling pointers carefully. When a secure channel is established, the application should verify the X.509 certificate of the remote endpoint, accepting only certificates signed by a trusted CA; preferably, pin your certificates. No sensitive app data should be included in the backups generated by the mobile operating system. Also, the app should not hold sensitive data in memory longer than required, and memory should be cleared explicitly after use.
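The certificate pinning and TLS settings from item #5, as an added Kotlin example that is not from the article; it assumes OkHttp 4.x, and the host name and pin values are placeholders.

```kotlin
import okhttp3.CertificatePinner
import okhttp3.ConnectionSpec
import okhttp3.OkHttpClient
import okhttp3.Request
import java.io.IOException
import java.util.concurrent.TimeUnit
import javax.net.ssl.SSLPeerUnverifiedException

// Assumed host; the two pins are placeholders (32 bytes, base64) that must be replaced
// with the real SHA-256 hashes of the server's SubjectPublicKeyInfo.
const val API_HOST = "api.example.com"
private const val CURRENT_PIN = "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="
private const val BACKUP_PIN = "sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBA="

// Pin the current key plus a backup (next key or intermediate CA) so a planned
// certificate rotation does not lock every installed client out of the API.
val pinner: CertificatePinner = CertificatePinner.Builder()
    .add(API_HOST, CURRENT_PIN, BACKUP_PIN)
    .build()

val client: OkHttpClient = OkHttpClient.Builder()
    // TLS 1.2+ only, strong cipher suites, and no cleartext ConnectionSpec at all.
    .connectionSpecs(listOf(ConnectionSpec.RESTRICTED_TLS))
    .certificatePinner(pinner)       // the chain must still validate against the system CAs
    .connectTimeout(10, TimeUnit.SECONDS)
    .build()

sealed class Outcome {
    data class Ok(val status: Int) : Outcome()
    object PinMismatch : Outcome()            // possible interception or a forgotten rotation
    data class Transport(val error: IOException) : Outcome()
}

// Tell a pin failure apart from ordinary network errors so it can be logged and surfaced
// separately; the exception message lists the pins the presented chain actually has.
fun fetch(path: String): Outcome = try {
    client.newCall(Request.Builder().url("https://$API_HOST$path").build())
        .execute().use { Outcome.Ok(it.code) }
} catch (e: SSLPeerUnverifiedException) {   // subclass of IOException: catch it first
    Outcome.PinMismatch
} catch (e: IOException) {
    Outcome.Transport(e)
}
```

The declarative equivalent on Android is a Network Security Configuration (res/xml/network_security_config.xml) with a pin-set, which covers every connection the app makes rather than only this client.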
Understanding Mobile App Defense In-Depth

The Android app should enforce a minimum device-access security policy, which requires the user to set a device password. Access tokens and sessions should be invalidated at the remote endpoint once a user has logged out of the application or after a predefined period of time. In addition, the app should not rely on a single insecure communication channel (SMS or email) for sensitive operations such as account recovery, sensitive transactions, or enrollment. The application should also be able to detect whether it is running on a rooted device and, depending on business requirements, either terminate or warn the user. The application should notify users about all login activity via email or SMS, providing a list of the devices used to access their account and the time and location from which the app was accessed, and give them an option to block specific devices.

Is Your App Ready to Launch?

Maintaining mobile app security is highly recommended, as the number of cyberattacks targeting mobile apps is continuously on the rise. This Android application security checklist will help you ensure that your application follows security best practices and protects your users from becoming victims of a cyberattack. It is important to be familiar with Android security best practices and follow them, as they reduce the possibility of introducing mobile app security issues that could affect your users. To determine whether your Android app follows mobile app security best practices, you can also reach out to Cypress Data Defense, where a mobile app security expert can help you analyze your existing application's security posture.
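The device-access policy and root check from the defense-in-depth section above, as an added Kotlin example that is not from the article; the su path list and the function names are assumptions.

```kotlin
import android.app.KeyguardManager
import android.content.Context
import android.os.Build
import java.io.File

enum class DeviceState { OK, NO_LOCK_SCREEN, ROOTED }

// Common locations of a su binary on rooted devices (assumed list; extend as needed).
private val SU_PATHS = listOf(
    "/system/bin/su", "/system/xbin/su", "/sbin/su", "/system/sd/xbin/su", "/data/local/bin/su"
)

// Heuristic only: a rooted device can hide these signals, so treat a negative result
// as "no evidence" rather than proof, and prefer a server-verified attestation.
fun looksRooted(buildTags: String? = Build.TAGS, paths: List<String> = SU_PATHS): Boolean =
    buildTags?.contains("test-keys") == true || paths.any { File(it).exists() }

// Minimum device-access policy: the user must have a PIN, pattern, password or biometric
// lock set; without one, Keystore keys that require user authentication cannot be created.
fun hasSecureLockScreen(ctx: Context): Boolean {
    val km = ctx.getSystemService(Context.KEYGUARD_SERVICE) as KeyguardManager
    return if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.M) km.isDeviceSecure
           else km.isKeyguardSecure
}

// Evaluate once at start-up; the caller decides, per business requirement, whether
// ROOTED means terminate or warn, and NO_LOCK_SCREEN means block until a lock is set.
fun evaluateDevice(ctx: Context): DeviceState = when {
    looksRooted() -> DeviceState.ROOTED
    !hasSecureLockScreen(ctx) -> DeviceState.NO_LOCK_SCREEN
    else -> DeviceState.OK
}
```

For stronger assurance than local heuristics, pair this with a server-verified device attestation (SafetyNet Attestation at the time of the article, since succeeded by Play Integrity).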