Android secure coding

Download as PPT, PDF

2 likes1,291 views

The document discusses various secure coding practices for Android applications. It covers secure ways to handle local storage such as encrypting data before storing and not decrypting at the client side. It also discusses securing secrets with AES encryption and not relying on shared storage. The document provides code samples for sending encrypted data in JSON, verifying SSL certificates, disabling copy/paste and screenshots. It suggests using ProGuard to protect against decompiling code and analyzing code for vulnerabilities.

Software

© Blueinfy Solutions
Secure Coding For Android
Applications

© Blueinfy Solutions
Local Storage - Example
• Remember me option – NOT SECURE WAY

© Blueinfy Solutions
Token stored
• On local file – NOT SECURE WAY

© Blueinfy Solutions
Shared Preferences
• SHARED PREFERENCE – NOT SECURE WAY

© Blueinfy Solutions
Writing to file
• When opening file for writing, make sure to
open it in private mode as shown below –
String FILENAME = “temp";
String string = “token”;
FileOutputStream fos = openFileOutput(FILENAME,
Context.MODE_PRIVATE);
fos.write(string.getBytes());
fos.close();

© Blueinfy Solutions
Local Storage – Secure Method
• Encrypt the data using strong encryption,
possibly AES
• Do not decrypt the data at client side
• Send Encrypted Data to the server
• Server decrypts the data before validating it

© Blueinfy Solutions
Securing Secrets
• AES encryption to store secret information
and making secure storage.
• APIs and Libs for it.
• Random cookies and keys.
• Not to open and shared storage.
• Cache and File writing is not enough.
• Design level strategy for it.

© Blueinfy Solutions
Secure Method – Sample Code

© Blueinfy Solutions
Sending Encrypted in JSON

© Blueinfy Solutions
Cache with WebView
• By default, webView control caches all
request and response
• Some of the filenames are –
– webviewCache.db
– webview.db-shm
– webview.db-wal
– webviewCookiesChromium.db
– webviewCookiesChromiumPrivate.db
– imagecache.db

© Blueinfy Solutions
Sample code to clear the cache

© Blueinfy Solutions
SSL Implementation
• Application sends request to server over SSL
(Secure Way)
• Most application fails to handle SSL certificate
validation error on the client side
• Only certificate from the OWNER server and
sub-domain should be allowed

© Blueinfy Solutions
Verify SSL Server – Sample Code

© Blueinfy Solutions
Copy/Paste in the text fields
• Services are shared between all the
applications
• Attacker can write malicious program to
monitor clipboard to get access to sensitive
data if copy/paste is not disabled
• Copy/Paste must be disabled on the sensitive
fields

© Blueinfy Solutions
Screenshot in temporary files
• Pressing HOME button takes screenshot of the
last screen and saves it in local storage
• To disable this, manifest file needs to be
updated under Activity Tag

© Blueinfy Solutions
Protecting IP
• Unlike iOS, there is no encryption supported
by android platform
• Possible to Decompile binary and get access to
source code
• “ProGuard” can be leveraged to protect
against Decompile

© Blueinfy Solutions
Code Analysis with AppCodeScan
• Semi automated tool
• Ability to expand with custom rules
• Simple tracing utility to verify and track
vulnerabilities
• Simple HTML reporting which can be
converted to PDF

© Blueinfy Solutions
Sample Rules - Android

More Related Content

What's hot (20)

PDF

Ch 1: Web Application (In)security & Ch 2: Core Defense MechanismsSam Bowne

PDF

CNIT 129S - Ch 3: Web Application TechnologiesSam Bowne

PDF

CNIT 129S: Securing Web Applications Ch 1-2Sam Bowne

PDF

CNIT 129S: Ch 3: Web Application TechnologiesSam Bowne

PPTX

Using & Abusing APIs: An Examination of the API Attack SurfaceCA API Management

PPTX

Api security teodorcotruta

PDF

CNIT 129: 6. Attacking AuthenticationSam Bowne

PDF

Protecting Your APIs Against Attack & Hijack CA API Management

PDF

CNIT 129S: 13: Attacking Users: Other Techniques (Part 2 of 2)Sam Bowne

PDF

Security vulnerabilities decompositionKaty Anton

PPTX

Deep thoughts from the real world of azureMichele Leroux Bustamante

PDF

CNIT 129S: Ch 5: Bypassing Client-Side ControlsSam Bowne

PDF

CNIT 129S: Ch 6: Attacking AuthenticationSam Bowne

PDF

CNIT 129S: 13: Attacking Users: Other Techniques (Part 1 of 2)Sam Bowne

PDF

CNIT 129S: Ch 4: Mapping the ApplicationSam Bowne

PDF

CNIT 128: 6: Mobile services and mobile Web (part 1: Beginning Through OAuth)Sam Bowne

PPTX

Core defense mechanisms against security attacks on web applicationsKaran Nagrecha

PDF

CNIT 129S: 8: Attacking Access ControlsSam Bowne

PDF

CNIT 129S - Ch 6a: Attacking AuthenticationSam Bowne

PPTX

Design Practices for a Secure Azure SolutionMichele Leroux Bustamante

Ch 1: Web Application (In)security & Ch 2: Core Defense MechanismsSam Bowne

CNIT 129S - Ch 3: Web Application TechnologiesSam Bowne

CNIT 129S: Securing Web Applications Ch 1-2Sam Bowne

CNIT 129S: Ch 3: Web Application TechnologiesSam Bowne

Using & Abusing APIs: An Examination of the API Attack SurfaceCA API Management

Api security teodorcotruta

CNIT 129: 6. Attacking AuthenticationSam Bowne

Protecting Your APIs Against Attack & Hijack CA API Management

CNIT 129S: 13: Attacking Users: Other Techniques (Part 2 of 2)Sam Bowne

Security vulnerabilities decompositionKaty Anton

Deep thoughts from the real world of azureMichele Leroux Bustamante

CNIT 129S: Ch 5: Bypassing Client-Side ControlsSam Bowne

CNIT 129S: Ch 6: Attacking AuthenticationSam Bowne

CNIT 129S: 13: Attacking Users: Other Techniques (Part 1 of 2)Sam Bowne

CNIT 129S: Ch 4: Mapping the ApplicationSam Bowne

CNIT 128: 6: Mobile services and mobile Web (part 1: Beginning Through OAuth)Sam Bowne

Core defense mechanisms against security attacks on web applicationsKaran Nagrecha

CNIT 129S: 8: Attacking Access ControlsSam Bowne

CNIT 129S - Ch 6a: Attacking AuthenticationSam Bowne

Design Practices for a Secure Azure SolutionMichele Leroux Bustamante

Similar to Android secure coding (20)

PPTX

Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015Ajin Abraham

PPTX

Covert Attack Mystery Box: A few novel techniques for exploiting Microsoft “f...Beau Bullock

PDF

Pentesting Mobile Applications (Prashant Verma)ClubHack

PDF

Evaluating iOS Applicationsiphonepentest

PPTX

iOS application (in)securityiphonepentest

PPTX

Securing Sensitive Data with Azure Key Vault (Tom Kerkhove @ ITProceed)Codit

PPTX

ITProceed 2015 - Securing Sensitive Data with Azure Key VaultTom Kerkhove

PDF

9 Writing Secure Android ApplicationsSam Bowne

PPTX

Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4Qualcomm Developer Network

PPTX

Hacking Tizen : The OS of Everything - Nullcon Goa 2015Ajin Abraham

PPSX

Arcanum - Client side encryption based file storage service.Yashin Mehaboobe

PPTX

Application security meetup - cloud security best practices 24062021lior mazor

PPTX

What Does a Full Featured Security Strategy Look Like?Precisely

PPTX

Securing private keysAhsan Habib

PDF

Zero Knowledge - End-to-end encryption in the browser with OpenPGP.jsDane Schneider

PPTX

Encrypting and Protecting Your Data in Neo4j(Jeff_Tallman).pptxNeo4j

PPT

iOS Application Pentestingn|u - The Open Security Community

PPTX

Going outside the applicationMatthew Saltzman

PDF

Information Security Whitepaperrun_frictionless

PDF

Securing .NET Core, ASP.NET Core applicationsNETUserGroupBern

Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015Ajin Abraham

Covert Attack Mystery Box: A few novel techniques for exploiting Microsoft “f...Beau Bullock

Pentesting Mobile Applications (Prashant Verma)ClubHack

Evaluating iOS Applicationsiphonepentest

iOS application (in)securityiphonepentest

Securing Sensitive Data with Azure Key Vault (Tom Kerkhove @ ITProceed)Codit

ITProceed 2015 - Securing Sensitive Data with Azure Key VaultTom Kerkhove

9 Writing Secure Android ApplicationsSam Bowne

Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4Qualcomm Developer Network

Hacking Tizen : The OS of Everything - Nullcon Goa 2015Ajin Abraham

Arcanum - Client side encryption based file storage service.Yashin Mehaboobe

Application security meetup - cloud security best practices 24062021lior mazor

What Does a Full Featured Security Strategy Look Like?Precisely

Securing private keysAhsan Habib

Zero Knowledge - End-to-end encryption in the browser with OpenPGP.jsDane Schneider

Encrypting and Protecting Your Data in Neo4j(Jeff_Tallman).pptxNeo4j

iOS Application Pentestingn|u - The Open Security Community

Going outside the applicationMatthew Saltzman

Information Security Whitepaperrun_frictionless

Securing .NET Core, ASP.NET Core applicationsNETUserGroupBern

Recently uploaded (20)

PDF

Unlock Efficiency with Insurance Policy Administration SystemsInsurance Tech Services

PPTX

Transforming Mining & Engineering Operations with Odoo ERP | Streamline Proje...SatishKumar2651

PDF

HiHelloHR – Simplify HR Operations for Modern WorkplacesHiHelloHR

PDF

Why Businesses Are Switching to Open Source Alternatives to Crystal Reports.pdfVarsha Nayak

PDF

The 5 Reasons for IT Maintenance - Arna SoftechArna Softech

PDF

유니티에서 Burst Compiler+ThreadedJobs+SIMD 적용사례Seongdae Kim

PPTX

Tally_Basic_Operations_Presentation.pptxAditiBansal54083

PDF

Understanding the Need for Systemic Change in Open Source Through Intersectio...Imma Valls Bernaus

PDF

Digger Solo: Semantic search and maps for your local filesseanpedersen96

PDF

GetOnCRM Speeds Up Agentforce 3 Deployment for Enterprise AI Wins.pdfGetOnCRM Solutions

PDF

Revenue streams of the Wazirx clone script.pdfaaronjeffray

PPTX

Empowering Asian Contributions: The Rise of Regional User Groups in Open Sour...Shane Coughlan

PDF

Odoo CRM vs Zoho CRM: Honest Comparison 2025 Odiware Technologies Private Limited

PDF

Powering GIS with FME and VertiGIS - Peak of Data & AI 2025Safe Software

PDF

Build It, Buy It, or Already Got It? Make Smarter Martech Decisionsbbedford2

PDF

Automate Cybersecurity Tasks with PythonVICTOR MAESTRE RAMIREZ

PDF

Open Chain Q2 Steering Committee Meeting - 2025-06-25Shane Coughlan

PDF

MiniTool Partition Wizard 12.8 Crack License Key LATESThashhshs786

PDF

Alexander Marshalov - How to use AI Assistants with your Monitoring system Q2...VictoriaMetrics

PPTX

Hardware(Central Processing Unit ) CU and ALURizwanaKalsoom2

Unlock Efficiency with Insurance Policy Administration SystemsInsurance Tech Services

Transforming Mining & Engineering Operations with Odoo ERP | Streamline Proje...SatishKumar2651

HiHelloHR – Simplify HR Operations for Modern WorkplacesHiHelloHR

Why Businesses Are Switching to Open Source Alternatives to Crystal Reports.pdfVarsha Nayak

The 5 Reasons for IT Maintenance - Arna SoftechArna Softech

유니티에서 Burst Compiler+ThreadedJobs+SIMD 적용사례Seongdae Kim

Tally_Basic_Operations_Presentation.pptxAditiBansal54083

Understanding the Need for Systemic Change in Open Source Through Intersectio...Imma Valls Bernaus

Digger Solo: Semantic search and maps for your local filesseanpedersen96

GetOnCRM Speeds Up Agentforce 3 Deployment for Enterprise AI Wins.pdfGetOnCRM Solutions

Revenue streams of the Wazirx clone script.pdfaaronjeffray

Empowering Asian Contributions: The Rise of Regional User Groups in Open Sour...Shane Coughlan

Odoo CRM vs Zoho CRM: Honest Comparison 2025 Odiware Technologies Private Limited

Powering GIS with FME and VertiGIS - Peak of Data & AI 2025Safe Software

Build It, Buy It, or Already Got It? Make Smarter Martech Decisionsbbedford2

Automate Cybersecurity Tasks with PythonVICTOR MAESTRE RAMIREZ

Open Chain Q2 Steering Committee Meeting - 2025-06-25Shane Coughlan

MiniTool Partition Wizard 12.8 Crack License Key LATESThashhshs786

Alexander Marshalov - How to use AI Assistants with your Monitoring system Q2...VictoriaMetrics

Hardware(Central Processing Unit ) CU and ALURizwanaKalsoom2

Android secure coding

5. © Blueinfy Solutions Writing to file • When opening file for writing, make sure to open it in private mode as shown below – String FILENAME = “temp"; String string = “token”; FileOutputStream fos = openFileOutput(FILENAME, Context.MODE_PRIVATE); fos.write(string.getBytes()); fos.close();

6. © Blueinfy Solutions Local Storage – Secure Method • Encrypt the data using strong encryption, possibly AES • Do not decrypt the data at client side • Send Encrypted Data to the server • Server decrypts the data before validating it

7. © Blueinfy Solutions Securing Secrets • AES encryption to store secret information and making secure storage. • APIs and Libs for it. • Random cookies and keys. • Not to open and shared storage. • Cache and File writing is not enough. • Design level strategy for it.

11. © Blueinfy Solutions Cache with WebView • By default, webView control caches all request and response • Some of the filenames are – – webviewCache.db – webview.db-shm – webview.db-wal – webviewCookiesChromium.db – webviewCookiesChromiumPrivate.db – imagecache.db

13. © Blueinfy Solutions SSL Implementation • Application sends request to server over SSL (Secure Way) • Most application fails to handle SSL certificate validation error on the client side • Only certificate from the OWNER server and sub-domain should be allowed

15. © Blueinfy Solutions Copy/Paste in the text fields • Services are shared between all the applications • Attacker can write malicious program to monitor clipboard to get access to sensitive data if copy/paste is not disabled • Copy/Paste must be disabled on the sensitive fields

16. © Blueinfy Solutions Screenshot in temporary files • Pressing HOME button takes screenshot of the last screen and saves it in local storage • To disable this, manifest file needs to be updated under Activity Tag

17. © Blueinfy Solutions Protecting IP • Unlike iOS, there is no encryption supported by android platform • Possible to Decompile binary and get access to source code • “ProGuard” can be leveraged to protect against Decompile

18. © Blueinfy Solutions Code Analysis with AppCodeScan • Semi automated tool • Ability to expand with custom rules • Simple tracing utility to verify and track vulnerabilities • Simple HTML reporting which can be converted to PDF

Android secure coding

More Related Content

What's hot (20)

Similar to Android secure coding (20)

More from Blueinfy Solutions (13)

Recently uploaded (20)

Android secure coding