© Blueinfy Solutions
Secure Coding For Android Applications
Local Storage - Example
• "Remember me" option implemented by keeping the credential or session token on the device in plaintext – NOT SECURE WAY
Token stored
• Token written to a local file in plaintext – NOT SECURE WAY
Shared Preferences
• Token stored in SharedPreferences (a plaintext XML file under the app's data directory) – NOT SECURE WAY
Writing to file
• When opening a file for writing, open it in private mode (Context.MODE_PRIVATE) so that only this app's own UID can read it, as shown below. MODE_WORLD_READABLE / MODE_WORLD_WRITEABLE are the insecure alternative: deprecated in API 17 and rejected with a SecurityException from API 24 –
import java.io.FileOutputStream;
import java.nio.charset.StandardCharsets;

String FILENAME = "temp";
String string = "token";
// openFileOutput() is a Context method; the file is created under the app's private data directory
try (FileOutputStream fos = openFileOutput(FILENAME, Context.MODE_PRIVATE)) {
    fos.write(string.getBytes(StandardCharsets.UTF_8));   // explicit charset, not the platform default
}
• MODE_PRIVATE only keeps other apps out. The token is still plaintext on disk (readable on a rooted device, or through backups unless android:allowBackup is disabled), which is why the following slides encrypt it.
Local Storage – Secure Method
• Encrypt the data with a strong, authenticated cipher such as AES (AES-GCM) before it touches local storage
• Do not decrypt the data on the client side; if the app never needs the plaintext it should never hold the key either, and the blob stays opaque to anything that reads the device
• Send the encrypted blob back to the server as-is
• The server decrypts it and validates the contents before accepting it
Securing Secrets
• Use AES encryption for secret information kept on the device and make that encrypted store the design, not an afterthought.
• Use the platform's crypto APIs and vetted libraries for it; do not roll your own.
• Cookies, tokens and keys must be random and unpredictable (generated with a CSPRNG such as SecureRandom).
• Do not write secrets to open or shared storage (external/SD storage, world-readable files, SharedPreferences).
• Controlling cache and file permissions alone is not enough.
• Treat secret handling as a design-level strategy rather than a per-call fix.
Secure Method – Sample Code
Sending Encrypted in JSON
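The two code slides above ("Secure Method – Sample Code" and "Sending Encrypted in JSON") survive only as images. The following is an added example written for this page, not Blueinfy's own code, that implements the design of the "Local Storage – Secure Method" and "Securing Secrets" slides with standard javax.crypto: the server encrypts the session record with AES-GCM under a key the client never sees, the client stores and forwards the opaque Base64 blob inside a JSON field, and the server decrypts and authenticates it. The session record, the field name rememberMe and the use of java.util.Base64 (API 26+; android.util.Base64 on older devices) are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

/**
 * Added example (not from the slides): a "remember me" token that is kept on the
 * device only as an opaque AES-GCM blob. The key lives on the server, so the client
 * cannot decrypt what it stores; it forwards the blob in JSON and the server decrypts
 * and validates it.
 */
public final class OpaqueRememberMeToken {
    private static final int IV_BYTES = 12;   // 96-bit nonce, the recommended size for GCM
    private static final int TAG_BITS = 128;  // full-length authentication tag

    /** Server side: owns the key and does all encryption and decryption. */
    static final class Server {
        private final SecretKey key;
        private final SecureRandom rng = new SecureRandom();

        Server() throws Exception {
            KeyGenerator kg = KeyGenerator.getInstance("AES");
            kg.init(256);
            key = kg.generateKey();   // in production: loaded from a KMS/HSM, never shipped in the APK
        }

        /** Issue an opaque blob for the client to keep: Base64(iv || ciphertext || tag). */
        String issue(String sessionRecord) throws Exception {
            byte[] iv = new byte[IV_BYTES];
            rng.nextBytes(iv);   // fresh random nonce per token; a nonce must never repeat under one key
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
            byte[] ct = c.doFinal(sessionRecord.getBytes(StandardCharsets.UTF_8));
            byte[] out = new byte[IV_BYTES + ct.length];
            System.arraycopy(iv, 0, out, 0, IV_BYTES);
            System.arraycopy(ct, 0, out, IV_BYTES, ct.length);
            return Base64.getEncoder().encodeToString(out);   // android.util.Base64 below API 26
        }

        /** Decrypt and authenticate a blob the client sent back; null means reject. */
        String validate(String blob) {
            try {
                byte[] in = Base64.getDecoder().decode(blob);
                if (in.length < IV_BYTES + TAG_BITS / 8) return null;   // too short to hold iv + tag
                Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
                c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, in, 0, IV_BYTES));
                byte[] pt = c.doFinal(in, IV_BYTES, in.length - IV_BYTES);   // AEADBadTagException on tampering
                return new String(pt, StandardCharsets.UTF_8);
            } catch (Exception e) {   // bad Base64, bad length or failed tag all mean "not our token"
                return null;
            }
        }
    }

    /** Client side: store the blob as-is (e.g. openFileOutput(..., MODE_PRIVATE)) and send it back in JSON. */
    static String rememberMeRequestJson(String blob) {
        // The Base64 alphabet contains nothing that needs JSON escaping, so plain concatenation is safe.
        return "{\"rememberMe\":\"" + blob + "\"}";
    }

    public static void main(String[] args) throws Exception {
        Server server = new Server();
        // Constructed sample record; a real one carries a user id, an expiry and a random session id.
        String blob = server.issue("uid=42;exp=1700000000;sid=3f9c2a1d");
        System.out.println("client stores/sends: " + rememberMeRequestJson(blob));
        System.out.println("server accepts     : " + server.validate(blob));

        // A tampered copy (one bit flipped in the stored file) fails the GCM tag check and is rejected.
        byte[] raw = Base64.getDecoder().decode(blob);
        raw[raw.length - 1] ^= 0x01;
        System.out.println("tampered blob      : " + server.validate(Base64.getEncoder().encodeToString(raw)));
    }
}
```

Because the client holds no key, a copy of the file is useless to an attacker except as a bearer credential to replay, so the server must still enforce expiry and revoke the record on logout; where the device supports it, binding the blob to a key in the Android Keystore closes the replay gap as well.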
Secure
Cache with WebView
• By default the WebView caches requests and responses (pages, images, cookies, form data, HTML5 storage) on disk inside the app's data directory
• The filenames vary by Android release; some seen in practice are –
– webviewCache.db
– webview.db-shm
– webview.db-wal
– webviewCookiesChromium.db
– webviewCookiesChromiumPrivate.db
– imagecache.db
Sample code to clear the cache
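The original cache-clearing slide is an image. This added example, written for this page rather than taken from the slides, does the two things the "Cache with WebView" slide calls for: it stops a WebView that shows sensitive content from caching in the first place, and it wipes cache, cookies, form data and HTML5 storage through the WebView APIs, then sweeps the app's data directory for the database filenames listed above. The sweep over the whole data directory is an assumption made because those files' location differs between releases.

```java
import android.content.Context;
import android.os.Build;
import android.webkit.CookieManager;
import android.webkit.WebSettings;
import android.webkit.WebStorage;
import android.webkit.WebView;
import android.webkit.WebViewDatabase;
import java.io.File;
import java.util.Arrays;
import java.util.List;

/** Added example (not from the slides): keep a WebView from caching sensitive content and wipe what it did cache. */
public final class WebViewHygiene {

    // Filenames from the slide; their location varies by release, so wipe() searches the app's data dir.
    static final List<String> KNOWN_CACHE_FILES = Arrays.asList(
        "webviewCache.db", "webview.db", "webview.db-shm", "webview.db-wal",
        "webviewCookiesChromium.db", "webviewCookiesChromiumPrivate.db", "imagecache.db");

    /** Call before loading sensitive pages: do not write to the HTTP cache or remember form input. */
    public static void harden(WebView webView) {
        WebSettings s = webView.getSettings();
        s.setCacheMode(WebSettings.LOAD_NO_CACHE);   // neither read from nor write to the on-disk cache
        s.setSaveFormData(false);                     // no autofill entries (a no-op from API 26, harmless)
    }

    /** Call on logout, and in onPause() of the sensitive screen. */
    public static void wipe(Context context, WebView webView) {
        webView.stopLoading();
        webView.clearCache(true);        // true = also delete the on-disk cache files
        webView.clearFormData();
        webView.clearHistory();
        webView.clearSslPreferences();   // forget any "proceed anyway" SSL decisions
        WebStorage.getInstance().deleteAllData();   // localStorage, WebSQL, application cache
        WebViewDatabase.getInstance(context).clearHttpAuthUsernamePassword();

        CookieManager cm = CookieManager.getInstance();
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.LOLLIPOP) {
            cm.removeAllCookies(null);   // asynchronous; the completion callback may be null
            cm.flush();                  // push the now-empty cookie store to disk immediately
        } else {
            cm.removeAllCookie();        // synchronous pre-Lollipop API
        }

        // Belt and braces: remove the known database files wherever they sit inside our sandbox.
        deleteNamed(new File(context.getApplicationInfo().dataDir));
    }

    private static void deleteNamed(File dir) {
        File[] children = dir.listFiles();
        if (children == null) return;
        for (File f : children) {
            if (f.isDirectory()) {
                deleteNamed(f);
            } else if (KNOWN_CACHE_FILES.contains(f.getName())) {
                f.delete();   // may fail while the WebView still holds the file open; repeat after webView.destroy()
            }
        }
    }
}
```

Call harden() right after the WebView is created and wipe() on every exit path from the sensitive screen, not only on an explicit logout; a crash or a HOME press otherwise leaves the cache behind.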
SSL Implementation
• The application sends requests to the server over SSL/TLS (secure way), but only as long as the certificate is actually verified
• Most applications fail to handle SSL certificate validation errors on the client side correctly: they swallow the error and proceed (an all-trusting TrustManager, a HostnameVerifier that returns true, or handler.proceed() in onReceivedSslError), which makes the connection trivially interceptable
• Only certificates belonging to the OWNER's server and its sub-domains should be accepted (certificate or public-key pinning on top of normal chain validation)
Verify SSL Server – Sample Code
Copy/Paste in the text fields
• The clipboard is a system service shared between all applications
• An attacker can write a malicious app that listens on the clipboard (ClipboardManager) and harvests whatever the user copies from a sensitive field; from Android 10 only the foreground app and the default keyboard can read it, but older devices remain exposed
• Copy/Paste must be disabled on sensitive fields (password fields should use a password input type, which already blocks copying)
Screenshot in temporary files
• Pressing the HOME button makes the system capture the last screen as the thumbnail shown in the recent-apps list and store it on the device, so whatever was on screen (balances, card numbers, one-time codes) persists
• To prevent this, set WindowManager.LayoutParams.FLAG_SECURE on the activity's window in onCreate(); there is no manifest attribute for it, so it has to be done in code for each sensitive Activity
Protecting IP
• Unlike iOS, where App Store binaries are encrypted by the platform (though that can be stripped on a jailbroken device), Android does not encrypt the APK: it is a ZIP containing DEX bytecode
• It is therefore possible to decompile the binary and get back readable, near-source Java with off-the-shelf tools
• "ProGuard" (R8 in current toolchains) can be leveraged to shrink and obfuscate the code; this raises the cost of reading a decompiled app but does not prevent decompilation, so secrets must not be in the APK to begin with
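The slide says ProGuard can be leveraged but not how. This added build configuration, written for this page and not taken from the deck, is the release-build block that switches shrinking and obfuscation on in a Gradle-based Android project; the file name proguard-rules.pro is the default the Android Gradle plugin expects and is otherwise an assumption about the project layout.

```groovy
android {
    buildTypes {
        release {
            // Turn on ProGuard/R8 for release builds only: unused code is stripped and class,
            // method and field names are replaced with short meaningless ones, so a decompiled
            // APK is far harder to read. Debug builds stay readable for development.
            minifyEnabled true
            shrinkResources true
            // The "-optimize" default file also enables bytecode optimisation passes;
            // project-specific -keep rules go in proguard-rules.pro.
            proguardFiles getDefaultProguardFile('proguard-android-optimize.txt'), 'proguard-rules.pro'
        }
    }
}
```

In proguard-rules.pro, -repackageclasses '' and -allowaccessmodification flatten the package tree for stronger name obfuscation, and keeping -keepattributes SourceFile,LineNumberTable together with -renamesourcefileattribute SourceFile lets crash stack traces be mapped back with the generated mapping.txt, which must be archived per release. String constants such as API keys and URLs are not obfuscated and remain readable in the DEX.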
Code Analysis with AppCodeScan
• Semi-automated tool
• Can be extended with custom rules
• Simple tracing utility to verify and track vulnerabilities
• Simple HTML reporting that can be converted to PDF
Sample Rules - Android
Conclusion