Droids on top of security

3 Things to Make Your App Really Secure

Cedric Ferry
3 min read · Aug 24, 2020


With mobile devices being our gateway to our digital and real lives, app developers must take security very seriously. While some Android developers are considered, or consider themselves, frontend developers, I believe they are much more than that: it is our responsibility to understand how our users’ data is transferred, stored and processed, and how we can protect that data.

In this article mini-series, I will take you through 3 things (that don’t require too much hassle) to implement in order to improve your app security tremendously, covering the database, SharedPreferences and the network.

Individual in-depth articles for each topic will follow shortly.

SecureSharedPreferences for safe SharedPreferences

The AndroidX team released this library a few months ago, and I really hope it becomes the standard. It is currently in RC3, so we can expect a release soon.

I guess I need to provide an appropriate disclaimer, given that it is not (yet) a final, production-ready release. Please proceed with appropriate caution; you may want to check your company policy, for instance.

How

This new AndroidX library encrypts and decrypts SharedPreferences on the fly. It supports AES-256 with a master key.

It is entirely compatible with the SharedPreferences interface, which makes the migration very easy.

UPDATE: here is a full tutorial

Drawbacks

The performance overhead is negligible, given that only small chunks of data are usually saved in SharedPreferences.

Encrypt your SQLite database effortlessly with SQLCipher

If you store any data in Room, you must know that it is not encrypted. SQLCipher adds a security layer to SQLite without jeopardising your application architecture.

How

Your SQL queries and DAOs remain the same. You can continue to use Room as usual; for the developer it is totally transparent. SQLCipher implements an encryption layer that encrypts and decrypts data on the fly. It supports AES-256 with a master key.

UPDATE: here is a full tutorial

Drawbacks

Performance might be slightly impacted, but nothing really noticeable unless you are processing tons of data. SQLCipher provides tools to understand how it is doing performance-wise. I also recommend reading this short article, which gives some insights into SQLCipher.

Implement SSLPinning with OkHTTP/Retrofit

Now that the data we store and process is safe, let’s see what we can do about the data we exchange. A very common attack is man-in-the-middle, which basically consists of an attacker intercepting the network traffic without the user noticing anything.

I assume you already use HTTPS to exchange data with your server. If this is not the case, start with that!

How

The idea of SSL pinning is to make sure the server you are communicating with is authentic. SSL certificates come with a hash, such as SHA-1 or SHA-256, which is a fingerprint of the certificate.

With SSL pinning, we are going to verify that the fingerprint of the certificate presented by the server we are communicating with is the one we expect.

This can be achieved with CertificatePinner for OkHttp. It lets you set which certificate pins you want to accept.

Drawbacks

The verification is very quick, as it is basically comparing two strings. However, be mindful that certificates expire at some point (and their SHA-256 fingerprints with them), so make sure you provide the new fingerprint to your CertificatePinner in a timely fashion so that your app doesn’t stop working.
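As an added example (not code from the original article), here is how the pinning described above can be wired into OkHttp and Retrofit, with a backup pin so the rotation mentioned under Drawbacks can happen without an emergency release. The host name and both pin values are placeholders to be replaced with your own server's values.

```kotlin
import okhttp3.CertificatePinner
import okhttp3.OkHttpClient
import retrofit2.Retrofit
import java.security.cert.Certificate

// Placeholders: a pin is "sha256/" followed by the Base64 of the SHA-256 of the
// certificate's Subject Public Key Info (not of the whole certificate file).
const val API_HOST = "api.example.com"
const val CURRENT_PIN = "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="
// Pin of the certificate (or key) you will switch to next, so that renewing the
// server certificate does not require shipping a new APK first.
const val BACKUP_PIN = "sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB="

// OkHttp client that only completes TLS handshakes with API_HOST when one of the
// pinned keys appears in the certificate chain presented by the server.
fun buildPinnedClient(): OkHttpClient {
    val pinner = CertificatePinner.Builder()
        .add(API_HOST, CURRENT_PIN, BACKUP_PIN)
        .build()
    return OkHttpClient.Builder()
        .certificatePinner(pinner)
        .build()
}

// Retrofit reuses the pinned client, so every API call goes through the check.
fun buildRetrofit(): Retrofit =
    Retrofit.Builder()
        .baseUrl("https://$API_HOST/")
        .client(buildPinnedClient())
        .build()

// Derives the pin string for a certificate you already trust (for example one
// exported from your server at build time), so the value is not typed by hand.
fun pinFor(certificate: Certificate): String = CertificatePinner.pin(certificate)
```

If the server presents a chain matching none of the pins, OkHttp fails the request with an SSLPeerUnverifiedException whose message lists the pins it actually observed, which is a convenient way to confirm the values during development against your own server.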

Conclusion

We have seen 3 ways to improve your app’s security and protect your users’ data. Each of them can be implemented in a very reasonable time frame, so there is no excuse not to do it.

Stay tuned for the upcoming articles in this series, which will describe the implementation and migration for each of these components.

One More Thing

Thanks for reading this article. If you are into Android development, I encourage you to download Android Developer News to stay up to date.

Written by Cedric Ferry

Android Developer @ TikTok, ex-Google