A Guide on Securing Android Apps and Understanding Android Security

There are over 3 billion Android users worldwide, and most of them store their sensitive data on personal mobile devices, making these devices an attractive target for malicious hackers. That being said, developers must prioritize the security of their Android applications since cyber attacks remain an acute issue in the IT environment. In this article, we discuss the main aspects of securing Android apps and list the best security practices for securing Android apps.

The biggest Android security threats

Before discussing security best practices, it is important to understand the main mobile vulnerabilities and platform-specific threats that Android developers should know. Based on that knowledge, you will be able to review your current security strategy and reinforce it for better efficiency.

Common vulnerabilities

Threats listed below are not specific to the Android platform, but it’s critical to know about them in order to code securely and to ensure that your app is protected on all levels.

Malware: remains one of the most acute security issues and implies using malicious software to “infect” or hack one’s device. Due to its open system, Android is prone to various malware attacks like trojans or ransomware and thus requires developers to take extra precautions to secure the app from potential attacks.

Data breaches: happen when an unauthorized user accesses private information. This type of attack causes a significant negative impact on the organization and can result in identity theft and massive financial losses. 

Insecure data transfers: happen while transferring the data over unsecured communication channels. In such cases, it becomes easier for attackers to steal the data, especially if it is not protected by encryption.

Phishing: an attack aimed at making the user reveal their personal information. The attack often focuses on obtaining one’s credentials or credit card information. The most common phishing example is an email that asks to follow a link. By doing so, a user will most likely have to enter the password and login on a fake website and thus will reveal them to the hacker.

Security threats unique to the Android environment

Now let’s look at some of the vulnerabilities unique to the Android environment. They usually occur due to the specifics of the platform and thus require extra attention from the developers:

Changes in the OS by the manufacturer: most often occur in cheap devices where manufacturers do not pay enough attention to poorly designed apps and instead, turn off certain limitations on a system level. In this case, it becomes easy for hackers to breach the system since the updates are not received on time and the manufacturer leaves plenty of loopholes in the device’s security.

Root access: normally, on Android devices, only the kernel and a limited number of small services run with root permissions. However, it is possible to change root access configurations. In this case, users open the way to attackers and grant them access to system files, which may lead to very serious consequences.  

Custom firmware upgrades: same as with root access configuration, the custom upgrade of firmware makes the device and the system more vulnerable since you change the initial security settings. 

Apps from various sources: since it’s relatively easy to install an app from an external source on an Android device, the risks of this app being compromised or corrupted increase greatly. Users and developers have to be extra cautious about app installation, especially from non-trusted or unverified sources.

Core components of the Android app security

Now, let’s talk about the core components of Android application security solutions. It is critical to understand them and the way they function so you can build your development strategy around them.

Linux security

The Linux kernel serves as the foundation of the platform and offers several built-in security features: 

• User-based permissions;
• Process isolation;
• A specific mechanism for secure IPC;
• An option to remove parts of the kernel that seem not secure enough.

The core objective of the kernel is to isolate user resources and protect them from one another. In addition to that, isolation of resources is also achieved via App Sandbox.

App Sandbox

Application Sandbox is a critical component of Android’s security that isolates apps from each other. In this way, every app functions in its own “sandbox,” having no access to the other app’s resources or data. Hence, if there is a corrupted application on the device, it won’t impact other apps, which significantly minimizes potential damage.

App-defined and user-granted permissions

Proper configuration of permissions is critical in order to protect sensitive information and limit access to important resources. Android offers robust permissions management from the start by having predefined file-system permissions in addition to user-based ones. What it means is that in the Android environment, an application can read or alter only its files. This, in addition to permissions configured by the users, helps enhance the security of the system and safeguard the resources.

Cryptographic APIs

Cryptography is critical for protecting sensitive data and, in the case of Android, it also protects the APIs. Android uses common cryptographic primitives like AES or DSA for its APIs, thus ensuring that the information is provided and transferred between the apps in a secure manner.

App signing

App signing is a process of verifying the app’s source and ensuring that the updates are trustworthy. Apps are signed with a digital certificate and a private key that provides a unique and almost impossible-to-hack signature from the app’s author. In this way, when an update is released, its signature and the app’s signature must match in order for the app to download the update. Android performs app signing via the keystore and allows signing the app in both debug or release modes.

These were some of the core components of Android app security – for more detailed information, please see the official Android documentation available online.

Android security tips: how to incorporate security measures during the app development lifecycle?

While Android offers robust security tools, it is the responsibility of developers to use them correctly and implement security on all levels of an Android application. This can be done by following Android security tips and best practices and by implementing them at every stage of the app development process:

• Research and planning: this stage requires the definition of security requirements and the conduction of threat modeling so you build the future processes around them.
• Mobile app development: follow secure coding practices that imply a proactive (instead of reactive) approach towards the app’s security and implement all needed measures like encryption or multi-factor user authentication.
• Testing: this stage involves the performance of multiple tests with a specific focus on security. Examples of these tests are penetration testing and vulnerability scanning.
• App deployment: before the app is deployed, pay attention to server security and review permissions configuration to prevent unauthorized users from accessing sensitive information.
• Maintenance: introduce regular updates and patches and audits to ensure that the implemented changes do not compromise the sensitive data and the app in general. 

Best practices for securing Android apps

To create a safeguarded app from the start, it is important to follow mobile application security best practices listed below:

Secure web traffic

Since a great amount of sensitive data is transmitted via the network, attackers often try to intercept the data transfer and retrieve sensitive information. Thus, it is recommended to secure the web traffic by doing the following:

• Configure the permissions of the AndroidManifest.xml file so the in-app traffic is entrusted to the network;
• Use HTTPS for network connections to make them more secure and to encrypt the transmitted data;
• Check and update the list of trusted certificates so a malicious program that is not on the list won’t be able to read the app’s traffic.

Protect the data

If an attacker manages to access the app and its resources, unsecured data becomes an easy target and can be stolen, compromised, or corrupted. To minimize potential risks, here are a few tips on securing your data:

• Encryption: should be used for all sensitive data so the hackers cannot read and understand it. You can use built-in libraries that Android provides to facilitate the encryption process.
• Minimize the use of APIs: if there are APIs that have access to sensitive data, try minimizing their use to reduce the potential risks of data theft;
• Implement strong authentication: use two-factor authentication and such methods as Credential Manager or passkeys to enhance the security of user credentials.

Review third-party dependencies

When your app is using any third-party libraries, you need to double-check the dependencies carefully, as you never know how secure these libraries are. If there is a vulnerability in the library, it can be exploited by hackers to access the app’s sensitive data, which is exactly what happened with the Android Jetpack Navigation.

Android Jetpack Navigation is a tool for handling screens and navigation in the app, but upon its release, it had a flaw: the library allowed hackers to open hidden screens of the application via fake deep links. Upon investigating the issue, Google considered it a developer oversight but that’s not entirely correct – this flaw is an existing vulnerability that should be treated correspondingly. Of course, fixes are already out, and the library is safe to use, but the main point remains the same: when working with third-party libraries, carefully review the dependencies and focus on securing your app on all levels to avoid potential data breaches.

Implement code obfuscation

Code obfuscation is the process of making the code too complex for reverse engineering and is one of the security practices recommended by OWASP. The main goal of obfuscation is to make an application almost impossible to decompile or disassemble. In this way, if a code is retrieved by hackers, it will be highly difficult to parse. In Android, developers use the ProGuard tool to launch the obfuscation process in the beginning of the development.

Perform regular audits

Even though developers thoroughly test the apps before releasing them, it doesn’t mean that security audits stop once the app is launched. Because of the addition of new features and potential app modifications and upgrades, new vulnerabilities might appear. This is why it is essential to regularly perform audits and ensure that the app remains secured and that implemented changes did not cause vulnerabilities. Also, keep in mind that cyber threats constantly evolve, thus forcing developers to adjust their security practices correspondingly.

Expert Opinion

Judging by my experience with Android development, I can say that this OS has robust security features out of the box. By using these tools, you will be able to establish an effective security layer around the critical components of your application and will be able to protect it against the most common threats. 

However, it is also critical for developers to pay attention to third-party systems that they integrate into their apps, as this is one of the main sources of vulnerabilities. As described in the example with the Android Jetpack Navigation library, sometimes readymade solutions are released with critical flaws – and if your app is not secured in advance, these vulnerabilities can greatly impact the integrity of the data. So always double-check the tools that you want to use before installing them and try implementing security measures in advance. 

Android developer at SoftTeco

Anton Savich

OWASP MAVS best practices

OWASP stands for the Open Worldwide Application Security Project and is one of the most reliable organizations that provide standards and best practices for cyber security. As for mobile, OWASP offers OWASP MAVS – a Mobile Application Security Verification Standard. Mobile developers can use it to create secured applications and to ensure that the main threat vectors are taken into consideration.

This standard includes several control groups that cover the most common areas of the attack surface. Examples of these control groups:

• MAVS – STORAGE: focuses on the security of the storage;
• MAVS – CRYPTO: encryption of the sensitive data;
• MAVS – AUTH: authentication and authorization methods in use;
• MAVS – CODE: best practices for coding and data processing.

It is highly recommended to see the official OWASP documentation on mobile security and check your application against the OWASP checklist. In this way, you will be able to enhance the existing strategy and identify the biggest risk areas and vulnerabilities.

Key tools to enhance Android security

Android provides a plethora of security tools to work with, so let’s take a look at the most common ones:

• Keystore: a system for storing and managing cryptographic keys, thus protecting sensitive information. It enables the keys to be hardware-protected and never leave the device.
• Keychain: a system for securely managing user credentials like login information and passwords and to use them securely across the apps. 
• TEE Android: a Trusted Execution Environment is separated from the main Android OS, thus allowing a more secure way to process sensitive data. TEE is often used for critical tasks such as biometric authentication or digital rights management (DRM).
• StrongBox: a password manager that integrates with Android Keystore and uses a Secure Element hardware-backed security module. StrongBox is used for high-level security, such as management of critical keys.
• Biometric: a framework for biometric authentication such as face recognition or fingerprint authentication. This tool enables developers to effectively implement biometric authentication in their apps across various platforms.
• VCG scanner: it is an automated code security review tool that helps detect vulnerabilities and compliance issues in the app. 

Summing up

While Android provides a plethora of built-in security features and tools, developers should also take responsibility for securing Android apps and ensuring they function in a secure environment. For that, it is recommended to implement secure coding best practices and to perform regular security audits in accordance with the industry standards. In this way, you will be able to safeguard the app against potential future attacks and minimize the damage in case of a data breach.