This document discusses best practices for increasing app security, including using internal storage for sensitive data, encrypting any stored data, using HTTPS for network requests, pinning certificates to prevent man-in-the-middle attacks, and notifying users to update apps when security configurations change. It emphasizes that Android itself is not fully secure, but following guidelines like these can help make apps less vulnerable to abuse or tampering. The key recommendations are to prioritize data privacy, use encrypted network connections, pin certificates for authentication, and maintain the security of the app over time with updates.

1. Safety first
Best practices in app security
ANA BAOTIĆ
TECHNICAL MANAGER, MOBILE BANKING @ INFINUM

2. We're an independent
design &
development
agency.

4. HOW TO INCREASE SECURITY
BUILD INTEGRITY
DATA PRIVACY
NETWORK SECURITY

5. THINGS TO ADD TO A NEW PROJECT
Release keystore
Obfuscation

6. KEYSTORE
Should be used for ALL builds
You should NEVER lose it
No one should EVER acquire it

8. signingConfigs {
release {
storeFile file("myapp.keystore")
storePassword "password123"
keyAlias "keyAlias"
keyPassword "password789"
}
}
DO NOT!

9. DO!
gradle.properties
KEYSTORE_PASSWORD=password123
KEY_PASSWORD=password789

10. try {
storeFile file("myapp.keystore")
storePassword KEYSTORE_PASSWORD
keyAlias "keyAlias"
keyPassword KEY_PASSWORD
} catch (ex) {
throw new InvalidUserDataException(“…”)
}

11. OBFUSCATION
Proguard
DexGuard
DexProtector

12. release {
minifyEnabled true
proguardFiles getDefaultProguardFile(
'proguard-android.txt'), ‘proguard-rules.txt'
signingConfig signingConfigs.release
}

13. public abstract class e {
private int a = -1;
private String b = null;
protected boolean k = false;
public abstract void a(Intent var1);
public void run() {
this.a((Intent)null);
}
protected final void a(String var1) {
this.b = var1;
}
public final void c() {
this.a = -1;
this.b = null;
}
public final boolean d() {
return this.k;
}
}

14. WILL THIS KEEP THE APK SAFE?
No.

16. TAMPERING DETECTION
Verify signing certificate at runtime
Verify the installer
context.getPackageManager()
.getInstallerPackageName(context.getPackageName())
.startsWith("com.android.vending")
Check if app is debuggable (or run on emulator)

17. DATA PRIVACY

18. USERS ARE SENSITIVE ABOUT THEIR DATA

19. WAYS TO STORE (AND RETRIEVE) DATA
Internal storage
External storage
Content providers

20. INTERNAL STORAGE
Is (generally) sufficiently safe
Private to the your app

21. EXTERNAL STORAGE
Globally readable and writable

22. CONTENT PROVIDERS
Structured storage mechanism
Can be exported to allow access by other apps

23. <provider
android:name="com.example.android.datasync.provider.StubProvider"
android:authorities="com.example.android.datasync.provider"
android:exported="false"/>
android:protectionLevel="signature"

24. SHARED PREFERENCES
Useful for primitive key-value based data

25. private readable safe
Internal storage yes yes yes
External
storage
no yes no
Content
providers
depends yes yes
Shared prefs. yes yes yes

26. SO EVERYTHING IS FINE?
Yes, until you root the device.

28. USE LIBRARIES
Bouncy Castle
Spongy Castle
Keyczar
AeroGear Crypto
Conceal

29. ENCRYPT USING A PIN/PASSWORD
4 digits - 10 000 attempts
No effort to crack or even guess

30. BCRYPT
Key derivation function
Slow
Cost of the hash function depends on the work factor

31. CAN DATA REMAIN PRIVATE?
Rooting your device allows access
Not encrypting allows (mis)use

32. NETWORK SECURITY

34. HTTP
Still (frequently) used
MiTM

35. HTTPS
Encrypts data
Validation of server’s identity

36. android:usesCleartextTraffic="false"
ANDROID M
StrictMode.setVmPolicy(
new StrictMode.VmPolicy.Builder()
.detectCleartextNetwork()
.penaltyLog().build());

37. ANDROID N
Network Security Configuration feature
Finer grained control

39. CERTIFICATE PINNING
Defines which CAs are trusted
Reduces effectiveness of MiTM

40. okhttpbuilder
.pinClientCertificate(resources,
R.raw.client_cert, "pass".toCharArray(), “PKCS12”)
.pinServerCertificates(resources,
R.raw.server_cert, "pass".toCharArray(), "BKS")
.build();
return new OkClient(client);

41. WHAT IF THE CERTIFICATES CHANGE?

42. INFORM THE USERS
Implement a mechanism for notifying users
(GCM) and forcing updates

43. PLAN AHEAD
Check server security’s impact on Android
devices
https://www.ssllabs.com/

45. INCLUDE THE CLIENT IN THE PROCESS
Keep them up-to-date
Help them understand risks and advise them
Insist on updates and security patches

46. RECAP

47. ANDROID IS NOT SECURE
But you can make it less easy to abuse

48. THINGS TO REMEMBER
Use internal storage if applicable
Encrypt data
Use HTTPS
Pin certificates
Be aware of the update cycle

50. REFERENCES
• Gradle configuration
• http://developer.android.com/guide/topics/data/data-
storage.html#db
• https://codahale.com/how-to-safely-store-a-password/
• http://www.developereconomics.com/android-
cryptography-tools-for-beginners/
• https://www.airpair.com/android/posts/adding-tampering-
detection-to-your-android-app

51. REFERENCES
• https://www.ssllabs.com/
• http://developer.android.com/preview/features/security-
config.html
• https://www.ionic.com/mitm-attacks-ssl-pinning-what-is-it-
and-why-you-should-care/

52. Thank you!
Questions?
Visit www.infinum.co or find us on social networks:
infinum.co infinumco infinumco infinum
ANA@INFINUM.CO
@ABAOTIC