the ultimate security checklist before launching your android app

The Ultimate Security Checklist Before Launching Your Android App

Enterprise Grade Mobile Security

Use the Android Application Sandbox, which isolates your app data and code execution from other apps.

1.


Use an encrypted filesystem that can be enabled to protect data on lost or stolen devices.

2.


Ensure that the registration and activation process is robust.

3.


Minimize the number of permissions that your app requests.

4.


Have application-defined permissions to control application data on a per-app basis.

5.


Have user-granted permissions to restrict access to system features and user data.

6.


Do not store sensitive information on external storage, such as SD Cards. These are globally readable and writable.

7.


Apply caution using network transactions because it involves transmitting data that is potentially private to the user.

8.


Perform strong input validations. Insufficient input validation is a common security problem affecting applications, regardless of the platform they run on.

9.


Native code that gets received over the network or from an IPC is vulnerable to threat. You can prevent it by careful handling pointers & managing buffers.

10.


If you are using data within queries that are submitted to an SQL database or a content provider, SQL injection may be an issue. The best defense is to use parameterized queries.

11.


Apply caution in using WebView because it consumes web content like HTML & JavaScript - improper use leads to web security issues such as cross-site-scripting (JavaScript injection).

12.


Minimize the frequency of asking for user credentials—it makes phishing attacks more conspicuous, and less likely to be successful.

Instead use an authorization token and refresh it.

13.


Android provides algorithms for protecting data using cryptography such as supporting full-filesystem encryption & providing secure communication channels.

14.


A few apps implement IPC using traditional Linux techniques such as network sockets and shared files. Use Android system functionality for IPC such as Intent, Binder or Messenger with a Service, and BroadcastReceiver.

15.


Intents are the preferred mechanism for asynchronous IPC in Android. Depending on your application requirements, you might use sendBroadcast(), sendOrderedBroadcast(), or an explicit intent to a specific application component.

16.


Using Binder or Messenger is the preferred mechanism for RPC-style IPC in Android. They provide a well-defined interface that enables mutual authentication of the endpoints, if required.

17.


Do not load code from outside of your application APK. It significantly increases the likelihood of application compromise due to code injection or code tampering.

18.


Maintain security of the backend APIs (services) and the platform (server).

19.


Ensure secure distribution and provisioning of mobile applications.

20.


Use encrypted communications between clients and servers through properly configured SSL.

21.


CONCLUSION

Here you go with the 21 most essential checks that you should perform before launching your Android App. Even if you already have, it would

be a good revisit.


REGISTER FOR A FREE SECURITY SCAN

Appknox helps you unlock the security issues in your mobile app & suggests immediate action!

Register Now!


http://try.appknox.com/free-mobile-app-security-scan-1/

http://try.appknox.com/free-mobile-app-security-scan-1/

the ultimate security checklist before launching your android app

Technology