Are you interested in how to make an Android app more secure against common threats? He is the one who might help ;) Check out Volodymyr Kimak's talk "Security Tips for Android App"
OWASP Ukraine 2017 Security Conference
https://www.facebook.com/events/914991308665427/
7. API Security: Tips
● Use JWT or Bearer Tokens for session management and validation; do not rely on the mobile app's judgement
● Validate every API method properly (parameters, roles and permissions), even if it is hidden somewhere in the mobile app
● Do not disclose Direct Object References to backend entities, because that makes them easy to enumerate and guess
9. Authentication and Authorization: Tips
● Require strong session management
● Do not store passwords locally; store tokens instead, even for "Remember Me" functionality
● Do not allow users to provide 4-6 digit PIN codes instead of passwords; use fingerprint authentication instead
11. Cryptography: Tips
● Store sensitive data locally only if it is really needed
● Use only modern, strong, approved cryptographic algorithms; do not create your own crypto
● Use strong random number generators
● Protect your keys in a key vault
● Do not store hardcoded encryption keys in app code
13. Communication: Tips
● Remove all debug HTTP(S) settings
● Use the latest HTTP standards:
○ HTTP 1.1 or HTTP 2.0
○ HTTPS/TLS 1.2
● Verify SSL certificate:
○ Hostname
○ Information (SSL Pinning)
■ Pin Certificate
■ Pin Public Key Info (SPKI)
○ In case of a hybrid app (Xamarin), it is possible to verify the certificate on 2 levels (native and hybrid) to increase security
○ Inform the user about the SSL error and drop the connection
17. Data Storage: Tips
● Use Shared Preferences only for simple app preferences, not for sensitive data
● Use KeyStore for storing small amounts of sensitive data
● Use Internal Storage for the app's generated content
● Use External Storage for the user's files, but not for sensitive data unless you encrypt it
● Use an encrypted database (Realm or SQLite) for storing large amounts of sensitive data
● Do not store sensitive data in logs or analytics
19. Content Provider: Tips
● Use a Content Provider to share data between apps
● If used only by your app, set the flag android:exported=false
● If the sharing apps are only your own apps, set the flag android:protectionLevel=signature
● Prefer android:grantUriPermissions over android:permission, because it gives more granular and dynamic access to data
● Use parametrized query methods such as query/update/delete to avoid potential SQL injections from untrusted sources
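An added example, not from the talk, of the parametrized-query tip: a hypothetical NotesProvider with an injectable helper beside query/update/delete overrides that pass selectionArgs through as bound parameters; the table, schema and MIME type are constructed.

```java
import android.content.ContentProvider;
import android.content.ContentValues;
import android.content.Context;
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;
import android.database.sqlite.SQLiteQueryBuilder;
import android.net.Uri;
import java.util.HashMap;
import java.util.Map;
/** Hypothetical NotesProvider: an injectable lookup next to the parametrized provider methods. */
public class NotesProvider extends ContentProvider {
    private static final String TABLE = "notes"; // constructed schema: notes(_id, title, body)
    private static final Map<String, String> COLUMNS = new HashMap<>();
    static { // the only columns a caller may name; SQLiteQueryBuilder rejects anything else
        COLUMNS.put("_id", "_id");
        COLUMNS.put("title", "title");
        COLUMNS.put("body", "body");
    }
    private SQLiteDatabase db;

    @Override public boolean onCreate() { // database file lives in app-private internal storage
        db = getContext().openOrCreateDatabase("notes.db", Context.MODE_PRIVATE, null);
        db.execSQL("CREATE TABLE IF NOT EXISTS notes(_id INTEGER PRIMARY KEY, title TEXT, body TEXT)");
        return true;
    }

    // UNSAFE: the caller's value is pasted into SQL text. A single quote inside it closes the
    // string literal and whatever follows is executed as SQL, the injection the tip warns about.
    Cursor findByTitleUnsafe(String title) {
        return db.rawQuery("SELECT * FROM " + TABLE + " WHERE title = '" + title + "'", null);
    }

    // SAFE: selection is a template with '?' markers, values travel as bound parameters, and
    // strict mode also validates selection and sortOrder against the column whitelist.
    @Override public Cursor query(Uri uri, String[] projection, String selection,
                                 String[] selectionArgs, String sortOrder) {
        SQLiteQueryBuilder qb = new SQLiteQueryBuilder();
        qb.setTables(TABLE);
        qb.setProjectionMap(COLUMNS);
        qb.setStrict(true);
        return qb.query(db, projection, selection, selectionArgs, null, null, sortOrder);
    }

    // delete/update take the same (selection, selectionArgs) pair, so values stay bound here too
    @Override public int delete(Uri uri, String sel, String[] args) { return db.delete(TABLE, sel, args); }
    @Override public int update(Uri uri, ContentValues v, String sel, String[] args) { return db.update(TABLE, v, sel, args); }
    @Override public Uri insert(Uri uri, ContentValues v) { long id = db.insert(TABLE, null, v); return id < 0 ? null : Uri.withAppendedPath(uri, String.valueOf(id)); }
    @Override public String getType(Uri uri) { return "vnd.android.cursor.dir/vnd.example.note"; } // constructed MIME type
}
```

Whether other apps can reach the provider at all is still decided in the manifest by android:exported and the permission attributes from the tips above.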
21. Activity/Service/Broadcast Receiver: Tips
● Provide shared access from other apps only to those activities/services/receivers which are intended for it, using the android:exported/intent-filter/permission attributes
23. Binary Protection: Tips
● Use native code obfuscators:
○ ProGuard
○ DexGuard
○ In case of a hybrid app (Xamarin), also use the corresponding obfuscators
● Use the SafetyNet API from Google:
○ Attestation API - check whether the device environment is safe and the app has not been modified
○ Verify Apps API - check whether the device contains potentially harmful apps
25. Redundant functionality: Tips
● Remove the debug flag from the application manifest
● Remove internal functionality
● Remove all hardcoded/test passwords
● Remove all test and non-production-ready endpoints
● Verify that log messages do not expose application flow and critical info
https://stackoverflow.com/questions/9986734/which-android-data-storage-technique-to-use
Shared preferences are good for storing ... an application's preferences, and other small bits of data. It's just a really simple persistent string key store for a few data types: boolean, float, int, long and string. So for instance if my app had a login, I might consider storing the session key as a string within SharedPreferences.
SQLite databases are great whenever you are going to use a lot of structured data and a relatively rigid schema for managing it. Put in layman's terms, SQLite is like MySQL or PostgreSQL except instead of the database acting as a server daemon which then takes queries from the CGI scripts like PHP, it is simply stored in a .db file, and accessed and queried through a simple library within the application. While SQLite cannot scale nearly as big as the dedicated databases, it is very quick and convenient for smaller applications, like Android apps. I would use an SQLite db if I were making an app for aggregating and downloading recipes, since that kind of data is relatively structured and a database would allow for it to scale well. Databases are nice because writing all of your data to a file, then parsing it back in your own proprietary format is no fun. Then again, storing data in XML or JSON wouldn't be so bad.
Internal storage is good for storing application data that the user doesn't need access to, because the user cannot easily access internal storage. Possibly good for caching, logs, other things. Anything that only the app intends to Create, Read, Update or Delete.
External storage. Great for the opposite of what I just said. The Dropbox app probably uses external storage to store the user's Dropbox folder, so that the user has easy access to these files outside the Dropbox application, for instance, using the file manager.
What is KeyStore?
https://developer.android.com/training/articles/keystore.html
The Attestation API provides services for determining whether a device running your app satisfies Android compatibility tests.
The Verify Apps API allows your app to protect the device against potentially harmful apps.