Secure android app because it's security matter

Published Sep 20, 2017Last updated Sep 26, 2017

enter image description here

Hi, I am Android Developer in Redcarpetup.com RedCarpet is a FinTech company that does instant credit scoring and enables purchase financing using advanced AI. We look at hundreds of variables, much beyond traditional credit models.
Using the RedCarpet App, consumers can get instant credit for shopping online - be it product purchase, travel, bill payments, entertainment etc.

Because of we are a Fintech company so we are very careful about our app security. and we work with a security company AppKonx to solve security problems in app.

Shared Preferences

Most of android developer prefer Shared Preferences to store plane text data but Shared Preferences are accessible to anybody if your device is compromised. It is recommended to obscure the information saved in Shared Preferences before you store them. One of the solutions is to encrypt the information. Still the key that is used for encryption can be recovered by a simple decomposition procedure if it is hard-coded in the app.
There are various open source android library that provide Shared Preferences encryption, but i prefer secure-preferences library for Shared Preference security this is very easy to use.
you need to add dependency in app build.gradle

dependencies {
    compile 'com.scottyab:secure-preferences-lib:0.1.4'
}

This will use the default shared pref file and You can define a separate file for encrypted preferences.

SharedPreferences prefs = new SecurePreferences(context, "userpassword", "my_user_prefs.xml");

Using a password that the user types in that isn't stored elsewhere in the app passed to the SecurePreferences constructor means the key is generated at runtime and not stored in the backing pref file.

<map>
    <string name="TuwbBU0IrAyL9znGBJ87uEi7pW0FwYwX8SZiiKnD2VZ7">
        pD2UhS2K2MNjWm8KzpFrag==:MWm7NgaEhvaxAvA9wASUl0HUHCVBWkn3c2T1WoSAE/g=rroijgeWEGRDFSS/hg
    </string>
    <string name="8lqCQqn73Uo84Rj">k73tlfVNYsPshll19ztma7U">
        pD2UhS2K2MNjWm8KzpFrag==:MWm7NgaEhvaxAvA9wASUl0HUHCVBWkn3c2T1WoSAE/g=:jWm8KzUl0HUHCVBWkn3c2T1WoSAE/g=
    </string>
</map>

One time password bypass

Most of app user OTP Authentication for login but any attacker can bypass if OTP process is not fully secure, here some tip for secure OTP process

1.Never send OTP in request or response when it is generated
2.OTP should be generated from server-side only
3.OTP should not be authenticated based on "custom response code" or "custom response messages"
4.Always limit OTP authentication attempts 5 or 10
5.Use a minimum of 6 digit OTP
6.An OTP should get expired once a new one is requested
7.OTP expiry time should set to a maximum of 3-5 min
8.OTP should be generated randomly when requested again

Intent and Intent Services

Intent and Intent services is most commonly user functionality of android
Intent is an abstract description of an operation to be performed. It can be used with startActivity to launch an Activity, broadcastIntent to send it to any interested Broadcast Receiver components, and startService(Intent) or bind Service(Intent, ServiceConnection, int) to communicate with a background Service.
basically two type of intent in android

Implicit Intents
These intents do not name a target and the field for the component name is left blank. Implicit intents are often used to activate components in other applications.

Intent read1=new Intent();
read1.setAction(android.content.Intent.ACTION_VIEW);
read1.setData(ContactsContract.Contacts.CONTENT_URI);
startActivity(read1);

In implicit intent no target is defined so any attacker easily intercept your intent and get all data.

Explicit Intents
These intents designate the target component by its name and they are typically used for application-internal messages - such as an activity starting a subordinate service or launching a sister activity.

  // Explicit Intent by specifying its class name
Intent i = new Intent(FirstActivity.this, SecondActivity.class);

// Starts TargetActivity
startActivity(i);

In explicit intent target component is defined so this is impossible to intercept intent.

So always try to use Explicit intent and you can specify the package in Intent.

Intent intent = new Intent(Intent.ACTION_SEND);
intent.setPackage("com.example.test");
sendBroadcast(intent);

Network Security

Almost all android apps use network for transferring data between mobile and server so this is very important to secure network so hacker can not intercept data.
One of the most popular network attacks is Man-In-The-Middle (MITM). It can be passive or active.To avoid this attack follow these networking security best practices:

  • Minimize the amount of sensitive or personal user data that you
    transmit over the network.
  • Send all network traffic from your app over SSL.
  • Consider creating a network security configuration, which
    allows your app to trust custom CAs or restrict the set of system CAs
    that it trusts for secure communication.

There are some tools that support HTTPS and SSL pinning. Two of them are Retrofit and OkHttp.Retrofit is easy to use, it supports RxJava, and it doesn’t take much time to configure it.

Database Security

In nowadays almost all app use sqlite Database for storing data in
local storage. so this is very important to secure database.A typical SQLite database in unencrypted, and visually parseable even as encoded text.
to secure mobile database i prefer SQLCipher to secure sqlite database.

SQLCipher is an SQLite extension that provides transparent 256-bit AES encryption of database files. To date, it has been open-sourced, sponsored and maintained by Zetetic LLC. In the mobile space, SQLCipher has enjoyed widespread use in Apple’s iOS, as well as Nokia / QT for quite some time. Given that Android by default provides integrated support for SQLite databases, our goal was to create an almost identical API for SQLCipher, so that developers of all skill level could use it, without a steep learning curve.

SQLCipher is very easy to use.add SQLCipher into their app with the following three steps:

  • Add a single sqlcipher.jar and a few .so’s to the application libs directory
  • Update the import path from android.database.sqlite.* to net.sqlcipher.database.* in any source files that reference it. The original android.database.Cursor can still be used unchanged.
  • Init the database in onCreate() and pass a variable argument to the open database method with a password
   SQLiteDatabase.loadLibs(this); //first init the db libraries with the context
     SQLiteOpenHelper.getWritableDatabase("thisismysecret"):

AppLock

In nowadays mostly all eCommerce apps using wallet and save Credit/Debit cards in app for future payment so there are more chance to anybody use your phone and misuse your money, in Redcarpet you can order anything using App. To resolve this issue we write our own library AppLocker is a library for protect app with four digit pin.
This library allows you to implement a pin lock mechanism in your app easily.
Once enabled a four-digit passcode needs to be entered any time your mobile app is launched. This way your app is safe even if your smartphone or tablet falls into the wrong hands.
AppLocker is very easy to implement

  • Add it to your build.gradle with:
allprojects {
    repositories {
        maven { url "https://jitpack.io" }
    }
}


dependencies {
    compile 'com.github.balrampandey19:AppLocaker:1.0.1'
}
  • Initilize app loger in App Application class.

AppLocker.getInstance().enableAppLock(this);

  • Extend LockActivity in all app activity as base activity.

public class MainActivity extends LockActivity {

@Override
protected void onCreate(Bundle savedInstanceState) {
super.onCreate(savedInstanceState);
setContentView(R.layout.activity_main);
}

}

Discover and read more posts from Balram Pandey
get started