
10/28/2014 Simple tips to secure Android app | Java Code Geeks

http://www.javacodegeeks.com/2014/05/simple-tips-to-secure-android-app.html 1/3
About Ketan Parmar
Ketan Parmar (aka KPBird) is a software engineer with 7 years of experience. He is passionate about Java
(SE, EE, ME), Android, BlackBerry, Grid Computing, Big Data, UI/UX and Open Source.
Image source: http://www.oneclickroot.com/wp-content/uploads/2012/10/Android-security.jpg
Simple tips to secure Android app
by Ketan Parmar on May 26th, 2014 | Filed in: Android Core
Android has security features built into the operating system that significantly reduce
the frequency and impact of application security issues, but as application developers
it is our job to secure the application. The level of security depends on the application's
type and domain. There are a few security aspects we must not forget, and I am collecting
those common tips in this article.
Here I list the most common things developers should take care of to protect their
application.
1. Do not store private or sensitive data on the SD card. To store a file on internal
storage, use openFileOutput and openFileInput with private mode (Context.MODE_PRIVATE).
If you really want to store data on the SD card, encrypt it. You will find many
encryption libraries; I prefer Conceal from Facebook.
2. Restrict your ContentProvider by setting the exported flag to false. It is not the case that every ContentProvider is developed
for data exchange between applications; a ContentProvider can also be developed for a single application, i.e. kept private.
3. Restrict the WebView's access to local data. HTML5 and related technologies have become popular for developing mobile web apps
or hybrid apps. A hybrid app uses a WebView to display content from locally stored HTML, or fetches HTML and other content from the
server. The major security concerns for WebView are the setAllowFileAccess() and setAllowContentAccess() methods.
4. Do not pass sensitive information through Broadcasts and Intents. Use LocalBroadcastManager to broadcast data within your own
process/app. LocalBroadcastManager is available in Support Library v4.
5. Don't print sensitive information to LogCat: details such as usernames, passwords, web service URLs, requests or responses, etc.
6. Remove unnecessary Log calls before publishing the app.
7. Don't process malicious Intents. Before processing an Intent received in the onReceive method of a BroadcastReceiver, validate
the caller's package name, the action and other information.
8. Protect your Service with a permission. Set the exported flag to false when the Service is developed for your app only.
9. Restrict access to Activities. If an Activity is intended solely for internal use by the app, set its exported flag to false.
10. Make sure that debug mode is false before publishing the APK.
11. Encrypt sensitive data even if you store it in internal storage.
12. For cross-app functionality, validate the calling application before responding.
13. Properly verify the server's TLS/SSL certificate for HTTPS web calls.
14. Use the NDK whenever you feel that information is not safe in Java code, because Java code can be decompiled easily, e.g. constants.
15. Use ProGuard, which shrinks, optimizes and obfuscates your code.
16. Remove unwanted/unused <uses-permission> entries from AndroidManifest.xml.
17. Loading classes.dex from outside the application is a major security risk. DexClassLoader allows developers to load classes.dex
on demand.
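As an added example (not code from the article or from KPBird), here is tip 3 applied: a WebView configuration that disables the file and content access the article warns about and only lets the WebView navigate to the app's bundled assets or to HTTPS pages on one allowlisted host. The class name and the host api.example.com are placeholders for this example.

```java
import android.net.Uri;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;

/** Applies tip 3: a WebView that cannot read local files/content and only navigates to known origins. */
public final class HardenedWebView {
    // Placeholder backend host for this example; use the app's own API host.
    private static final String ALLOWED_HOST = "api.example.com";

    private HardenedWebView() {}

    public static void configure(WebView webView) {
        WebSettings settings = webView.getSettings();
        // The two settings named in the article: deny file:// and content:// access from web content.
        // Assets under file:///android_asset/ remain loadable even with file access disabled.
        settings.setAllowFileAccess(false);
        settings.setAllowContentAccess(false);
        // Close the file-URL cross-origin holes as well (API 16+; they default to false from API 16 on,
        // but set them explicitly rather than relying on the default).
        settings.setAllowFileAccessFromFileURLs(false);
        settings.setAllowUniversalAccessFromFileURLs(false);
        // Keep JavaScript off unless the hybrid app actually needs it; it widens the attack surface.
        settings.setJavaScriptEnabled(false);

        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                // Returning true tells the WebView NOT to load the URL, so block anything not allowlisted.
                return !isAllowedUrl(url);
            }
        });
    }

    /** Allows only the app's bundled assets and HTTPS pages on the allowlisted host. */
    static boolean isAllowedUrl(String url) {
        if (url == null) {
            return false;
        }
        Uri uri = Uri.parse(url);
        String scheme = uri.getScheme();
        String path = uri.getPath();
        if ("file".equalsIgnoreCase(scheme)) {
            // Bundled assets only, and reject any traversal out of the asset directory.
            return path != null && path.startsWith("/android_asset/") && !path.contains("..");
        }
        // Plain http, javascript:, intent: and every other scheme are refused.
        return "https".equalsIgnoreCase(scheme) && ALLOWED_HOST.equalsIgnoreCase(uri.getHost());
    }
}
```

shouldOverrideUrlLoading is only consulted for top-level navigations, so the allowlisted server itself must still be trusted for the scripts, frames and other subresources its pages pull in.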
Resource: http://developer.android.com/training/articles/security-tips.html
Reference: Simple tips to secure Android app from our JCG partner Ketan Parmar at the KP Bird blog.
Manifest snippets from the article for tips 2 and 9 (a private ContentProvider and a non-exported Activity):
<provider android:exported="false" android:name="MyContentProvider" android:authorities="com.example.mycontentprovider" />
<activity android:name=".view.MyActivity" android:exported="false"> </activity>
3 Responses to "Simple tips to secure Android app"

george (June 8th, 2014 at 8:58 am)
Any examples of NDK and constant?

kpbird (June 9th, 2014 at 4:56 pm)
Hello george,
Yes, I do have an example; I will upload the example to github.com.
Regards,
KPBird

george (June 12th, 2014 at 8:24 pm)
It would be great, many thanks.
Java Code Geeks and all content copyright 2010-2014, Exelixis Media Ltd | Terms of Use | Privacy Policy | Contact