How do you secure your android apps in 2025? | Security Best Practices Tips and Tricks

byBolt UIX 2 min read
1

Exploring Pen Testing for Android App Security

Explore the world of pen testing with tools like MobSF, Burp Suite, adb, and drozer. Strengthen your Android apps against threats using proven best practices. 

How to get started:

  • Install tools like MobSF for mobile app analysis.
  • Use Burp Suite for web-related security testing.
  • Leverage adb for device interactions and drozer for app testing.

Key Tools for Pen Testing

  • MobSF 📱: Helps test the security of mobile apps (Android and iOS).
  • Burp Suite 🌐: Tests web application security.
  • adb (Android Debug Bridge) 📲: Interacts with Android devices from a computer.
  • drozer 🛠️: For testing Android apps and devices.

Security Best Practices

Ensure your Android app stands strong against modern threats with these simple yet powerful security strategies. From safeguarding sensitive data to fortifying network communications, each step is a vital layer of defense. Keep your users safe and your app secure with these proven practices. 🛡️

Code Obfuscation

Code obfuscation is like a protective shield for our app. It's there to keep our app safe and our hard work secure. Without it, our app could be at risk in several ways. Never ship a production app without enabling Proguard/R8.
  • Enable shrinking, obfuscation, and optimization.
// In build.gradle
android {
    buildTypes {
        release {
            minifyEnabled true
            shrinkResources true
            proguardFiles getDefaultProguardFile('proguard-android-optimize.txt'), 'proguard-rules.pro'
        }
    }
}

Figure 1. Enabling code obfuscation in Gradle.

Safeguarding API Keys

The purpose of safeguarding API keys in apps is to protect sensitive data, such as API keys, from unauthorized access and misuse. It's crucial to ensure the security of these keys to prevent potential breaches and data theft (e.g., Payment key, Google API key, etc).

  • Securing API Keys using Android NDK.
// Example: Hide key in NDK
external fun getApiKey(): String
init {
    System.loadLibrary("native-lib")
}

Securing Your Google API Key

Extra Security: Adding our SHA-1 fingerprint is like putting another lock on the door, making it very hard for others to misuse our key. Also, limiting what our key can access in Google keeps our app more secure and private. Restrict Google API key access.

  • The main goal here is to protect our Google API key.

Secure Your Logs

When you print logs, like service URLs, response data, usernames, and crashes, they can be seen by anyone who has access to your app's logs. This can expose sensitive information, and if misused, it could become a nightmare for you. Make sure to remove or obfuscate sensitive logs before releasing your app.

  • Secure Your Logs: Protecting Sensitive Data in Release Builds.
// In build.gradle
android {
    buildTypes {
        release {
            debuggable false
        }
    }
}

Beware Rooted Devices

Many apps have an in-app payment or making critical tasks never do this kind of tasks on a rooted device. Automatically disable these features on a rooted device. Because the rooted device can change your code at runtime and alter the behavior of it. Don’t process payments on rooted devices. Or just warn users clearly instead of blocking.

  • Some people may not be aware they're using rooted devices; they may be hacked, so give a warning message for user safety.
// Check for root
fun isRooted(): Boolean {
    // Implementation to detect root
    return false // Placeholder
}
if (isRooted()) {
    // Show warning or disable features
}

Stay Updated: Keep Your App's Dependencies Current

It's essential to stay up to date because outdated library versions might have security flaws that are fixed in newer releases. We don't want our app to become a haven for security issues, right?

Caution with WebView JavaScript

Be mindful when using WebView to load HTML content or web pages. It can bring common web security issues, like cross-site scripting, into your app. It's crucial not to enable JavaScript interface support unless you fully control and trust the content within your app's WebView.

  • If you don't, it can open doors to potential security problems.
// Secure WebView
webView.settings.javaScriptEnabled = false // Disable unless trusted

Preventing SQL Injection Vulnerabilities

When working with SQLite databases on Android, it's crucial to handle user input carefully. If you allow user interaction with the database, always sanitize input or use parameterized queries to prevent SQL injection attacks. Validate User Input.

  • Failing to do so makes your data vulnerable to SQL injection attacks.
// Use parameterized query
db.execSQL("INSERT INTO table (col) VALUES (?)", arrayOf(userInput))

Encrypt Data on External Storage

When internal storage space is limited, it's often necessary to use external storage to store data, especially media files. However, data on external storage is accessible to users and other apps, so it's crucial to protect it. Popular encryption algorithms – AES with a key size of 256 bits. Encrypt data on External Storage and Check the validity of that data.

Use Internal Storage for Sensitive Data

Every Android app has an internal storage directory associated with it whose path is based on the package name of the app. Files inside this directory are very secure because they use the MODE_PRIVATE file creation mode by default. Store all the sensitive data of your app in the internal storage directory. Securely Storing Sensitive Data in Android Apps.

Protect Service & Content Provider

You are probably using a background service to do any kind of task, for example, downloading something, Process payment, etc also you don’t want other apps to access this service. To prevent that make sure to set the service exported flag to false. Protect your Service and content provider with Permission.

Minimal Permissions for Optimal Functionality

During developing developers tend to put a lot of permissions in the Manifest file thinking that they will use it when they develop their app and after finishing the app they make the release build and forget to remove these permissions. Use as little permissions as possible. Having a lot of permissions for one app is not secure at all.

Avoid Asking for Personal Data

Unless you have a good reason and a very secure infrastructure to collect, store, and transmit personal user information, you must avoid directly asking for it in your apps. You can use service like Firebase Auth to manage that for you. User privacy is one of the most important things nowadays.

Avoid Broadcasting Sensitive Data

But if you use it to process user private data never use a normal Broadcast because other apps can register it and listen to your events. To use LocalBroadcastManager for broadcast data within process/app. Do not pass sensitive information through Broadcast.

// Use LocalBroadcastManager
LocalBroadcastManager.getInstance(context).sendBroadcast(intent)

Use Encrypted Shared Preferences

Security is a very important topic and has to be taken seriously when developing Android applications, especially if sensitive data is stored on the device such as user information or API tokens. Protecting Sensitive Information. Storing sensitive information like user passwords, API tokens.

// EncryptedSharedPreferences
val masterKey = MasterKey.Builder(context).setKeyScheme(MasterKey.KeyScheme.AES256_GCM).build()
val sharedPreferences = EncryptedSharedPreferences.create(context, "prefs", masterKey, EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV, EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM)

HTTPS Everything

Using public Wi-Fi can be risky because some hotspots might be dangerous. If your app uses HTTP on such networks, a bad hotspot can mess with your app's data, causing issues or even adding unwanted ads or exploits. To stay safe, always use HTTPS for your app's internet connections. Ensure Secure Network Communication.

Protect Your Firebase Database

Protect your Firebase database from unauthorized access and manipulation by implementing stringent security rules. A small mistake can ruin your app and your business. You must write Firebase security rules. Actually, with simple curl command, anyone can delete and manipulate your entire database.

Use FCM Instead of SMS

If you are one of those developers who still hasn't made the switch from SMS to FCM, you must know that the SMS protocol is neither encrypted nor safe against spoofing attacks. What's more, an SMS can be read by any app on the user's device that has the READ_SMS permission. FCM is a lot more secure and is the preferred way to push messages to an app. FCM communications are encrypted.

Implement Encoding & Decoding Techniques

Protect sensitive information during data transfer across various components of your app, such as BLE data sending, MQTT sending, and QR code scanning, by implementing robust encoding and decoding techniques instead of passing plain text. Utilize Encoding & Decoding Techniques. Secure Data Transfer: Utilize Encoding & Decoding Techniques.

// Base64 encoding example
val encoded = Base64.encodeToString(data.toByteArray(), Base64.DEFAULT)
4.94 / 169 rates

1 Comments

Post a Comment
Previous Post Next Post