A number of problems can arise when starting a new Android app from the ground up, and the last thing any Android developer wants is to fail because of a serious security breach. With a security strategy and proper planning, that outcome is avoidable. It is important to understand that the application can be attacked not only by a third party but also by its own users, who fully control the device the app runs on, and every developer should take this into account. In this article we explain what types of attacks on mobile apps exist and how to protect against them.
Most attacks fall into three types:
Physical or remote access to the victim's device. The main purpose of this type of attack is to gain access to the file system. If the app stores credentials or other confidential data in clear text, an attacker who has the device in hand (or a backup of it) obtains that data trivially; on a rooted device the app sandbox no longer protects the app's private directory either. Remote access is typically obtained through malicious software installed on the device, which can lead to a complete compromise of the device and everything stored on it.
Man-in-the-middle attack (MitM). During the attack, data is intercepted between the client device and the server. To do this, the attacker needs to sit on the same network as the victim, for example on a public Wi-Fi network, or to operate a fake wireless access point. To attack the app, the attacker looks for weaknesses in how it handles transport encryption: cleartext HTTP, a TrustManager that accepts any certificate, a HostnameVerifier that always returns true, or no encryption at all. As a result, the attacker can both read and replace the transmitted data.
Reverse engineering. In this case the application itself is the target, namely its .apk file. The attacker decompiles the .apk (tools such as apktool and jadx make this routine) and analyzes it for hardcoded keys and secrets, internal API endpoints and client-side logic that can be bypassed or repackaged.
The security of an Android mobile application is a whole set of measures, covering the application architecture, continuous monitoring of its operation, and regular modifications and updates.
Each type of attack calls for different protections. To protect against direct physical access, use the cryptographic capabilities of the device: keep keys in the Android Keystore, encrypt sensitive data at rest with those keys, and, where the business case requires it, support remote wiping of that data. It is also necessary to monitor the security of the application continuously, which helps identify vulnerabilities as they appear.
To cope with a MitM attack, all traffic must go over TLS (HTTPS); plain HTTP should not be permitted at all. Accepting any certificate the system trust store accepts is not enough on a device where the user or malware may have installed an extra CA, so it is also recommended to pin the server's certificate or public key, either with the Network Security Config (Android 7.0+) or in the HTTP client, so that the app trusts only the expected server key.
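The following is an added example of public-key pinning in the HTTP client, written for this article and not taken from the original page. It assumes OkHttp 4.x, a hostname of api.example.com and two placeholder pin values; real pins are the base64 SHA-256 of the server's SubjectPublicKeyInfo, and a second pin for the next key must be included so that a key rotation does not lock users out.

```kotlin
import okhttp3.CertificatePinner
import okhttp3.OkHttpClient
import okhttp3.Request
import javax.net.ssl.SSLPeerUnverifiedException

// Added example (not from the original article): pin the server's public key
// so that a certificate issued by any other CA, including one that a MitM
// installed on the device, is rejected even though the system trust store
// would accept it. HOST and both pin strings are placeholders.
object PinnedApi {
    private const val HOST = "api.example.com" // assumed hostname

    private val pinner = CertificatePinner.Builder()
        // current server key (placeholder value, replace with the real SPKI hash)
        .add(HOST, "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=")
        // backup key for the next rotation (placeholder value)
        .add(HOST, "sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=")
        .build()

    val client: OkHttpClient = OkHttpClient.Builder()
        .certificatePinner(pinner)
        .build()

    /** Returns the response body, or null when the request failed or the pin check failed. */
    fun fetch(path: String): String? {
        // Always https: OkHttp does not apply the pinner to cleartext connections.
        val request = Request.Builder().url("https://$HOST$path").build()
        return try {
            client.newCall(request).execute().use { response ->
                if (response.isSuccessful) response.body?.string() else null
            }
        } catch (e: SSLPeerUnverifiedException) {
            // Raised when no certificate in the chain matches a configured pin.
            // Treat it as a possible MitM; never retry with an unpinned client.
            null
        }
    }
}
```

The pin for a live server can be computed with `openssl s_client -connect host:443 | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64`. The same pins can be declared in the Network Security Config `<pin-set>` instead, which also applies to HttpsURLConnection; in either case set a pin expiry or ship updates before the key rotates, since a stale pin turns a routine certificate renewal into an outage.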
It is difficult to prevent reverse engineering, so the protection strategy here is to make analysis of the decompiled code as costly as possible (code shrinking and obfuscation with ProGuard or R8 are built into the Android build tools) while assuming it will eventually succeed. Obfuscation is not a security boundary: any secret embedded in the .apk can be recovered, so secrets and security-critical decisions belong on the server, not in the client.
Android has built-in security mechanisms that significantly reduce the risk of a compromise and the damage it can cause. The system is designed so that you can create apps with predefined sets of access rights to the system and to files, without having to make complex security decisions yourself. It is important to know these mechanisms and to apply the possibilities provided by the Android framework correctly in practice. The key security features that underpin the Android framework are:
Do not rely on the security capabilities of the Android framework alone. To protect the app, developers should anticipate the vulnerabilities their own code can introduce. Here are several tips on how to do that.
Security tests. A developer facing security questions for the first time may find it difficult to find a vulnerability because it is not clear what to search for and where. In addition to theory and a set of rules and recommendations, it is often useful to look at cases where these rules were violated and what problems arose. There are also plenty of frameworks, systems and libraries for automated mobile application security testing, and the OWASP Mobile Security Testing Guide provides a checklist of what to test.
Support for different SDK versions. Obviously, you cannot (and should not) force users to constantly update their devices. However, you should pay special attention to the versions of the system you are going to support, which you declare through the minimum supported SDK version (minSdkVersion). For security this means the app must protect the user's data on every version it supports, including the oldest one. Sometimes it is worth raising minSdkVersion to avoid a situation in which old, less secure versions of Android leak user data, for example when a platform feature the app depends on for protection (such as hardware-backed key storage) is unavailable below a certain API level. Such leaks lower users' confidence in the app even on newer versions of Android.
Data storage. Sensitive data stored on the device should be encrypted, using the platform's cryptographic APIs with keys held in the Android Keystore rather than keys hardcoded in the app. Do not write your own encryption algorithms or protocols for this purpose: almost any deviation from standard, well-analyzed constructions (for example AES in GCM mode) is broken quickly once an attacker looks at the decompiled code.
Ensuring that users' data is secure helps build trust and attract more customers. With a robust mobile security strategy and a development team that responds quickly to bugs and threats, the app will withstand the attacks described above far better. We pay close attention to the development of robust, high-functioning Android solutions and focus on their security from the start. Contact us if you are ready to build a secure Android mobile app with EffectiveSoft.
August 27, 2018