It's an exciting time to be a part of the app economy, but there is a major point of concern that many app developers choose to ignore: mobile app security. A survey of about 400 large enterprises by IBM and the Ponemon Institute found that 40 percent of respondents aren't taking the necessary steps to secure the apps they build for customers.
This deck sheds light on some of the basic security measures that app developers must take while developing apps.
Best Practices in Android Application Security
1. Mobile App Security Meet
"For most enterprises and consumers today, mobile and cloud security are viewed in a pretty straightforward way — don't assume there is any."
Android application best practices
2. Mobile App Security Meet
Mobile first
"The future of mobile is the future of online. It is how people access online content now."
4. Android APK
Mobile App Security Meet
The DEX file is one of the most remarkable features of the Dalvik VM (the workhorse under the Android system). It does not use Java bytecode; instead it uses a homegrown format called DEX.
Android programs are compiled into .dex files, which are in turn zipped into a single .apk file on the device.
AndroidManifest.xml is a powerful file in the Android platform that allows you to describe the functionality and requirements of your application to Android.
6. Data on Device
Any data stored on the device should be encrypted
Android's SharedPreferences stores its data in plain text
An implementation of SharedPreferences that encrypts data before storage
8. Data on Device
SQLite Storage in Android
Confidential data should be encrypted before it is stored in the tables
9. Mobile App Security Meet
Apps in Device
Broadcast Receivers
Use Permissions to send broadcasts to communicate between
components
Android Permission model
Use Android permissions selectively when defining components in the
manifest file
10. Mobile App Security Meet
Apps in Device
Custom receiver to listen for broadcasting
intents
Sending broadcast
intents from an android component
11. Mobile App Security Meet
Best Practice
Custom receiver to listen for broadcasting
intents
Sending broadcast
intents from an android component
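Slides 9 to 11 contrast an open broadcast with one protected by a permission. The following is an added example, not the deck's own code, of what the "Best Practice" version looks like in Java: the receiver is registered so that only senders holding a signature-level permission can deliver to it, and the sender both names that permission and scopes the intent to its own package. The permission and action names are hypothetical; the manifest lines in the comment are what the example assumes to exist.

```java
// Added example (not from the deck): an app-internal broadcast guarded by a signature permission.
// Assumes the manifest declares (hypothetical names):
//   <permission android:name="com.example.app.permission.INTERNAL"
//               android:protectionLevel="signature"/>
//   <uses-permission android:name="com.example.app.permission.INTERNAL"/>
// A signature-level permission is only granted to apps signed with the same certificate,
// so other apps on the device can neither send to nor listen on this channel.
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;
import android.os.Build;

public final class InternalBroadcasts {
    public static final String PERMISSION = "com.example.app.permission.INTERNAL"; // hypothetical
    public static final String ACTION_SYNC_DONE = "com.example.app.action.SYNC_DONE"; // hypothetical

    // Custom receiver. It still checks the action: a receiver should never trust
    // that every intent it is handed is the one it registered for.
    public static final class SyncDoneReceiver extends BroadcastReceiver {
        public int lastCount = -1;

        @Override
        public void onReceive(Context context, Intent intent) {
            if (intent == null || !ACTION_SYNC_DONE.equals(intent.getAction())) {
                return;
            }
            lastCount = intent.getIntExtra("count", 0);
        }
    }

    // Register the receiver. The permission argument means "only senders granted
    // PERMISSION may deliver to me"; on API 33+ RECEIVER_NOT_EXPORTED additionally
    // tells the system the receiver is for this app only.
    public static SyncDoneReceiver register(Context ctx) {
        SyncDoneReceiver r = new SyncDoneReceiver();
        IntentFilter filter = new IntentFilter(ACTION_SYNC_DONE);
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.TIRAMISU) {
            ctx.registerReceiver(r, filter, PERMISSION, null, Context.RECEIVER_NOT_EXPORTED);
        } else {
            ctx.registerReceiver(r, filter, PERMISSION, null);
        }
        return r;
    }

    // Before (slide 10): an implicit broadcast with no permission. Any app whose
    // receiver declares this action gets the intent and its extras.
    public static void sendUnprotected(Context ctx, int count) {
        ctx.sendBroadcast(new Intent(ACTION_SYNC_DONE).putExtra("count", count));
    }

    // After (slide 11): the intent is explicit to this package, and only receivers in
    // apps that hold PERMISSION are eligible to receive it.
    public static void sendProtected(Context ctx, int count) {
        Intent i = new Intent(ACTION_SYNC_DONE).putExtra("count", count);
        i.setPackage(ctx.getPackageName());
        ctx.sendBroadcast(i, PERMISSION);
    }
}
```

If the receiver is declared in the manifest instead of registered at runtime, the equivalent protection is `android:exported="false"` (or `android:permission="com.example.app.permission.INTERNAL"` when another app signed with the same key must be able to send).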
12. Mobile App Security Meet
App to Cloud
● Always communicate over HTTPS
● Implement SSL Pinning
● Gzipping the request and response bodies
13. Mobile App Security Meet
Apps to Cloud
An API call traced by a proxy sitting between
the app and the cloud server
14. Mobile App Security Meet
Best Practice
Gzipping the request body for the API call from the Android app
Request body traced by the proxy
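Slides 12 to 14 list three "App to Cloud" measures and show what a proxy placed between the app and the server sees. The following is an added example, not the deck's code, of the three measures applied to an OkHttp client: plaintext HTTP is refused, the server certificate is pinned, and request bodies are gzipped by an interceptor (the interceptor follows the pattern from OkHttp's own recipes). The host name, the `sha256/...` pin values and the endpoint are placeholders to be replaced with the real certificate pins. One caveat a practitioner should keep in mind: gzip only makes the body unreadable at a glance in a proxy trace, since a proxy can inflate it; it is the pin check, which rejects the proxy's substituted certificate, that keeps the traffic from being intercepted at all.

```java
// Added example (not from the deck): HTTPS only, certificate pinning, gzipped request bodies.
// Assumes OkHttp 3.12+ / 4.x on the classpath. Host, pins and endpoint are placeholders.
import java.io.IOException;
import java.util.Collections;

import okhttp3.CertificatePinner;
import okhttp3.ConnectionSpec;
import okhttp3.Interceptor;
import okhttp3.MediaType;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.RequestBody;
import okhttp3.Response;
import okio.BufferedSink;
import okio.GzipSink;
import okio.Okio;

public final class CloudClient {
    private static final String HOST = "api.example.com"; // placeholder host
    // Placeholder pins: replace with the SHA-256 of the server's SubjectPublicKeyInfo.
    // Always pin at least two (current + backup) so a key rotation does not brick the app.
    private static final String PIN_PRIMARY = "sha256/PLACEHOLDER_PRIMARY_PIN_BASE64=";
    private static final String PIN_BACKUP  = "sha256/PLACEHOLDER_BACKUP_PIN_BASE64=";

    // Interceptor that compresses outgoing bodies and marks them Content-Encoding: gzip.
    static final class GzipRequestInterceptor implements Interceptor {
        @Override
        public Response intercept(Interceptor.Chain chain) throws IOException {
            Request original = chain.request();
            if (original.body() == null || original.header("Content-Encoding") != null) {
                return chain.proceed(original); // nothing to compress, or already encoded
            }
            Request compressed = original.newBuilder()
                    .header("Content-Encoding", "gzip")
                    .method(original.method(), gzip(original.body()))
                    .build();
            return chain.proceed(compressed);
        }

        private static RequestBody gzip(final RequestBody body) {
            return new RequestBody() {
                @Override public MediaType contentType() { return body.contentType(); }
                @Override public long contentLength() { return -1; } // length unknown until compressed
                @Override public void writeTo(BufferedSink sink) throws IOException {
                    BufferedSink gzipSink = Okio.buffer(new GzipSink(sink));
                    body.writeTo(gzipSink);
                    gzipSink.close();
                }
            };
        }
    }

    public static OkHttpClient build() {
        CertificatePinner pinner = new CertificatePinner.Builder()
                .add(HOST, PIN_PRIMARY)
                .add(HOST, PIN_BACKUP)
                .build();
        return new OkHttpClient.Builder()
                // HTTPS only: without this OkHttp also accepts ConnectionSpec.CLEARTEXT.
                .connectionSpecs(Collections.singletonList(ConnectionSpec.MODERN_TLS))
                // A proxy presenting its own certificate fails here with SSLPeerUnverifiedException.
                .certificatePinner(pinner)
                .addInterceptor(new GzipRequestInterceptor())
                .build();
    }

    // Example call: a JSON POST whose body leaves the app gzipped, over pinned TLS.
    public static Response postJson(OkHttpClient client, String json) throws IOException {
        RequestBody body = RequestBody.create(MediaType.get("application/json; charset=utf-8"), json);
        Request request = new Request.Builder()
                .url("https://" + HOST + "/v1/events") // placeholder endpoint
                .post(body)
                .build();
        return client.newCall(request).execute();
    }
}
```

When pinning fails in production (for example after a certificate rotation that was not shipped with a backup pin), the app loses connectivity rather than failing open; treat the pin list as a release artefact that is reviewed with every server certificate change.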