Ultimate Android Security Checklist While Launching Your Android App

Today, it is not uncommon to hear of a new mobile app every single day. Consumers seek quick and immediate access to information when they want, wherever their location may be. That has rather forced businesses to adopt a mobile strategy, something that was hardly necessary a few years ago.

So, how do you go about building a mobile app? Well, you have a great idea, you hire a mobile app development company or hire a freelancer or ask your friend. Pretty soon you have your app on the app store but it flops!

This story is not uncommon. In fact, we get this story at least once every week. And this happens to large businesses as well as startups, funded or otherwise. In most cases, the reason behind this is that they didn't test their mobile app for most of the things that are very 'essential'. And our mobile app security checklist will cover these 'essential' steps to not just build a secure app, but to make it compliant with global security standards.

As you build your app and work on your mobile strategy, it is essential to test your application across various parameters - Performance, Usability, Functionality, Compatibility, Load, Security, etc. Since time to market is essential, most businesses often neglect the security testing part. Ensuring the safety of the information if your customers and your business are very crucial. 

Android application security testing checklist:

1. Use the Android Application Sandbox, which isolates your app data and code execution from other apps.

2. Use an encrypted filesystem that can be enabled to protect data on lost or stolen devices.

3. Ensure that the registration and activation process is robust.

4. Minimize the number of permissions that your app requests.

5. Have Application-defined permissions to control application data on a per-app basis.

6. Have user-granted permissions to restrict access to system features and user data.

7. Do not store sensitive information on external storage, such as SD Cards. These are globally readable and writable.

8. Apply caution using network transactions as these are inherently risky for security because it involves transmitting data that is potentially private to the user.

9. Perform strong input validations. Insufficient input validation is one of the most common security problems affecting applications, regardless of what platform they run on.

10. If you are using native code, then any data read from files, received over the network, or received from an IPC has the potential to introduce a security issue. Android provides a number of technologies like ASLR and DEP that reduce the exploitability of these errors, but they do not solve the underlying problem. You can prevent these vulnerabilities by careful handling pointers and managing buffers.

11. If you are using data within queries that are submitted to an SQL database or a content provider, SQL injection may be an issue. The best defense is to use parameterized queries.

12. Apply caution in using WebView because WebView consumes web content that can include HTML and JavaScript, improper use can introduce common web security issues such as cross-site-scripting (JavaScript injection)

13. Minimize the frequency of asking for user credentials—to make phishing attacks more conspicuous, and less likely to be successful. Instead, use an authorization token and refresh it.

14. In addition to providing data isolation, supporting full-filesystem encryption, and providing secure communications channels, Android provides a wide array of algorithms for protecting data using cryptography.

15. Some apps attempt to implement IPC using traditional Linux techniques such as network sockets and shared files. We strongly encourage you to instead use Android system functionality for IPC such as Intent, Binder or Messenger with a Service, and BroadcastReceiver.

16. Intents are the preferred mechanism for asynchronous IPC in Android. Depending on your application requirements, you might use sendBroadcast(), sendOrderedBroadcast(), or an explicit intent to a specific application component.

17. Using Binder or Messenger is the preferred mechanism for RPC-style IPC in Android. They provide a well-defined interface that enables mutual authentication of the endpoints if required.

18. Do not load code from outside of your application APK. Doing so significantly increases the likelihood of application compromise due to code injection or code tampering.

19. Maintain security of the backend APIs (services) and the platform (server).

20. Ensure secure distribution and provisioning of mobile applications.

21. Use encrypted communications between clients and servers through properly configured SSL.

While this list can go on, the above are some checks that are essential. It might be a challenge fixing everything at once, but you should keep revisiting this list till you've checked each one off. The above checklist is curated specially for android applications and you can find a similar checklist for iOS applications here.

Security testing tools, like Appknox, can be very helpful as a good starting point. Even the automated test can give you a quick glimpse of where you stand in terms of security. You can get access to a prioritized list of issues to look at, something that is essential for your business currently.

MUST READ: The Ultimate Guide To OWASP Security Checks for Web and Mobile Apps

Published on Nov 2, 2015
Harshit Agarwal
Written by Harshit Agarwal
Harshit Agarwal is the co-founder and CEO of Appknox, a mobile security suite that helps enterprises automate mobile security. Over the last decade, Harshit has worked with 500+ businesses ranging from top financial institutions to Fortune 100 companies, helping them enhance their security measures.
Beyond the tech world, Harshit loves adventure. When he's not busy making sure the digital realm is safe, he's out trekking and exploring new destinations.


Chat With Us

Using Other Product?

Switch to Appknox

2 Weeks Free Trial!

Get Started Now