Best way to secure Android app sensitive Data?

by

Storing sensitive data on the device

That depends very much on your audience. Normally, the Android OS prohibits apps from accessing each other’s files (i.e. databases, preference files, regular files stored in the app’s private directory) through proven Linux file permissions. However, on rooted devices an application can obtain root access and read everything. A few things to think about:

  1. If you know your users won’t have root (e.g. if you are not distributing the app through Android Market, but only in your company, or something like that), you can simply rely on Android’s filesystem-based security.
  2. If a user does get root access, he will be very careful what application he gives that priviledge to
  3. If an app does get root access, it can wreak a lot of havoc. The information in your app could be the least of the user’s worries.
  4. Rooting leads to zero warranty. Including in apps. You can’t be held responsible for leaking information on a rooted phone.

To conclude, if your information is not super-duper sensitive (e.g. credit card information), I’d suggest just sticking with the default security provided by Android (i.e. save everything in plain text, knowing other apps can’t access it).

Otherwise, encryption is the way to go. It’s not 100% secure (a hacker could de-compile your app and figure out how to decrypt the data), but it’s a major pain to crack and will stop most hackers. Especially if you obfuscate your code with something like ProGuard.

Transferring sensitive data from the server to the device

You have a few options here. First of all, always use HTTPS. After enabling HTTPS, here are two extra security measures I would propose:

  1. Use an API key system. Include this API key in all your requests and check it on the server side before sending any response back. Remember that since you’re using HTTPS, an attacker would not be able to just use a network sniffer to find out your API key. However, this is pretty easy to figure out if someone decompiles your app, which is why you can obfuscate it even further (besides using ProGuard). For example, you can keep the API key broken up into pieces all around your code (for example as static members in two or three classes). Then, when you send a request, you just concatenate all those pieces. You can even apply some other sort of transformation (e.g. bit shifting) to make it even harder to figure out from the decompiled code.
  2. You can generate a key every time you send a request. That key would be generated by using a bit of logic that only you know, so that you can implement it client- and server-side as well. For example, a request could include the following parameters:
    time=1321802432&key=[generated-key]
    where generated-key is generated from the time parameter. For example: md5(time + salt). When the server receives this request, it can do two things:

    1. Check that key is indeed equal to md5(time + salt) (note that only the client and the server know the salt and it can be obfuscated similarly to the API key above), and
    2. Check that time is not too far back in the past (e.g. if it’s more than 1-2 minutes in the past, consider the request invalid).

The second method is more useful if you are also doing plain HTTP requests, where everyone can see the parameters being sent. Also, it’s much harder to figure out from decompiled code. Especially if you spread the key calculation logic across multiple classes.

However, note that nothing makes it impossible to crack your app. You can obfuscate as much as you want, if a hacker is really determined to get to your data, he will be able to so by decompiling your application and spending many sleepless nights passing through your code and figuring out how the requests are formed. The only real way of securing your data is by asking your user for a password, besides doing all the work I wrote about above. You can’t get a password that only exists in someone’s (the user) head from decompiled code :).

More Related Contents:

  1. How to avoid reverse engineering of an APK file
  2. How do I prevent Android taking a screenshot when my app goes to the background?
  3. How to prevent Screen Capture in Android
  4. How to encrypt and decrypt file in Android?
  5. How permission can be checked at runtime without throwing SecurityException?
  6. Android SharedPreference security
  7. Restrict API requests to only my own mobile app
  8. How to securely store credentials (password) in Android application?
  9. android: Determine security type of wifi networks in range (without connecting to them)
  10. How to securely store access token and secret in Android?
  11. How to Secure Android Shared Preferences?
  12. How to keep the OAuth consumer secret safe, and how to react when it’s compromised?
  13. How to secure my app against piracy
  14. How to enable AutoStart option for my App in Xiaomi phone Security App programmatically in android
  15. How to prevent NFC tag cloning?
  16. Google Play security alert for insecure TrustManager
  17. How to use an API from my mobile app without someone stealing the token
  18. How to manage installation from Unknown Sources in Android Oreo?
  19. Listen to volume buttons in background service?
  20. Add and Remove Views in Android Dynamically?
  21. Intent action for network events in android sdk
  22. RecyclerView GridLayoutManager: how to auto-detect span count?
  23. android font size of tabs
  24. HAX kernel module is not installed
  25. Choosing photo using new Google Photos app is broken
  26. How to enable cookies in android webview?
  27. How can I download a video file to SD card?
  28. How to create a view that is bigger than the screen?
  29. How to make the textview blinking
  30. How to layer views

Leave a Comment