other techniques
- server: if possible, run the code at the server!
- String encryption: hide sensitive strings, e.g. "Secure"
- Native code: Java Native Interface
- reflection / Proxy: introduces indirection
- Class encryption: use DexGuard
local Data protection
- avoid storing data locally if you can
- Avoid external storage: never put sensitive information on external storage
- For critical info set android:saveEnabled="false"
- Backup: set android:allowBackup="false"
- proper permissions: use MODE_PRIVATE with files
local Data protection
- getWindow().setFlags(LayoutParams.FLAG_SECURE, LayoutParams.FLAG_SECURE); avoids screenshots
- LOGOUT on inactivity, if usability allows, and clear the cached information
GPS (Google Play Services) dynamic Security provider
- since Google Play Services 5
- a Google Play Services replacement for the platform's bundled provider
- rapid delivery of security patches
- frequently updated by Google
key derivation
- encryption keys: long random strings of bits
- people vs keys: users are familiar with passwords
- password based encryption: generate strong crypto keys based on humanly-manageable passwords
- crypto algorithm: PBKDF2WithHmacSHA1
proper key derivation
- SALT: using a salt protects from table-assisted / pre-computed dictionary attacks
- key stretching: repeat the key derivation operation multiple times to produce the final key; slows down brute force attacks
Effective security
"Using CryptoLint, we performed a study on cryptographic implementations in 11,748 Android applications. Overall we find that 10,327 programs – 88% in total – use cryptography inappropriately. The raw scale of misuse indicates a widespread misunderstanding of how to properly use cryptography in Android development."
suggested reading
- Android Security Cookbook, Keith Makan / Scott Alexander-Bown (9781782167167)
- Android Security Internals, Nikolay Elenkov (9781593275815)
- Android Hacker's Handbook, Joshua J. Drake et al. (9781118608647)
- Application Security for the Android Platform, Jeff Six (9781449315078)