1.Data Storage
overview |
Mobile apps often need to handle sensitive data related to users or business in certain scenarios (such as user logins), sometimes to meet certain business needs, and to store sensitive data locally, and if the data is not properly processed, there is a risk of a sensitive information leak. |
security guidelines |
a. Sensitive data is always prioritized for storage in the internal space. b. sensitive data, whether stored inside or outside the space, should be encrypted and then stored, avoiding direct plaintext storage. C. avoid storing sensitive data in globally accessible caches, such asLog, shearing plates, etc.). d. sensitive data to avoid hard coding in the code, the common user account password and encryption key and so on. |
Detailed description |
A. can useJDKprovided byJavax.cryptoPackage to add/decryption, note the choice of encryption algorithm and the key complexity policy (see section6Articles and appendices1). B. UseSystem.out.printSeries andAndroid.util.Logmethods of the class (for example,log.d ()logs are stored in the system buffer, and any application canLogcatcommand to view sensitive information in the cache (such as passwords andSessionIDand so on), soReleaseThe version should be removed primarily forDebugthe method. |
Note |
A. Common sensitive data has user passwords, user personal information, andSessionIDand so on, but some are strongly related to the business, and when it is not easy to judge, you can confirm with the security engineer. B. AndroidThe sandbox technology is used to isolate the internal storage space between different applications, but take into account the vulnerabilities of the application itself (such asSQLinjection) andROOTscenarios, it is necessary to encrypt the internal stored data. |
Tip: If IE does not display properly, use the Chrome browser
Mobile app Security Development Guide (Android)--Data storage