Some security considerations for Android app development

Original address: http://www.javacodegeeks.com/2014/05/simple-tips-to-secure-android-app.html

Http://developer.android.com/training/articles/security-tips.html

Android already has security features built into the operating system that significantly reduce Application security issues frequency and impact , but as an application developer , we also need to be aware of security issues when developing applications. The security level depends on the type and domain of the application . here are Some of the potential security issues we need to be aware of , I have already collected this article.

here I list some of the most common things you need to protect your application in your development application:

1.do not store private or sensitive data on the SD card. to store files that are stored internally , use the following pattern (context.mode_private)openfileoutput & Openfileinput method . If you really want to store the data in an SD card , then encrypt it use.

2. Limit the use of ContentProvider by identifying exported flag as false, and certainly not necessarily in every application, except to be identified as false without interacting with other applications.

3. restricted webview to access Local data . HTML5 and related technologies have been widely used in Mobile Web applications or Mixed-type (hybird) applications. for hybrid , WebView displays html from Local storage or get HTML and other content from the server . Major security issues for webview are setallowfileaccess() and setallowcontentaccess () method .

4. No sensitive information is transmitted through Broadcastreceiver and Intent . in - process / application using localbroadcastmanager Broadcast data transfer . using localbroadcastmanager requires Supportv4.jar.

5. do not print sensitive information in the Logcat. like the username , password , urlof theWeb service , details such as request or response information .

6. Remove unnecessary log logs before the app goes live

7. do not receive the processing of some malicious forgery Intent. in the onreceive() method of the previous broadcastreceiver method Intentreceived, verify the caller 's package name , action and other information .

8. Add a custom permission to the service. If only your own app is used, you can add exported = False (same as ContentProvider).

9. Restrict access to activity, and add exported = False if only your own apps are used.

10. Make sure that debug mode is false before applying the release.

One by one. for cross- application functionality , the application responds before validating the call .

12. HTTPS-based access can be used for server authentication.

13. When you think that some variables or methods in the Java layer is easy to crack, you can change the corresponding variable to use JNI to get

using the Proguard file to confuse code

15. Remove unnecessary permissions from the from Androidmanifest.xml.

16. Use Dexclassloader to load the Dex file outside of the application with caution.