Veracode’s new Are You Practicing Safe Coding? infographic has a section on Android-specific vulnerabilities. As it happens, this ties in well with enquiries from a client of mine who has been asking about the security of Android apps.
The infographic talks of information leakage and cryptographic flaws. What are these in terms of Android?
Information leakage is when sensitive information, for example a username and password, is unwittingly exposed to someone other than the user and the server that need it. In Android, this most often happens…
- When sending information to the server via http rather than https, so anyone on the network path (a shared Wi-Fi hotspot, say) can read it
- When storing information unencrypted in SharedPreferences or an SQLite database; the files are private to the app, but they are readable on a rooted device and can end up in a backup
- When writing debug trace information to logcat, which is readable over adb and, on older Android releases, by any app holding the READ_LOGS permission
- When giving the user an error message that inadvertently includes sensitive information
Cryptographic flaws, the other category the infographic calls out, most often come down to how keys are handled…
- Keys are generated with a pseudorandom number generator that isn’t cryptographically strong (java.util.Random rather than SecureRandom), or is seeded from something guessable, so the effective key space is small enough to be brute-forced
- Keys are hard-coded in the app. Remember, Java is extremely easy to reverse-engineer: the bytecode in an APK decompiles back to readable source with freely available tools, so a key sitting in a string or byte array is as good as public!
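To make both lists concrete, here is an added example (my own code, not from the infographic or from any app discussed above): a hypothetical login helper that commits every mistake listed, beside a safer version of the same flow. The package, class, URL and Keystore alias are made up; `BuildConfig` is assumed to be the Gradle-generated class in the same package; and the fix for key handling, an AES-GCM key generated inside the Android Keystore (API 23+), is my choice and is not something the post itself covers.

```java
package com.example.android.sec; // hypothetical package; class and method names are illustrative

import android.content.Context;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import android.util.Base64;
import android.util.Log;
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Arrays;
import java.util.Random;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.net.ssl.HttpsURLConnection;

public final class LoginClient {
    private static final String TAG = "LoginClient";
    private static final String PREFS = "login";
    private static final String KEY_ALIAS = "session-token"; // hypothetical Keystore alias

    /* ---------- Leaky version: each item from the lists above, deliberately wrong ---------- */

    // Hard-coded key (would be used as new SecretKeySpec(HARDCODED_KEY, "AES")): jadx or apktool
    // on the APK shows this literal in seconds, so anything encrypted under it is effectively plaintext.
    static final byte[] HARDCODED_KEY = "0123456789abcdef".getBytes(StandardCharsets.US_ASCII);

    // java.util.Random is a 48-bit linear congruential generator. Seeded from something guessable
    // (the install time here) the key space collapses to the seed space; an attacker who can bracket
    // the seed regenerates the exact key. SecureRandom, or better a Keystore key, is the fix.
    static byte[] weakKey(long installTime) {
        byte[] key = new byte[16];
        new Random(installTime).nextBytes(key);
        return key;
    }

    public static void loginLeaky(Context ctx, String user, String password) throws IOException {
        // Plain http: the credentials cross the network in clear text.
        HttpURLConnection conn = (HttpURLConnection) new URL("http://api.example.com/login").openConnection();
        int code = postForm(conn, user, password);
        // logcat: readable over adb and, on old Android releases, by any app holding READ_LOGS.
        Log.d(TAG, "login " + user + "/" + password + " -> " + code);
        // Plaintext secret in SharedPreferences: readable on a rooted device or from a backup.
        ctx.getSharedPreferences(PREFS, Context.MODE_PRIVATE).edit().putString("pass", password).apply();
        // Credentials and server detail end up in the user-facing error message.
        if (code != 200) throw new IOException("Login failed for " + user + "/" + password + ": " + conn.getResponseMessage());
    }

    /* ---------- Safer version ---------- */

    public static void loginSafer(Context ctx, String user, String password) throws IOException, GeneralSecurityException {
        // https: only the server sees the credentials (certificate validation is on by default).
        HttpsURLConnection conn = (HttpsURLConnection) new URL("https://api.example.com/login").openConnection();
        int code = postForm(conn, user, password);
        // Log only what is needed to debug, and only in debug builds.
        if (BuildConfig.DEBUG) Log.d(TAG, "login response code=" + code);
        // Generic message for the user; the detail stays on the server.
        if (code != 200) throw new IOException("Login failed");
        // Never persist the password. Keep a server-issued token (assumed here to be the response body),
        // sealed under a key that lives in the Android Keystore.
        String token = new BufferedReader(new InputStreamReader(conn.getInputStream(), StandardCharsets.UTF_8)).readLine();
        byte[] sealed = seal(token.getBytes(StandardCharsets.UTF_8));
        ctx.getSharedPreferences(PREFS, Context.MODE_PRIVATE).edit()
           .putString("token", Base64.encodeToString(sealed, Base64.NO_WRAP)).apply();
    }

    public static String storedToken(Context ctx) throws IOException, GeneralSecurityException {
        String b64 = ctx.getSharedPreferences(PREFS, Context.MODE_PRIVATE).getString("token", null);
        return b64 == null ? null : new String(open(Base64.decode(b64, Base64.NO_WRAP)), StandardCharsets.UTF_8);
    }

    // AES-256 key generated inside the Keystore: the key material never enters app memory,
    // so there is nothing to hard-code and nothing for a decompiler to find.
    private static SecretKey keystoreKey() throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        SecretKey existing = (SecretKey) ks.getKey(KEY_ALIAS, null);
        if (existing != null) return existing;
        KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore");
        kg.init(new KeyGenParameterSpec.Builder(KEY_ALIAS, KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .setKeySize(256)
                .build());
        return kg.generateKey();
    }

    private static byte[] seal(byte[] plaintext) throws IOException, GeneralSecurityException {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, keystoreKey()); // the Keystore draws a fresh 12-byte IV from its own CSPRNG
        byte[] iv = c.getIV(), ct = c.doFinal(plaintext);
        byte[] out = Arrays.copyOf(iv, iv.length + ct.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out; // iv || ciphertext || GCM tag
    }

    private static byte[] open(byte[] sealed) throws IOException, GeneralSecurityException {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, keystoreKey(), new GCMParameterSpec(128, Arrays.copyOf(sealed, 12)));
        return c.doFinal(sealed, 12, sealed.length - 12); // throws if the stored blob was tampered with
    }

    private static int postForm(HttpURLConnection conn, String user, String password) throws IOException {
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);
        String body = "user=" + URLEncoder.encode(user, "UTF-8") + "&pass=" + URLEncoder.encode(password, "UTF-8");
        try (OutputStream out = conn.getOutputStream()) {
            out.write(body.getBytes(StandardCharsets.UTF_8));
        }
        return conn.getResponseCode();
    }
}
```

To see the leaks for yourself on a debuggable build, call loginLeaky and then run `adb logcat -s LoginClient` and `adb shell run-as <package> cat shared_prefs/login.xml`: the password appears in both. After loginSafer the same commands show only a response code and a Base64 blob that cannot be opened without the device’s Keystore.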