Safe Coding for Android Apps

Veracode’s new “Are You Practicing Safe Coding?” infographic has a section on Android-specific vulnerabilities. As it happens, this ties in well with enquiries from a client of mine who has been asking about the security of Android apps.


The infographic talks of information leakage and cryptographic flaws. What are these in terms of Android?

Information leakage is when sensitive information, for example a username or password, is unwittingly exposed. In Android, this most often happens…

  • When sending information to the server over plain http rather than https, where anyone on the network path can read it
  • When storing information unencrypted in SharedPreferences or an SQLite database; those files are readable on a rooted device and, unless backups are disabled, via adb backup
  • When writing debug trace information to logcat; before Android 4.1 any app holding the READ_LOGS permission could read it, and anyone with adb access to the device still can
  • When giving the user an error message that inadvertently includes sensitive information
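The four leaks above, and their fixes, in one place. This is an added Java example written for this post, not code from the Veracode infographic or from any real app; the endpoint URLs, the “creds” and “session” preference files, the key names and the assumption that the server answers a good login with a revocable session token in the response body are all made up for illustration.

```java
import android.content.Context;
import android.content.SharedPreferences;
import android.util.Log;
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import javax.net.ssl.HttpsURLConnection;

// Added example, not code from the infographic or from any real app. The same
// login call written the leaky way and the safe way. URLs, preference file
// names and key names are assumptions made up for illustration.
public final class LoginExamples {
    private static final String TAG = "Login";

    // ---- the leaky version: all four leaks from the list above ----
    public static final class LoginLeaky {
        // Leak 1: plain http, so the credentials cross the network in clear.
        private static final String LOGIN_URL = "http://example.com/login";

        public static void login(Context ctx, String user, String password) throws IOException {
            // Leak 3: the password is written to logcat. Before Android 4.1 any
            // app holding READ_LOGS could read it; anyone with adb still can.
            Log.d(TAG, "logging in as " + user + " with password " + password);

            HttpURLConnection conn = (HttpURLConnection) new URL(LOGIN_URL).openConnection();
            String token = post(conn, form(user, password));

            // Leak 2: the password itself is persisted, in clear, to
            // /data/data/<pkg>/shared_prefs/creds.xml.
            SharedPreferences prefs = ctx.getSharedPreferences("creds", Context.MODE_PRIVATE);
            prefs.edit().putString("user", user).putString("password", password).apply();

            if (token == null) {
                // Leak 4: the error text shown to the user (and copied into
                // screenshots and bug reports) echoes the secret back.
                throw new IOException("Login failed for " + user + " / " + password);
            }
        }
    }

    // ---- the safe version ----
    public static final class LoginSafe {
        // Fix 1: https. The cast to HttpsURLConnection below also fails fast
        // (ClassCastException) if somebody later edits this back to http://.
        private static final String LOGIN_URL = "https://example.com/login";
        private static final String PREFS = "session";
        private static final String KEY_SESSION = "session_token";

        public static boolean login(Context ctx, String user, String password) throws IOException {
            // Fix 3: log the event, never the credential.
            Log.d(TAG, "login attempt");

            HttpsURLConnection conn = (HttpsURLConnection) new URL(LOGIN_URL).openConnection();
            String token = post(conn, form(user, password));
            if (token == null) {
                // Fix 4: the caller shows the user a generic message; the
                // detail goes to the log, still without the secret.
                Log.w(TAG, "login rejected, HTTP " + conn.getResponseCode());
                return false;
            }
            // Fix 2: persist only the revocable token, never the password.
            // Anything that really must be encrypted at rest should use a key
            // held in the Android Keystore, not one stored beside the data.
            ctx.getSharedPreferences(PREFS, Context.MODE_PRIVATE)
               .edit().putString(KEY_SESSION, token).apply();
            return true;
        }
    }

    // Shared plumbing: form-encode the fields and POST them, returning the
    // first line of the response body on HTTP 200 or null otherwise.
    private static String form(String user, String password) throws IOException {
        return "user=" + URLEncoder.encode(user, "UTF-8")
             + "&password=" + URLEncoder.encode(password, "UTF-8");
    }

    private static String post(HttpURLConnection conn, String body) throws IOException {
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);
        conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
        try (OutputStream out = conn.getOutputStream()) {
            out.write(body.getBytes(StandardCharsets.UTF_8));
        }
        if (conn.getResponseCode() != HttpURLConnection.HTTP_OK) {
            return null;
        }
        try (BufferedReader in = new BufferedReader(
                new InputStreamReader(conn.getInputStream(), StandardCharsets.UTF_8))) {
            return in.readLine();
        }
    }
}
```

Both `login` methods do network I/O, so call them from a background thread (an `AsyncTask` or a plain `Thread`), never from the UI thread. A quick check for the first three leaks on a test device: run `adb logcat` while logging in and grep for the password, then pull `shared_prefs/*.xml` from the app’s data directory and look inside; if either shows the secret, you have the leaky version.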
Cryptographic flaws occur when…
  • Keys are created using pseudorandom number generators that aren’t really random, for example java.util.Random seeded from the clock, so the effective key space is small enough for an attacker to brute force
  • Keys are hard-coded in the app. Remember, Java (and Dalvik bytecode with it) is extremely easy to decompile, so a key in the APK is effectively public!
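Both cryptographic flaws side by side with their fixes, as an added Java example written for this post rather than taken from the infographic or any real app. The key alias “app-data-key” is an assumption, the hard-coded key is a deliberately bad placeholder, and the Android Keystore builder shown needs API 23 or later.

```java
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.util.Random;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Added example, not from the infographic. Two flawed ways of obtaining an AES
// key, the two fixes, and an AES-GCM encrypt/decrypt pair that works with any
// of them. The alias "app-data-key" is an assumption for illustration.
public final class KeyExamples {

    // Flaw 2: a key baked into the APK. dex2jar plus any Java decompiler, or
    // simply `strings classes.dex`, hands it to an attacker in seconds.
    private static final byte[] HARDCODED_KEY =
            "0123456789abcdef".getBytes(StandardCharsets.US_ASCII);

    static SecretKey hardcodedKey() {
        return new SecretKeySpec(HARDCODED_KEY, "AES");
    }

    // Flaw 1: java.util.Random is a 48-bit linear congruential generator. Seeded
    // from the clock, the only unknown is the millisecond it ran: roughly 3e10
    // candidate seeds for a whole year, not the 2^128 keys AES-128 promises.
    static SecretKey weakRandomKey() {
        byte[] k = new byte[16];
        new Random(System.currentTimeMillis()).nextBytes(k);
        return new SecretKeySpec(k, "AES");
    }

    // Fix 1: draw key material from the OS CSPRNG via SecureRandom/KeyGenerator.
    // (Android 4.3 and earlier had a seeding bug in SecureRandom itself; see
    // Google's 2013 "Some SecureRandom Thoughts" post and its PRNGFixes class.)
    static SecretKey strongRandomKey() throws GeneralSecurityException {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256, new SecureRandom());
        return kg.generateKey();
    }

    // Fix 2: generate the key inside the Android Keystore (API 23+ for this
    // builder). The key material never leaves the keystore daemon, or the TEE
    // where hardware backing exists, so there is nothing in the APK to
    // decompile and nothing in the app's files to copy.
    static SecretKey keystoreKey(String alias) throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        if (ks.containsAlias(alias)) {
            return (SecretKey) ks.getKey(alias, null);
        }
        KeyGenerator kg = KeyGenerator.getInstance(
                KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore");
        kg.init(new KeyGenParameterSpec.Builder(alias,
                        KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .build());
        return kg.generateKey();
    }

    // AES-GCM with the IV length and IV prepended to the ciphertext. A keystore
    // key insists on choosing its own IV, so it is read back with getIV().
    static byte[] encrypt(SecretKey key, byte[] plaintext) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key);
        byte[] iv = c.getIV();
        byte[] ct = c.doFinal(plaintext);
        byte[] out = new byte[1 + iv.length + ct.length];
        out[0] = (byte) iv.length;
        System.arraycopy(iv, 0, out, 1, iv.length);
        System.arraycopy(ct, 0, out, 1 + iv.length, ct.length);
        return out;
    }

    static byte[] decrypt(SecretKey key, byte[] blob) throws GeneralSecurityException {
        int ivLen = blob[0];
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, blob, 1, ivLen));
        return c.doFinal(blob, 1 + ivLen, blob.length - 1 - ivLen);
    }
}
```

On API 18 to 22 the Android Keystore can only generate asymmetric keys (via KeyPairGeneratorSpec), so there the usual pattern is a `strongRandomKey()` wrapped with an RSA keystore key and stored alongside the data; below API 18 there is no keystore to lean on, and a key derived from something the user types is the only material that is not sitting in the APK or on disk.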
All Android developers should consider these things but, as the Veracode study showed, there’s a high percentage of insecure apps out there. If you are a developer at fault, clean up your act. If you are commissioning an app, think carefully about finding a reputable mobile developer.