Open in app

Sign in

Write

Sign in

Pandiyan Mani
3 min readAug 18, 2021

--

Regarding App securtiy

Security plays an important role to get the trust of user to use our application from the market.When speaking about security there are some points we need to keep in mind while developing

1.Use implicit intents

If you want to transfer data between other application then by using implict intent list out all the data transfer app available for user from your system so that the user pick the app he trust more

Intent intent = new Intent(Intent.ACTION_SEND);
                List<ResolveInfo> possibleActivitiesList = getPackageManager()
                        .queryIntentActivities(intent, PackageManager.MATCH_ALL);

// Verify that an activity in at least two apps on the user's device
// can handle the intent. Otherwise, start the intent only if an app
// on the user's device can handle the intent.
                if (possibleActivitiesList.size() > 1) {

                    // Create intent to show chooser.
                    // Title is something similar to "Share this photo with".

                    String title = getResources().getString(R.string.chooser_title);
                    Intent chooser = Intent.createChooser(intent, title);
                    startActivity(chooser);
                } else if (intent.resolveActivity(getPackageManager()) != null) {
                    startActivity(intent);
                }

2.Apply signature-based permissions

if your communiction is between two application that you own then you can decalre protection level signature under permission tag so the app accessing the data will check weather the app is signed with same signing key.

<manifest xmlns:android="http://schemas.android.com/apk/res/android"
package="com.example.myapp">
<permission android:name="my_custom_permission_name"
            android:protectionLevel="signature" />

3.Ask for credentials before showing sensitive information

if you request user creditinals for showing sensitive information then before you should ask them Pin or pattern in order to conform there identity.

4.Disallow access to your app’s content providers

By making exported false under provider tag

<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.myapp">
    <application ... >
        <provider
                android:name="android.support.v4.content.FileProvider"
                android:authorities="com.example.myapp.fileprovider"
            ...
                android:exported="false">
            <!-- Place child elements of <provider> here. -->
        </provider>
        ...
    </application>
</manifest>

5.Proper access to webview

Load only trusted content on your webview dont allow user to navigate to other content on webview out of your control.

6.Add network security config

Specify all domain that should use http by disabling clear-text.

android:networkSecurityConfig="@xml/network_security_config"

Add an XML resource file, located at res/xml/network_security_config.xml

<network-security-config>
    <domain-config cleartextTrafficPermitted="false">
        <domain includeSubdomains="true">secure.example.com</domain>
        ...
    </domain-config>
</network-security-config>

7.Access limited permsission from user get permission from other app if its already granted with permission

Whenever possible, don’t add a permission to your app to complete an action that could be completed in another app. Instead, use an intent to defer the request to a different app that already has the necessary permission.

The following example shows how to use an intent to direct users to a contacts app instead of requesting the READ_CONTACTS and WRITE_CONTACTS permissions:


Intent insertContactIntent = new Intent(Intent.ACTION_INSERT);
insertContactIntent.setType(ContactsContract.Contacts.CONTENT_TYPE);

// Make sure that the user has a contacts app installed on their device.
if (insertContactIntent.resolveActivity(getPackageManager()) != null) {
    startActivity(insertContactIntent);
}

8.Store private data within internal storage

So it cann’t be accessed by other app and the information will get deleted as the app uninstall.

9.Store only non-sensitive data in cache files

if you contain any non sensitive information then store it on cache for fast access.

File cacheDir = getCacheDir();
File fileToCache = new File(myDownloadedFileUri);
String fileToCacheName = fileToCache.getName();
File cacheFile = new File(cacheDir.getPath(), fileToCacheName);

10.Use SharedPreferences in private mode

When using getSharedPreferences() to create or access your app's SharedPreferences objects, use MODE_PRIVATE. That way, only your app can access the information within the shared preferences file

11.Keep services and dependencies up-to-date

Most apps use external libraries and device system information to complete specialized tasks. By keeping your app’s dependencies up to date, you make these points of communication more secure.

Security

--

--

Pandiyan Mani

Written by Pandiyan Mani

83 Followers

Knowledge is everything.Check out my app at https://play.google.com/store/apps/details?id=com.tutorspot.com

Help

Status

About

Careers

Blog

Privacy

Terms

Text to speech

Teams