Regarding App securtiy
Security plays an important role to get the trust of user to use our application from the market.When speaking about security there are some points we need to keep in mind while developing
1.Use implicit intents
If you want to transfer data between other application then by using implict intent list out all the data transfer app available for user from your system so that the user pick the app he trust more
Intent intent = new Intent(Intent.ACTION_SEND);
List<ResolveInfo> possibleActivitiesList = getPackageManager()
.queryIntentActivities(intent, PackageManager.MATCH_ALL);
// Verify that an activity in at least two apps on the user's device
// can handle the intent. Otherwise, start the intent only if an app
// on the user's device can handle the intent.
if (possibleActivitiesList.size() > 1) {
// Create intent to show chooser.
// Title is something similar to "Share this photo with".
String title = getResources().getString(R.string.chooser_title);
Intent chooser = Intent.createChooser(intent, title);
startActivity(chooser);
} else if (intent.resolveActivity(getPackageManager()) != null) {
startActivity(intent);
}
2.Apply signature-based permissions
if your communiction is between two application that you own then you can decalre protection level signature under permission tag so the app accessing the data will check weather the app is signed with same signing key.
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
package="com.example.myapp">
<permission android:name="my_custom_permission_name"
android:protectionLevel="signature" />
3.Ask for credentials before showing sensitive information
if you request user creditinals for showing sensitive information then before you should ask them Pin or pattern in order to conform there identity.
4.Disallow access to your app’s content providers
By making exported false under provider tag
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
package="com.example.myapp">
<application ... >
<provider
android:name="android.support.v4.content.FileProvider"
android:authorities="com.example.myapp.fileprovider"
...
android:exported="false">
<!-- Place child elements of <provider> here. -->
</provider>
...
</application>
</manifest>
5.Proper access to webview
Load only trusted content on your webview dont allow user to navigate to other content on webview out of your control.
6.Add network security config
Specify all domain that should use http by disabling clear-text.
android:networkSecurityConfig="@xml/network_security_config"
Add an XML resource file, located at
res/xml/network_security_config.xml
<network-security-config>
<domain-config cleartextTrafficPermitted="false">
<domain includeSubdomains="true">secure.example.com</domain>
...
</domain-config>
</network-security-config>
7.Access limited permsission from user get permission from other app if its already granted with permission
Whenever possible, don’t add a permission to your app to complete an action that could be completed in another app. Instead, use an intent to defer the request to a different app that already has the necessary permission.
The following example shows how to use an intent to direct users to a contacts app instead of requesting the
READ_CONTACTS
andWRITE_CONTACTS
permissions:
Intent insertContactIntent = new Intent(Intent.ACTION_INSERT);
insertContactIntent.setType(ContactsContract.Contacts.CONTENT_TYPE);
// Make sure that the user has a contacts app installed on their device.
if (insertContactIntent.resolveActivity(getPackageManager()) != null) {
startActivity(insertContactIntent);
}
8.Store private data within internal storage
So it cann’t be accessed by other app and the information will get deleted as the app uninstall.
9.Store only non-sensitive data in cache files
if you contain any non sensitive information then store it on cache for fast access.
File cacheDir = getCacheDir();
File fileToCache = new File(myDownloadedFileUri);
String fileToCacheName = fileToCache.getName();
File cacheFile = new File(cacheDir.getPath(), fileToCacheName);
10.Use SharedPreferences in private mode
When using
getSharedPreferences()
to create or access your app'sSharedPreferences
objects, useMODE_PRIVATE
. That way, only your app can access the information within the shared preferences file11.Keep services and dependencies up-to-date
Most apps use external libraries and device system information to complete specialized tasks. By keeping your app’s dependencies up to date, you make these points of communication more secure.