Regarding App security

Security plays an important role in earning users' trust when they install our application from the market. When speaking about security, there are some points we need to keep in mind while developing:

1.Use implicit intents

If you want to transfer data to another application, use an implicit intent: the system then lists every app that can handle the transfer, and the user picks the one they trust most.

Intent intent = new Intent(Intent.ACTION_SEND);
List<ResolveInfo> possibleActivitiesList = getPackageManager()
        .queryIntentActivities(intent, PackageManager.MATCH_ALL);

// Verify that an activity in at least two apps on the user's device
// can handle the intent. Otherwise, start the intent only if an app
// on the user's device can handle the intent.
if (possibleActivitiesList.size() > 1) {

    // Create intent to show chooser.
    // Title is something similar to "Share this photo with".
    String title = getResources().getString(R.string.chooser_title);
    Intent chooser = Intent.createChooser(intent, title);
    startActivity(chooser);
} else if (intent.resolveActivity(getPackageManager()) != null) {
    startActivity(intent);
}

2.Apply signature-based permissions

If the communication is between two applications that you own, declare the permission with protectionLevel="signature" under the permission tag. The system then grants that permission only to apps signed with the same signing key, so the app exposing the data effectively checks that the caller shares its certificate.

<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.myapp">
    <!-- signature: granted only to apps signed with the same certificate as this one -->
    <permission android:name="my_custom_permission_name"
        android:protectionLevel="signature" />
</manifest>

3.Ask for credentials before showing sensitive information

Before showing sensitive information, ask the user to confirm their identity with their PIN, pattern or password.
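As an added illustration (not code from the original post), the following Activity asks the system to confirm the user's PIN, pattern or password before it shows anything sensitive, using KeyguardManager.createConfirmDeviceCredentialIntent(). The request code, the layout R.layout.activity_sensitive_data and the prompt strings are assumptions made for this example.

```java
import android.app.Activity;
import android.app.KeyguardManager;
import android.content.Context;
import android.content.Intent;
import android.os.Bundle;
import android.widget.Toast;

public class SensitiveDataActivity extends Activity {
    // Hypothetical request code used to recognise the credential result.
    private static final int REQUEST_CONFIRM_CREDENTIALS = 42;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // Run the check from onCreate, not onResume: returning from the system
        // prompt resumes this Activity and would re-trigger the prompt.
        requireDeviceCredential();
    }

    /** Launch the system lock-screen prompt before revealing anything sensitive. */
    private void requireDeviceCredential() {
        KeyguardManager keyguard =
                (KeyguardManager) getSystemService(Context.KEYGUARD_SERVICE);
        // createConfirmDeviceCredentialIntent() returns null when the user has
        // no PIN, pattern or password set. Treat that as "not verified".
        Intent confirm = keyguard.createConfirmDeviceCredentialIntent(
                "Confirm it's you",
                "Enter your PIN, pattern or password to view your account details");
        if (confirm == null) {
            onCredentialUnavailable();
            return;
        }
        startActivityForResult(confirm, REQUEST_CONFIRM_CREDENTIALS);
    }

    @Override
    protected void onActivityResult(int requestCode, int resultCode, Intent data) {
        super.onActivityResult(requestCode, resultCode, data);
        if (requestCode != REQUEST_CONFIRM_CREDENTIALS) {
            return;
        }
        if (resultCode == RESULT_OK) {
            showSensitiveData();   // reached only after the system verified the user
        } else {
            finish();              // cancelled or failed: leave without showing anything
        }
    }

    private void onCredentialUnavailable() {
        // No screen lock configured: do not fall back to showing the data.
        Toast.makeText(this, "Set up a screen lock to view this information",
                Toast.LENGTH_LONG).show();
        finish();
    }

    private void showSensitiveData() {
        // Hypothetical layout: bind the sensitive values to the UI here.
        setContentView(R.layout.activity_sensitive_data);
    }
}
```

createConfirmDeviceCredentialIntent() returns null when no screen lock is set; the example treats that as a failure rather than falling back to showing the data. On API 30 and later the method is deprecated in favour of BiometricPrompt with device credentials allowed, but the pattern is the same: render the data only from the success path.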

4.Disallow access to your app’s content providers

Set android:exported="false" on the provider tag so that no other app can read from or write to your content provider.

<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.myapp">
    <application ... >
        <provider
            android:name="android.support.v4.content.FileProvider"
            android:authorities="com.example.myapp.fileprovider"
            ...
            android:exported="false">
            <!-- Place child elements of <provider> here. -->
        </provider>
        ...
    </application>
</manifest>

5.Control what your WebView can access

Load only trusted content in your WebView, and don't let the user navigate to content outside your control.
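The following helper is an added example, not code from the original post: it hardens a WebView's settings and installs a WebViewClient that allows navigation only to an HTTPS allow-list. TRUSTED_HOSTS, the class name and the start URL check are assumptions made for this example.

```java
import android.net.Uri;
import android.webkit.WebResourceRequest;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;

import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

/** Restricts a WebView to an allow-list of HTTPS origins (example helper). */
public final class TrustedWebView {
    // Hypothetical allow-list; replace with the hosts you actually serve.
    private static final Set<String> TRUSTED_HOSTS = Collections.unmodifiableSet(
            new HashSet<>(Arrays.asList("help.example.com", "www.example.com")));

    private TrustedWebView() {}

    /** True only for https:// URLs whose host is exactly on the allow-list. */
    public static boolean isTrusted(Uri uri) {
        if (uri == null || !"https".equalsIgnoreCase(uri.getScheme())) {
            return false;
        }
        String host = uri.getHost();
        // Exact match: a host that merely contains or extends a trusted name must not pass.
        return host != null && TRUSTED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }

    /** Apply hardened settings and install a client that blocks untrusted navigation. */
    public static void configure(WebView webView, String startUrl) {
        WebSettings settings = webView.getSettings();
        settings.setJavaScriptEnabled(false);            // enable only if the trusted pages need it
        settings.setAllowFileAccess(false);              // no file:// reads from the WebView
        settings.setAllowContentAccess(false);           // no content:// provider reads
        settings.setAllowFileAccessFromFileURLs(false);
        settings.setAllowUniversalAccessFromFileURLs(false);

        webView.setWebViewClient(new WebViewClient() {
            // WebResourceRequest overload: API 24 and later.
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                // Returning true cancels the navigation inside the WebView.
                return !isTrusted(request.getUrl());
            }
        });

        // Refuse to start on anything that is not on the allow-list either.
        if (!isTrusted(Uri.parse(startUrl))) {
            throw new IllegalArgumentException("start URL is not on the allow-list: " + startUrl);
        }
        webView.loadUrl(startUrl);
    }
}
```

shouldOverrideUrlLoading() is consulted for top-level navigations only; to filter subresource requests (frames, scripts, XHR) as well, override shouldInterceptRequest() with the same isTrusted() check. The host comparison is deliberately an exact match: prefix or suffix matching would let unrelated hosts that merely contain a trusted name through.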

6.Add network security config

List the domains whose traffic must be HTTPS only by disabling clear-text (plain HTTP) traffic for them. Reference the configuration file from the application element of your manifest:

android:networkSecurityConfig="@xml/network_security_config"

Then add the XML resource file at res/xml/network_security_config.xml:

<network-security-config>
    <domain-config cleartextTrafficPermitted="false">
        <domain includeSubdomains="true">secure.example.com</domain>
        ...
    </domain-config>
</network-security-config>

7.Request the fewest permissions: defer to another app that already holds the permission

Whenever possible, don’t add a permission to your app to complete an action that could be completed in another app. Instead, use an intent to defer the request to a different app that already has the necessary permission.

The following example shows how to use an intent to direct users to a contacts app instead of requesting the READ_CONTACTS and WRITE_CONTACTS permissions:

Intent insertContactIntent = new Intent(Intent.ACTION_INSERT);
insertContactIntent.setType(ContactsContract.Contacts.CONTENT_TYPE);

// Make sure that the user has a contacts app installed on their device.
if (insertContactIntent.resolveActivity(getPackageManager()) != null) {
    startActivity(insertContactIntent);
}

8.Store private data within internal storage

Files in internal storage cannot be read by other apps, and they are deleted when the user uninstalls the app.

9.Store only non-sensitive data in cache files

If you have non-sensitive data that you read often, store it in the cache directory for fast access; keep anything sensitive out of it.

File cacheDir = getCacheDir();                      // app-private cache dir; the system may purge it when storage is low
File fileToCache = new File(myDownloadedFileUri);   // path of the downloaded (non-sensitive) file
String fileToCacheName = fileToCache.getName();
File cacheFile = new File(cacheDir.getPath(), fileToCacheName);

10.Use SharedPreferences in private mode

When using getSharedPreferences() to create or access your app's SharedPreferences objects, use MODE_PRIVATE. That way, only your app can access the information within the shared preferences file.
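Putting points 8 and 10 together, the following helper is an added example (not code from the original post) that writes a secret to internal storage with MODE_PRIVATE, reads it back, and opens SharedPreferences in MODE_PRIVATE. The file and preference names are assumptions made for this example.

```java
import android.content.Context;
import android.content.SharedPreferences;

import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;

/** Keeps app-private data inside the app sandbox (internal storage, MODE_PRIVATE). */
public final class PrivateStore {
    // Hypothetical names used by this example.
    private static final String PREFS_NAME = "session";
    private static final String TOKEN_FILE = "session_token.txt";

    private PrivateStore() {}

    /** openFileOutput(..., MODE_PRIVATE) creates the file under getFilesDir(), owner-only. */
    public static void saveToken(Context context, String token) throws IOException {
        try (FileOutputStream out = context.openFileOutput(TOKEN_FILE, Context.MODE_PRIVATE)) {
            out.write(token.getBytes(StandardCharsets.UTF_8));
        }
    }

    /** Returns the stored token, or null if none has been written yet. */
    public static String loadToken(Context context) throws IOException {
        File file = new File(context.getFilesDir(), TOKEN_FILE);
        if (!file.exists()) {
            return null;
        }
        try (FileInputStream in = context.openFileInput(TOKEN_FILE)) {
            byte[] buf = new byte[(int) file.length()];
            int read = 0;
            while (read < buf.length) {
                int n = in.read(buf, read, buf.length - read);
                if (n < 0) break;
                read += n;
            }
            return new String(buf, 0, read, StandardCharsets.UTF_8);
        }
    }

    /** MODE_PRIVATE: the XML file under shared_prefs/ is readable by this app only. */
    public static SharedPreferences prefs(Context context) {
        return context.getSharedPreferences(PREFS_NAME, Context.MODE_PRIVATE);
    }

    /** Non-secret setting kept in preferences; the token itself never goes to getCacheDir(). */
    public static void rememberLastLogin(Context context, long epochMillis) {
        prefs(context).edit().putLong("last_login", epochMillis).apply();
    }

    /** Remove everything this class wrote, e.g. on logout. */
    public static void clear(Context context) {
        context.deleteFile(TOKEN_FILE);
        prefs(context).edit().clear().apply();
    }
}
```

Files under getFilesDir() and the shared_prefs directory belong to the app's own Linux UID and are removed on uninstall. MODE_WORLD_READABLE and MODE_WORLD_WRITEABLE have been deprecated since API 17 and throw a SecurityException from API 24, so MODE_PRIVATE is the only mode to use.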

11.Keep services and dependencies up-to-date

Most apps use external libraries and device system information to complete specialized tasks. By keeping your app’s dependencies up to date, you make these points of communication more secure.