Android App Security
We take mobile app security very seriously! The bespoke enterprise Android apps we develop for UK businesses manage business-critical data and corporate intellectual property and our clients need to know that we do our utmost during the development of their custom-made Android apps to protect them from risk of financial loss, brand reputation damage, intellectual property theft or indeed government penalties.
When coding our bespoke Android apps we pay particular attention to the following:
- Managing Android app login credentials in a secure manner
- Where we store the data that is consumed by the Android app
- Using high level cryptography to protect data stored in the custom-made Android apps we develop
- How we use networking (e.g. Internet access) to sync data between our Android apps and corporate cloud/server based systems
- Performing robust input validation on any data entered via the app which is then stored or transmitted
- Handling any personal data on the Android app in a way that adheres to privacy legislation such as GDPR
- Only asking the user to accept the bare minimum of permissions needed to use the Android app
- Never using WebViews in our bespoke Android apps (see below for why not)
Below are just a few of the common security issues which Android app developers can unknowingly introduce into their code when developing bespoke Android apps. Because we are aware of these security issues, we make sure our Android app development team does not introduce these vulnerabilities into the Android apps we develop.
Intent Scheme Hijacking Vulnerability
Here WebViews are the culprit: malicious web content can trick a WebView into sending Intents (via Intent.parseUri) to app components, leading to the theft of data.
Cross-App Scripting Vulnerability
File-based XSS Vulnerability
Malicious web content or networks can inject scripts to redirect the WebView to a malicious local file and launch a Cross-Site Scripting attack to access private local files or cookies.
SQL Injection Vulnerability
Just as with web apps, Android apps are vulnerable to SQL Injection attacks, where a malicious app can supply crafted input to access private data or corrupt database contents. Just as with server-based SQL databases, the SQLite database on Android can be protected against SQL Injection by using parameters: we enable strict mode with a projection map for queries, and when updating or deleting data in the Android app's SQLite database we use a selection clause with '?' as a replaceable parameter together with a separate array of selection arguments.
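As an added illustration (not the page's own code), the string-concatenation form beside the parameterised form described above, using the standard android.database.sqlite APIs; the table name, column names and class name are assumptions for this example.

```java
import android.content.ContentValues;
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;
import android.database.sqlite.SQLiteQueryBuilder;
import java.util.HashMap;
import java.util.Map;

public final class NotesDao {
    // Table and column names are assumptions for this example.
    private static final String TABLE = "notes";
    private static final Map<String, String> PROJECTION_MAP = new HashMap<>();
    static {
        // Only these columns may be referenced in a projection or selection.
        PROJECTION_MAP.put("_id", "_id");
        PROJECTION_MAP.put("title", "title");
        PROJECTION_MAP.put("body", "body");
    }

    // VULNERABLE: the caller-supplied value is spliced into the SQL text,
    // so an input containing a quote character can change the query's logic.
    public static Cursor findByTitleUnsafe(SQLiteDatabase db, String title) {
        return db.rawQuery("SELECT _id, title, body FROM " + TABLE
                + " WHERE title = '" + title + "'", null);
    }

    // SAFE: strict mode verifies the selection against the projection map,
    // and '?' binds the value as data rather than as SQL.
    public static Cursor findByTitle(SQLiteDatabase db, String title) {
        SQLiteQueryBuilder qb = new SQLiteQueryBuilder();
        qb.setTables(TABLE);
        qb.setStrict(true);
        qb.setProjectionMap(PROJECTION_MAP);
        return qb.query(db, new String[] {"_id", "title", "body"},
                "title = ?", new String[] {title}, null, null, null);
    }

    // SAFE: update and delete take a where clause with '?' placeholders
    // and a separate array of arguments, so the id is never part of the SQL.
    public static int updateBody(SQLiteDatabase db, long id, String body) {
        ContentValues values = new ContentValues();
        values.put("body", body);
        return db.update(TABLE, values, "_id = ?",
                new String[] {String.valueOf(id)});
    }

    public static int deleteById(SQLiteDatabase db, long id) {
        return db.delete(TABLE, "_id = ?", new String[] {String.valueOf(id)});
    }
}
```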