Keeping sensitive data safe on bespoke Android apps

It is of the utmost importance to us, as professional software engineers specialising in the development of cutting-edge, custom-made Android apps, that we keep the data entered by users of our bespoke Android apps safe, secure and private (e.g. information they enter as text on forms or indeed photos, videos or signatures they take via the enterprise Android apps we have custom-developed for them).

This is not just about encrypting data (which is of course very important); it is also about making sure we store data in the most appropriate locations with regard to security. For example, all private data should be stored in the app's internal storage, not in the device's shared storage (which can be accessed by other apps if you have accepted that they can 'access external storage' when installing those other apps). Of course, all network traffic (e.g. when syncing data with cloud servers) should be sent over SSL, and any third-party libraries or SDKs integrated with the Android apps we have developed will be kept up to date.

Each Android app we develop (in fact every Android app) has its own internal storage directory that is private to the app and not accessible by any other app on your device. No special permissions are required to access this directory (so users do not need to accept permissions on installation), and if the user uninstalls the app, these files are removed.

We follow industry best practice when developing bespoke Android apps to make sure they are as secure as possible!

Storing your Android app data safely and securely

When developing your custom-made Android apps we aim not to use any APIs that access personal data. However, if we need to access personal data (e.g. usernames, emails or passwords), we will always try not to store or transmit that data, to reduce the risk of hackers trying to exploit the bespoke Android app we have developed for you. Also, for privacy compliance (e.g. GDPR) we have to explain the use and storage of any personal information in an app-specific privacy policy; the less personal data we store, the easier it is to adhere to global privacy legislation.

If the enterprise Android app we develop for you requires access to sensitive data, we will evaluate whether we need to transmit it to a cloud server for processing (e.g. because we need to run CPU-intensive machine learning, or artificial intelligence, against the data) or whether we can run the operation on the client. We will always try to run code that uses sensitive data on the client, to avoid transmitting user data!

Likewise, if we need to create a GUID / UUID (globally unique identifier / universally unique identifier) in the app, we will not use identifiers such as the phone number or IMEI, as these could be associated with personal information. We will try to use Settings.Secure.ANDROID_ID, which is an integer value generated and stored when the device is first booted.

Also, when developing our bespoke Android apps we use a great Android operating system tool called Logcat, which dumps a log of all system messages (including stack traces when the device throws an error) as well as messages our Android app developers have written into your app with the Log class. Although these logs are automatically deleted whenever a device is rebooted, we make sure no sensitive data is included in these Logcat logs, because they are a shared resource available to any app with the READ_LOGS permission.
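As an added example (not code from the original page or from the company it describes), here are the two practices above in Kotlin: saving a completed form to the app's private internal storage with openFileOutput and MODE_PRIVATE, and a small Log wrapper that redacts email addresses and long digit runs before anything reaches Logcat. The object names PrivateFormStore and SafeLog and the regular expressions are assumptions of this example.

```kotlin
import android.content.Context
import android.util.Log
import java.io.File

// Assumed helper (not from the page): writes user-entered form data to the
// app's own internal storage directory, which is owned by the app's Linux UID
// and is not readable by other apps; no runtime permission is needed.
object PrivateFormStore {
    private const val TAG = "FormStore"

    /** Persists [contents] under Context.filesDir and returns the File. */
    fun save(context: Context, fileName: String, contents: String): File {
        // MODE_PRIVATE: the file is created under /data/data/<package>/files
        // and is accessible only to this app (never use external storage here).
        context.openFileOutput(fileName, Context.MODE_PRIVATE).use { out ->
            out.write(contents.toByteArray(Charsets.UTF_8))
        }
        val file = File(context.filesDir, fileName)
        // Log only metadata (name and size), never the form contents.
        SafeLog.i(TAG, "saved ${file.name} (${file.length()} bytes)")
        return file
    }

    /** Reads the file back from internal storage. */
    fun load(context: Context, fileName: String): String =
        context.openFileInput(fileName)
            .bufferedReader(Charsets.UTF_8)
            .use { it.readText() }
}

// Assumed helper (not from the page): a Log wrapper that masks values that
// commonly leak into Logcat, since any app holding READ_LOGS could read them.
object SafeLog {
    // Email addresses, and runs of 6+ digits (phone numbers, IMEIs, card numbers).
    private val EMAIL = Regex("""[\w.+-]+@[\w-]+(\.[\w-]+)+""")
    private val DIGITS = Regex("""\d{6,}""")

    fun redact(message: String): String =
        message.replace(EMAIL, "<email>").replace(DIGITS, "<number>")

    fun i(tag: String, message: String) {
        Log.i(tag, redact(message))
    }

    fun e(tag: String, message: String, throwable: Throwable? = null) {
        // Redact the message; the stack trace itself carries no user data.
        Log.e(tag, redact(message), throwable)
    }
}
```

Calling `SafeLog.i("Sync", "uploading profile for alice@example.com, tel 07123456789")` writes `uploading profile for <email>, tel <number>` to Logcat.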