Tips to Increase Android App Security

Android apps are used by millions across the globe. These are practical apps, known for their frugality. And since so many users rely on them for their daily tasks, businesses need to ensure these apps are completely safe and secure to add personal data. Thus, this blog lists some tips to increase Android app security, allowing users to leverage them without having any doubts in mind.   

But let’s start with why it is important to increase the security of an Android app.   

Why should you prioritize security in Android app development?   

Android has more than 2.5 billion active users spanning over 190 countries. And with so much power, also comes great responsibility. Hence, businesses developing Android apps need to develop secure apps since the personal data or sensitive information of so many users is at stake upon usage.   

Moreover, since Google has designed its system to be more open-source natured and flexible, it is more prone to attacks. In fact, 97% of all malware attacking smartphones target Android. It has the largest market share worldwide; about 85%, which makes Android the number 1 smartphone target for hackers and criminals.   

Additionally, the app review process of the Google Play Store is much more lenient than the Apple App Store. The apps once submitted to be published only take a couple of hours to get published. This is one of the reasons that trends and challenges for Android apps always have security as a pointer.  

Since the process of setting up and publishing the app has loopholes and fewer restrictions, businesses and developers need to walk the extra mile to ensure that their users feel completely safe using their Android app.  

Also read: Best Android App Development Frameworks for Developers 

Top Tips to Increase Android App Security  

Android phones are economical and so are the apps. Thus, price-conscious people go for these smartphones and apps for their practicality and cost-effectiveness. It is, in fact, the most popular operating system in the world.   

For the same reason, businesses going for Android app development need to ensure that the apps are secure and suitable for usage.  

While these apps, through their high performance, can help businesses earn big bucks and flourish, they can also dent their brand image in the marketplace due to their security issues. This is because  25% of the 2 million applications available on Google Play alone include a security flaw. Thus, businesses and Android developers need to take note of these tips that could prevent Android apps from having security problems.  

The following are the best tips for improving Android app security:   

Mobile App Security Best Practice

Ways to improve Android App Security 

Ensure secure communication  

Secure communication is a crucial element of any software development, especially Android app development. Enforcing it ensures the protection of sensitive information of users.   

The data exchanged between apps and servers is encrypted and safeguarded from unauthorized or unwanted access. Ensuring secure communication facilitates cyber threats and risk management for businesses and builds trust among users through the maintenance of user privacy and data security.   

Here are a few ways a business or developers could ensure secure communication for Android apps:  

  • Data transmission between apps  

The following steps need to be taken for secure communication between apps:   

Step 1: App chooser option for the user  

At the time of launching an intent to build communication between two or more apps, display an app chooser for users to select the relevant app. This facilitates trusted and authorized communication.   

Programming for the same is:   

Intent intent = new Intent(ACTION_SEND);  

intent.setType(“text/plain”);  

startActivity(Intent.createChooser(intent, “Share via”));

Step 2: Enable Signature-Based Permissions  

Implement signature-based permissions so that only the apps signed with relevant and authentic certifications can access your app’s components. This protects the sensitive functionalities of the Android app from misuse.   

The following command could be used to implement the same:   

<permission android:name=”com.example.permission.SEND_DATA” />  

<uses-permission android:name=”com.example.permission.SEND_DATA” />

Step 3: Restrict access for the app’s content providers  

The manifest file should contain appropriate permissions for apps that expose content providers. The access should be restricted to maximize security.   

The command for the same is:   

<provider  

    android:name=”.MyContentProvider”  

    android:authorities=”com.example.provider”  

    android:exported=”false”  

    android:readPermission=”com.example.permission.READ_PROVIDER”  

    android:writePermission=”com.example.permission.WRITE_PROVIDER” />
  • Demand credentials before sharing sensitive data  

Ask users for credentials like a PIN or password before sharing or displaying any sensitive information on your app.   

Use the following command for it:   

private void showSensitiveInformation() {   

    if (userIsAuthenticated()) {   

        // Show the sensitive information   

    } else {   

        // Prompt the user for credentials   

        showLoginScreen();   

    }   

}
  • Implement network security measures  

Step 1: Creation of network security configuration  

This file should be added for the definition or security measures for network connections, such as communicating allowed protocols, cipher suites, as well as certificate authorities.  

<?xml version=”1.0″ encoding=”utf-8″?>   

<network-security-config>   

    <base-config>   

        <trust-anchors>   

            <certificates src=”system” />   

            <certificates src=”@raw/custom_ca” />   

        </trust-anchors>   

        <debug-overrides>   

            <trust-anchors>   

                <certificates src=”user” />   

            </trust-anchors>   

        </debug-overrides>   

    </base-config>   

</network-security-config>

Step 2: The creation of own trust manager  

The SSL certificates could be optimized for security and trust through the creation of a custom trust manager. This would facilitate additional checks or validation of certificates against a particular trust store.   

Apply the following command:   

TrustManager[] trustManagers = new TrustManager[] { new CustomTrustManager() };   

SSLContext sslContext = SSLContext.getInstance(“TLS”);   

sslContext.init(null, trustManagers, null);
  • Careful usage of WebView objects  

At the time of communicating between JavaScript code that is running in a WebView and native Android code, always make use of HTML message channels to exchange messages securely.   

By using HTML message channels, injection attacks could be prevented along with the blocking of unauthorized access to sensitive data.   

The following command must be implemented:   

if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.KITKAT) {   

    WebView.setWebContentsDebuggingEnabled(false);   

}   

WebView webView = findViewById(R.id.webView);   

webView.getSettings().setJavaScriptEnabled(true);   

webView.addJavascriptInterface(new MyJavaScriptInterface(), “Android”);   

webView.loadUrl(“https://www.example.com”);   

function sendMessageToAndroid(message) {   

    Android.processMessage(message);   

}

Use these tips to maximize the security of your app, and hence, the trust of your Android app users.   

Secure your app network with HTTPS  

It is a must to use HTTPS (SSL/TLS) if you want your communication between your Android app and the backend server to remain a hacker-free zone. This encryption ensures that the data is transferred securely, and the app is protected against man-in-the-middle attacks that intercept and modify data exchanged between the client and the server.  

Encrypt your data   

Encryption is essential to protect user’s data in your Android app. It protects both, the stored data as well as the data transmitted between the app and the server. You can either use Android’s in-built encryption APIs for data encryption on the device or use third-party encryption libraries for encryption of the data transferred.   

Two-factor authentication is the way to go  

Android’s app security could be enhanced by the implementation of two-factor authentication or 2FA. With this feature, users are required to provide an additional form of authentication, besides their username and password to get access to the software.   

One-time codes could be sent to the user’s registered contact number or email, or biometric authentication could also be used such as facial recognition. By using 2FA, your app has a second or an extra layer of protection for users, even if the hacker has the login credentials.   

Ensure proper session management  

Session management should be carefully implemented to ensure that only legitimate and authorized users get access to the Android app. There should be proper session timeouts and termination when the user logs out. It should also be ensured that the session tokens are carefully and securely exchanged and stored.   

Implementation of input validation and sanitization   

Common vulnerabilities such as SQL injection and Cross-Site Scripting (XSS) attacks could be prevented by implementing input validation and sanitization. These techniques ensure that user-supplied data meets the expected criteria or standards.   

The following is the command to implement input validation and sanitization through regular Java expressions:   

String userInput = getInputFromUser();   

if (userInput.matches(“[A-Za-z0-9]+”)) {   

    // Valid input   

    // …   

} else {   

    // Invalid input   

    // …   

}

Leverage ProGuard as a Java Obfuscator & App Optimizer  

Code could be obfuscated in Android apps by using a tool called ProGuard. This tool makes reverse engineering of the Android app difficult for hackers. It further reduces the app size, improving performance and reducing download times along with making it hard for hackers to find programming vulnerabilities.   

ProGuard could be enabled by adding the following lines to the build.gradle file:  

android {  

    // …  

    buildTypes {  

        release {  

            minifyEnabled true  

            proguardFiles getDefaultProguardFile(‘proguard-android-optimize.txt’), ‘proguard-rules.pro’  

        }  

    }  

}

Ensure regular updates and app services and dependencies testing  

Apps generally leverage external libraries and devices to carry out specialized tasks. As technologies evolve, it becomes imperative to constantly update and test your app for any vulnerabilities, or bugs or for the addition of the latest features.   

This could be done in two ways:  

  • Consult Google Play Services Security Provider  

The Google Play Services Security Provider offers secure implementation of cryptographic algorithms. Additionally, it ensures that your app is making use of the latest security patches as well as updates provided by Google. Therefore, verify and utilize it for better app security.   

A business needs to check if the app allows or if the Google Play Services Security Provider is available for it and leverage it for cryptographic operations by adding the following command:   

ProviderInstaller.installIfNeeded(context);  

Provider[] providers = Security.getProviders();  

for (Provider provider : providers) {  

    if (provider.getName().equals(“GmsCore_OpenSSL”)) {  

        // Use Google Play Services Security Provider  

        break;  

    }  

}
  • Updating all dependencies   

It is essential to update all dependencies used in the Android app to make sure that the latest and suitable bug fixes and security patches are added.   

Update the version numbers of your dependencies in your app’s build. gradle file in the following manner:     

dependencies {  

    implementation ‘com.example:library:1.2.3’  

}

Post this, make use of the Gradle build system in order to fetch and apply the updated dependencies by using the following command:  

 ./gradlew clean build  

By updating dependencies and checking the Google Play Services Security Provider, a developer or business could ensure that the Android app being built is secure and hence, would be used by millions without any safety doubts.   

Moreover, Indian developers or dedicated development teams from India specialize in developing secure and scalable Android apps. A business should just keep some factors such as analytical skills, industry experience, etc., in mind while hiring developers in India or abroad.   

Storage of only non-sensitive in cache files  

Other apps could access cache files; hence it is recommended to not store any sensitive information such as passwords, confidential data, etc., in the cache files. Cache files should only have non-sensitive information that is required for improved app performance.   

Partial access to photos and videos 

Android 14 allows users to have a bit more control over the media shared with the app. Users can allow apps to have access to selective photos and videos using the permission notification. This feature was lacking in Android 13 and earlier versions. These versions only allowed users to either share all media or not share at all, with a “yes” or “no” checkbox.   

Developers can enable this permission notification with the following commands: 

a. Request correct storage permissions in the Android manifest, depending on the OS version: 

<!-- Devices running Android 12L (API level 32) or lower  --> 
<uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE" android:maxSdkVersion="32" /> 
 
<!-- Devices running Android 13 (API level 33) or higher --> 
<uses-permission android:name="android.permission.READ_MEDIA_IMAGES" /> 
<uses-permission android:name="android.permission.READ_MEDIA_VIDEO" /> 
 
<!-- To handle the reselection within the app on Android 14 (API level 34) --> 
<uses-permission android:name="android.permission.READ_MEDIA_VISUAL_USER_SELECTED" /> 

b. Request the correct runtime permissions, also based on the OS version: 

// Register ActivityResult handler 
val requestPermissions = registerForActivityResult(RequestMultiplePermissions()) { results -> 
    // Handle permission requests results 
    // See the permission example in the Android platform samples: https://github.com/android/platform-samples 
} 
 
// Permission request logic 
if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.UPSIDE_DOWN_CAKE) { 
    requestPermissions.launch(arrayOf(READ_MEDIA_IMAGES, READ_MEDIA_VIDEO, READ_MEDIA_VISUAL_USER_SELECTED)) 
} else if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.TIRAMISU) { 
    requestPermissions.launch(arrayOf(READ_MEDIA_IMAGES, READ_MEDIA_VIDEO)) 
} else { 
    requestPermissions.launch(arrayOf(READ_EXTERNAL_STORAGE)) 
} 

Hide Preview in task manager 

Another way to enhance Android app’s security is to hide the app preview when switching from one app to another. And the simplest way to disable the app’s preview when it is showing in task switcher is through FLAG_SECURE. 

By enabling it, there just appears a blank screen for most devices. 

To enable it, create a base Activity class that all activities extend, containing this in the onCreate: 

protected void onCreate(@Nullable Bundle savedInstanceState) { 
    getWindow().setFlags(WindowManager.LayoutParams.FLAG_SECURE, WindowManager.LayoutParams.FLAG_SECURE); 
    super.onCreate(savedInstanceState); 
} 
 

Alternatively, you can also enable it on pause / resume by selection:  

override fun onPause() { 
    super.onPause() 
    getWindow().setFlags(WindowManager.LayoutParams.FLAG_SECURE, WindowManager.LayoutParams.FLAG_SECURE) 
} 
 
override fun onResume() { 
    super.onResume() 
    getWindow().clearFlags(WindowManager.LayoutParams.FLAG_SECURE) 
} 

Conclusion  

As per a report, 82% of Android devices were susceptible to at least one out of 25 vulnerabilities in the Android operating system, back in 2016.

Moreover, Sundar Pichai, head of Google’s Android team, on being asked about malware on the Android platform said:   

‘We cannot guarantee that Android is designed to be safe, the format was designed to give more freedom … If I had a company dedicated to malware, I should also be addressing my attacks on Android.’   

Thus, it becomes imperative for businesses going for Android app development to emphasize on security of the app for user trust and app success. Furthermore, it is equally important for Android developers to ensure that the programming has all the elements and components required for maximum app security.   

Businesses thus need to prioritize security in their Android app product roadmaps and hire a reliable name such as BigOh that has significant industry experience and relevant exposure to build highly secure, scalable, and practical Android apps.   

FAQs 

  1. What are the best practices for secure network communication?  

The network connection could be secured by:   

  • Addition of a network security configuration  
  • Creation of a custom trust manager  
  • Using HTTPS   
  1. Why is Android app security important? 

Android platform is designed to be more open and freer, and since it is the most famous operating system in the world, it attracts a lot of malicious activities and cyber-attacks. Hence, prioritizing security in your Android app is important.   

Leave a Comment