The latest International Data Corporation (IDC) Worldwide Quarterly Mobile Phone Tracker report revealed statistics along much-expected lines, with Android dominating the market with an 82.8% share in 2015 Q2. However, like every good thing, the Android platform faces the flak of being the most targeted when it comes to security.
Android as an operating system comes with built-in security features that significantly diminish the frequency and impact of app security issues. In fact, the Android OS is designed so that you can typically build your apps with default system and file permissions and avoid difficult decisions about security.
Considering that Android users are aware of platform weaknesses and application security, here are a few significant security flaws Android app developers need to avoid during Android app development:
Executing Input Validation
One of the most common security problems affecting Android applications is insufficient input validation. Android does have platform-level countermeasures that reduce the exposure of applications to input validation issues, and those features should be used wherever possible.
So, if you are using native code, any data read from files, received over the network, or received from an IPC has the potential to introduce a security issue. Here, the most common problems are buffer overflows, use after free, and off-by-one errors.
WHAT TO DO: Even though Android offers a number of technologies like ASLR and DEP to help reduce the exploitability of these errors, they do not necessarily solve the primary problem. Such vulnerabilities can be prevented by carefully handling pointers and managing buffers.
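As an added example (not code from the original article), the sketch below shows the buffer handling described above for native code that receives untrusted bytes from a file, the network or IPC. The record layout, the `parse_name` function and the sample bytes are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical record layout, constructed for this example:
 *   bytes 0..1 : payload length, big-endian (sender-controlled)
 *   bytes 2..  : payload bytes, not NUL-terminated                  */
enum parse_status { PARSE_OK = 0, PARSE_TRUNCATED, PARSE_TOO_LONG, PARSE_BAD_ARG };

/* Copies the payload into out as a C string.
 * out_cap is the full capacity of out, including the terminating NUL. */
enum parse_status parse_name(const uint8_t *buf, size_t buf_len,
                             char *out, size_t out_cap)
{
    if (buf == NULL || out == NULL || out_cap == 0)
        return PARSE_BAD_ARG;
    if (buf_len < 2)
        return PARSE_TRUNCATED;            /* header itself is incomplete */

    size_t claimed = ((size_t)buf[0] << 8) | buf[1];

    /* Never trust the sender's length: compare it with what actually
     * arrived. Subtracting on the right avoids integer overflow.      */
    if (claimed > buf_len - 2)
        return PARSE_TRUNCATED;            /* would read past the input */

    /* ">=" and not ">": one byte of out is reserved for the NUL.
     * Writing ">" here is the classic off-by-one error.               */
    if (claimed >= out_cap)
        return PARSE_TOO_LONG;             /* would write past the output */

    memcpy(out, buf + 2, claimed);
    out[claimed] = '\0';
    return PARSE_OK;
}

int main(void)
{
    char name[8];
    /* Constructed sample inputs. */
    const uint8_t good[]  = {0x00, 0x03, 'b', 'o', 'b'};
    const uint8_t lying[] = {0x00, 0x10, 'b', 'o'};   /* claims 16, sends 2 */
    const uint8_t exact[] = {0x00, 0x08, '1', '2', '3', '4', '5', '6', '7', '8'};

    printf("good  -> %d\n", parse_name(good,  sizeof good,  name, sizeof name));
    printf("lying -> %d\n", parse_name(lying, sizeof lying, name, sizeof name));
    printf("exact -> %d\n", parse_name(exact, sizeof exact, name, sizeof name));
    return 0;
}
```

The third sample fills the destination exactly and is still rejected, because accepting it would leave no room for the terminator.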
Mobile apps often process and store data locally – particularly those that offer the flexibility of offline sync. So, if input is not appropriately validated, these apps can easily fall prey to code injection attacks on the client side, which may vary in scope and severity subject to the knowledge level of the attacker and the authorization set for the application.
This kind of attack on mobile apps is not always foreseen by developers, as they are more attuned to the HTML injection and cross-site scripting that are common in web applications. Client-side code injection is a definite possibility in any app that accepts input; in Android, it could manifest as a piece of Java code passed through a text field that could unsettle the functioning of the app.
WHAT TO DO: Include validation of input fields into your Android security testing checklist.
Involuntary Data Leaks
One may not really believe that all data leaks are unintended. However, it is a fact that in spite of information loss due to sloppy and insecure data storage implementation, app developers are totally oblivious to this kind of data leakage. The risk of unintended data leakage refers to situations where a developer fails to realize that sensitive information is being stored, cached or logged elsewhere on the device. This may be easily accessible to other apps, malicious or otherwise – mostly as a side effect of peculiarities in the mobile OS.
WHAT TO DO: Try threat modelling of the operating system during security testing to see how it handles these features, so as to control the imminent danger. Even though copy/paste buffer caching cannot be avoided entirely, you can ensure during development that no sensitive data is copied into the buffer.
Weak Server-Side Controls
Server-side vulnerabilities are undeniably the most feared mobile security threats, and such flaws often arise from the delusion that a mobile OS takes full responsibility for security, resulting in developers failing to impose the security mechanisms they typically would in the case of a web application.
Consider that data residing on your application servers can be hacked, and every request from the app can be replicated or tampered with, with or without the help of a mobile phone. All that is required to cause the rumpus is an API requester, since most of these applications work on a REST API or SOAP API structure.
WHAT TO DO: Enforce secure coding practices at the server end. Harness experienced development partners to rule out server-side weakness arising out of cross-platform development.
Considered to be one of the most commonly adopted means of protecting sensitive information, cryptography is also implemented in mobile applications to encrypt information before it is stored or transferred. However, it is important to guard against broken or faulty encryption mechanisms, as liberties cannot be taken with sensitive data. A poor implementation can expose all of the information contained in your Android app, and it can result in code or information theft and violation of privacy as well.
WHAT TO DO: Choose the right algorithm, right key length, and correct implementation protocol.
What measures are you taking in your Android app development process to avoid security flaws in your Android app? We’d love to hear from you.