Android Security for Developers
Security is frequently an afterthought in many software projects – perhaps too frequently. Sometimes there is merely no budget for security, whether it’s for developer training or for third-party experts. Unfortunately, the cost of such oversight is often much higher than the initial investment would have been. Design was in a similar position in the past, but many in the industry have realized that you can’t just “apply design” at the end of the project. Similarly, security may have a profound impact on some of the technical decisions made early in the project.
As developers, we usually think of security from the perspective of the platform and applications, but we should not forget the humans for whom we create our applications.
Know Thy Platform Security
Apple publishes the iOS Security White Paper for every major release of iOS, and Google publishes the annual Android Security Year in Review. With every update, they each also publish the release notes that contain the details of security fixes.
Half a Billion Marshmallows
For security conscious developers the information gleaned from Google’s annual report can help in making some important decisions. For example, it might be useful to consider setting
minSdkVersion to 19 (KitKat or version 4.4) or even higher, since only Android versions 4.4.4 and later receive the monthly security patches. In 2016, over 50% of devices received platform security updates. While the percentage may seem low, given the sheer number of Android devices, 1.4 billion, this translates to more than 735 million updated devices. In fact, the installed base of Android puts certain numbers into perspective. While “only” 34.1% of devices run Marshmallow or later, expressed in units instead of percentage it equals to over 475 million devices. Given the estimates of the number of active iOS devices (630 million iPhones), the number of devices on Marshmallow and later is beginning to look like a very sizable market.
What’s so special about Android Marshmallow? It introduced a number of very important security features
Runtime permissions not only dramatically improve user experience, but could also increase the percentage of users that update your app.
- Fingerprint authentication encourages more people to enable screen lock protection.
- Disk encryption is now required for all capable devices that ship with Marshmallow.
- Support for encryption keys residing in secure hardware make key material extraction even more difficult.
Android Nougat continued building on what Marshmallow started and added significant security upgrades, including media server hardening, direct boot and file-based encryption, and the improved system update process. Newer devices will benefit from the seamless updates feature, which performs system updates in the background on a separate partition. This way, Nougat can boot the updated version much faster so that users don’t have to wait for ages before their phone is ready to use again.
One of the big Android O features that has a serious impact on user security is the Prefill API. AgileBits, the maker of 1Password, already showed off a proof-of-concept integration, since making it easier for users to adopt the practice of using password managers means improved security.
Google offers some good resources for Android developers, including best practices for security & privacy, security tips and App Security Checklist. In addition, Android Security Bulletins are useful for staying aware of the state of platform security.
OWASP (Open Web Application Security Project) started its life covering security for web applications, but gradually grew to include various platforms, including mobile. OWASP Top 10 Risks and OWASP Android Testing Cheat Sheet are good starting points for evaluating an application quality from the security perspective.
Security and privacy are more important to people now than ever before. You may want to share some things, like what you’re eating for lunch and pictures of your dog, to millions of your Instagram and Snapchat followers, but you probably don’t want to share your bank account credentials or social media passwords. So, some things are worth keeping secret.
In 2015 Google published the results of their research into security practices that are recommended by security experts and non-experts alike. It turns out these two groups have a different take on the importance of various practices.
|1. Use Antivirus Software||1. Install Software Updates|
|2. Use Strong Passwords||2. Use Unique Passwords|
|3. Change Passwords Frequently||3. Use 2-Factor Authentication|
|4. Only Visit Websites They Know||4. Use Strong Passwords|
|5. Don’t Share Personal Information||5. Use a Password Manager|
Other than the use of strong passwords, the security tips are very different. While at first glance some of the suggestions by amateurs may seem to make sense, they offer less security than the experts’ advice. For example, in some cases antiviruses may even lower your security. Changing passwords frequently also lowers security, since many users end up using passwords that are easier to remember and to guess.
The top 5 practices recommended by experts could be condensed to just top 3, since many password managers’ functionality takes care of creating unique and strong passwords. Of course there are additional practices that are important, such as backups, VPN, and signing up for password hacking/leak notifications.
As developers, we should encourage these best practices, both by educating our friends and families, and by making software that is friendly to these practices.
Best Practices and Caution
Using unique passwords together with 2-factor authentication significantly reduces users’ risk. Since many people reuse the same password across multiple sites, a hack of one of these sites makes their other accounts vulnerable. So, if you’re still reusing passwords, it’s time to get a good password manager and start changing passwords.
You can use your password manager for more than just passwords – for example, you should probably keep your security questions unique across websites. Of course, it’s possible to exercise good password discipline without using password managers, it would require a little bit more effort but may be worth it if you’re concerned about the password manager’s security.
Backups, done properly, will help not just in cases of accidental loss of data, due to broken or lost devices, but also in cases of data loss due to ransomware. The Backup 3-2-1 rule helps protect against the possible unfortunate situation when malware/ransomware infects the backup drive that was connected to the infected PC.
VPN (virtual private network) software helps you when you are using an unsecured Wi-Fi at a cafe or in a hotel. When using public Wi-Fi, all your non-HTTPS traffic is fully visible to anybody on the same network. While many websites are moving towards using HTTPS, there are still others that allow regular HTTP.
You do have to be careful when selecting VPN software. On Android, 84% leak user traffic and 18% of VPN apps don’t even encrypt the traffic, something that the VPN is supposed to do by definition. What’s worse, 38% of them inject malware, further endangering their users. So, do your research and avoid bad ones, those that effectively offer no security.
Software updates are the unsung heroes of security practices. Many vendors issue regular security patches even to older versions of their software. For example, Android monthly security patches are released for Android 4.4.4 and later. Of course, some of the more fundamental security updates require upgrades to the latest major version of the OS.
Getting software from known sources also helps keep malware at bay. Even though the Play Store has been doing a great job of detecting and removing PHA (Potentially Hazardous Apps), sometimes malware sneaks in anyway.
Making Mobile a Safer Place
Airline safety rules dictate that in case of emergency you should put on your own oxygen mask first before helping others. Similarly, you should practice safety and security yourself first, and then help make the lives of the users of your apps more secure.
Update your software, especially the OS and browsers. If you’re not running the latest iOS (10.3.1 as of April 3, 2017) on your iPhone or the latest April security patches on your Android phone, you’re leaving yourself open to attacks.
Once you’ve updated your devices, look for opportunities to make your users more secure. Adopt secure coding practices, stay informed of the platform security updates, audit your code, and keep learning. Stay tuned for more information on security as we continue to dive into the subject.