
How we improve the security of Android apps

Kathryn Wharton, Security

Cybercrime is something that affects every business in every territory in every sector across the world. 

It includes identity fraud, data theft, ransomware attacks, copyright infringement, phishing campaigns and an increasing number of ever-more sophisticated attacks on personal information. 

In 2020-21, 22% of UK companies reported experiencing a cyber security breach or attack at least once a month. The average cost of dealing with those attacks was £2,670 for UK businesses, while the average cost of managing a data breach worldwide grew to $3.86m.

Android applications were the third most commonly exploited application category (7.24%) globally in 2020, after Office applications (70.79%) and browsers (14.76%). 

This is why we take developing secure Android apps very seriously. Security is always considered in everything we build and is one of the most important elements of creating a successful, secure app for our clients and their users. 

We spoke to our senior Android developer and in-house security expert, Samuel Press, about the things we do to improve the security of our Android apps. 

It’s all about trust

We’ll never apologise for the level of focus we have on security. In fact, we’re pretty obsessed with making every product we create as secure as possible. 

For Samuel, it’s all about honouring the trust the user puts in our clients to keep their data safe. “By making your app more secure, you help to preserve user trust and device integrity. Your users trust you not to misuse their data and to keep it secure. It’s your responsibility to do that - and ours to help you find the most effective way to do it.”

When we built a mobile peer-to-peer mutual aid network for aidx that allowed those in developing countries to send, receive and pool money wherever they were in the world, security was paramount. Following a four-week discovery phase that featured in-depth market and user research, we developed secure pool member authorisation and disbursement features to complement the simple and elegant user interface of the app. Security was built into every part of the app without compromising the overall user experience. Find out more about our work with aidx here. 

4 ways we keep our Android apps safe

When we begin working with a client, we’ll look at the specific security threats that it might face in its sector or from its user base. Malicious users are constantly looking for weaknesses to exploit so our in-house security experts will address all of the possible risks your app might face. 

There are four main ways that we embed Android app security features in our mobile app development process:

Enforce secure communication

We make sure that sensitive information is handled securely. Users need to be reassured that their information will be kept safe. 

In practice this means using explicit intents for our own components, implicit intents only where a third-party app genuinely needs to handle the data, and content providers that are not exported unless another app must read from them. When we do hand data to another app we always show an app chooser, so the user picks the third-party app they trust rather than letting whichever app registered a matching intent filter receive it, and we restrict access to the app's content providers to the specific items and callers that need them. 

We ask for credentials, such as a password or login details, before showing sensitive information. This protects a user's data from anyone who picks up an unlocked device. 

When an app needs to talk to a server whose certificate is issued by a custom or private Certificate Authority (CA), we add a network security configuration that declares the trust anchors and certificate pins for those specific domains, or, where the configuration cannot express what is needed, a custom TrustManager. This lets the app decide whether the certificate a server presents should be trusted, and reject the connection if not, instead of extending trust to every CA in the device's store. 
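As an added example (not the agency's own configuration), here is a network security configuration of the kind described above. The host name, the bundled CA file `res/raw/private_ca.pem`, the expiry date and the pin values are placeholders; the file is referenced from the manifest with `android:networkSecurityConfig="@xml/network_security_config"` on the `<application>` element.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml (added example; host, CA file and pins are placeholders) -->
<network-security-config>
    <!-- Default for every domain not listed below: system CAs only, and no cleartext HTTP. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- Only this API host (and its subdomains) is trusted with the private CA. Because
         trust-anchors are given here, they REPLACE the system CAs for this domain, and the
         pin-set additionally requires the chain to contain one of the pinned public keys. -->
    <domain-config>
        <domain includeSubdomains="true">api.example.com</domain>
        <trust-anchors>
            <!-- res/raw/private_ca.pem: the client's internal CA, shipped inside the APK -->
            <certificates src="@raw/private_ca" />
        </trust-anchors>
        <pin-set expiration="2026-06-30">
            <!-- base64 SHA-256 of the certificate's SubjectPublicKeyInfo; placeholder values -->
            <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
            <!-- backup pin for the next key, so a planned rotation does not lock users out -->
            <pin digest="SHA-256">BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=</pin>
        </pin-set>
    </domain-config>

    <!-- Debug builds may trust a user-installed CA (for example, an interception proxy)
         so traffic can be inspected during testing. This block is ignored in release builds. -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>
</network-security-config>
```

Two things to check when using a configuration like this: the `expiration` date must be far enough ahead that a missed rotation degrades to unpinned (still CA-validated) connections rather than an outage, and there must always be a backup pin for a key that is not yet deployed.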

Provide the right permissions

We keep requested permissions to a minimum and only ask users to permit the features the app actually needs. Unnecessary permissions widen the damage an attacker can do if the app is compromised, and they give the user the impression that their data is being misused. 

We use intents to defer permissions. Rather than requesting a permission such as camera access ourselves, we send an intent and let an app that already holds the permission (the camera app, for instance) do the work and hand the result back, so the permission never appears in our manifest. 

When data does need to be shared with a third-party app (a PDF reader, for instance), it is shared through a content provider, and that app is granted access only to the specific item it needs, only for as long as it needs it. 
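The following is an added example, not the agency's code, showing both points above (and the non-exported content provider and app chooser from the secure communication section): taking a photo without declaring the camera permission, and handing a PDF to a viewer the user chooses with a one-file read grant. It assumes the AndroidX Activity and Core libraries, and a `FileProvider` declared as in the comment; the activity and file names are placeholders.

```kotlin
// Added example (not the agency's code). Requires in AndroidManifest.xml, inside <application>:
//
// <provider
//     android:name="androidx.core.content.FileProvider"
//     android:authorities="${applicationId}.fileprovider"
//     android:exported="false"
//     android:grantUriPermissions="true">
//     <meta-data android:name="android.support.FILE_PROVIDER_PATHS"
//                android:resource="@xml/file_paths" />
// </provider>
//
// and res/xml/file_paths.xml containing: <files-path name="docs" path="docs/" />
// Note what is absent: no <uses-permission android:name="android.permission.CAMERA" />.

import android.content.Intent
import android.graphics.Bitmap
import android.net.Uri
import android.widget.Toast
import androidx.activity.result.contract.ActivityResultContracts
import androidx.appcompat.app.AppCompatActivity
import androidx.core.content.FileProvider
import java.io.File

class StatementActivity : AppCompatActivity() {

    // Deferred permission: the system camera app already holds CAMERA, so we ask it to take
    // the picture and return a thumbnail instead of requesting the permission ourselves.
    private val takePhoto =
        registerForActivityResult(ActivityResultContracts.TakePicturePreview()) { bitmap: Bitmap? ->
            if (bitmap == null) {
                Toast.makeText(this, "No photo taken", Toast.LENGTH_SHORT).show()
            } else {
                onReceiptCaptured(bitmap)
            }
        }

    // Wire this to the "Scan receipt" button.
    fun captureReceipt() = takePhoto.launch(null)

    private fun onReceiptCaptured(bitmap: Bitmap) {
        // Process the bitmap in-app; it never touches shared storage.
    }

    // Share a PDF kept in internal storage (files/docs/), which other apps cannot read directly.
    // FileProvider issues a content:// URI for it, and the grant flag gives the app the user
    // picks read access to this one file only. The grant ends when the receiving activity
    // finishes, and the provider itself is not exported, so nothing else can enumerate the directory.
    fun openStatement(statementName: String) {
        val statement = File(File(filesDir, "docs"), statementName)
        val uri: Uri = FileProvider.getUriForFile(
            this,
            "$packageName.fileprovider",   // must match android:authorities in the manifest
            statement
        )
        val view = Intent(Intent.ACTION_VIEW).apply {
            setDataAndType(uri, "application/pdf")
            addFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION)   // read only; no write grant
        }
        // Always show the chooser so the user, not whichever app registered a matching
        // intent filter, decides which third-party app receives the document.
        startActivity(Intent.createChooser(view, "Open statement with"))
    }
}
```

`Intent.createChooser` copies the grant flags from the target intent onto the chooser, so the read grant reaches only the app the user selects. If no PDF viewer is installed the chooser shows the system's "no apps can perform this action" message rather than throwing.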

Store data securely

Users trust us to handle their data securely so we put several things in place to protect it. 

We store private data in internal storage, which Android sandboxes per app so that no other application can read it. Data held there is deleted automatically when the app is uninstalled. 

Data is written to external storage only when necessary, usually for large, non-sensitive files related to the app. Because other apps and the user can modify that storage, we verify the integrity of the data on every read by checking it against a hash that is kept in internal storage, where it cannot be altered along with the file. 

For small settings we open the app's SharedPreferences with MODE_PRIVATE, so the backing file is readable by our app only. MODE_PRIVATE is not encryption, though: the values sit in plain text under the app's data directory, so secrets such as tokens and keys are not stored there. 
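An added example, not the agency's code, of the three storage choices above in one class: internal storage for private data, app-specific external storage with a SHA-256 check for a large non-sensitive file, and a MODE_PRIVATE SharedPreferences file for UI state. It assumes an Android `Context`; the file and preference names are placeholders.

```kotlin
// Added example (not the agency's code). File and preference names are placeholders.

import android.content.Context
import java.io.File
import java.security.MessageDigest

class AppStorage(private val context: Context) {

    // 1. Private data: internal storage. Android sandboxes filesDir per app (each app runs
    //    under its own UID and owns its files), so no other app can read it, and the
    //    directory is wiped when the app is uninstalled.
    fun saveSessionNote(text: String) {
        File(context.filesDir, "session_note.txt").writeText(text)
    }

    // 2. Large, non-sensitive file in app-specific external storage. Other apps with storage
    //    access, or a user with a cable, can alter this directory, so the SHA-256 of the
    //    content is kept in INTERNAL storage (not next to the file) and checked on every read.
    fun saveCatalogue(bytes: ByteArray) {
        val dir = context.getExternalFilesDir(null) ?: error("external storage unavailable")
        File(dir, "catalogue.bin").writeBytes(bytes)
        File(context.filesDir, "catalogue.sha256").writeText(sha256Hex(bytes))
    }

    // Returns null if the file or its digest is missing, or the file has been tampered with.
    fun loadCatalogue(): ByteArray? {
        val dir = context.getExternalFilesDir(null) ?: return null
        val file = File(dir, "catalogue.bin")
        val digestFile = File(context.filesDir, "catalogue.sha256")
        if (!file.exists() || !digestFile.exists()) return null
        val bytes = file.readBytes()
        val expected = digestFile.readText().trim()
        return if (digestsMatch(sha256Hex(bytes), expected)) bytes else null
    }

    // 3. Small key/value settings. MODE_PRIVATE makes the XML file readable by this app only.
    //    It is NOT encryption: values are plain text under /data/data/<package>/shared_prefs,
    //    so tokens and keys do not belong here.
    fun rememberLastTab(tab: String) {
        context.getSharedPreferences("ui_state", Context.MODE_PRIVATE)
            .edit()
            .putString("last_tab", tab)
            .apply()
    }

    fun lastTab(): String? =
        context.getSharedPreferences("ui_state", Context.MODE_PRIVATE).getString("last_tab", null)

    private fun sha256Hex(bytes: ByteArray): String =
        MessageDigest.getInstance("SHA-256").digest(bytes).joinToString("") { "%02x".format(it) }

    // Constant-time comparison, so the check does not leak where the digests differ.
    private fun digestsMatch(actual: String, expected: String): Boolean =
        MessageDigest.isEqual(actual.toByteArray(), expected.toByteArray())
}
```

The important detail is where the digest lives: a hash stored beside the file in external storage can be rewritten by the same party that rewrites the file, so it proves nothing.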

Stay up to date

Cybersecurity is constantly evolving so it’s important that apps are able to keep up to date with new threats. 

We keep each app's dependencies up to date, because outdated libraries and services are where known vulnerabilities live, and we make sure the communication between the app and the external libraries and services it uses stays secure. 

For instance, we ask Google Play services to update the device's security provider (the SSL/TLS library the app's connections go through) before the app opens its first network connection. This patches known vulnerabilities in the provider even on devices that have not received a platform update; if the provider cannot be updated, the app shows the user an error rather than carrying on with an out-of-date one. All of our apps also prompt the user to update Google Play services itself when it is missing or too old, so the device keeps receiving the latest security updates. 
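An added example, not the agency's code, of the security provider update described above, using the `ProviderInstaller` API from Google Play services. It assumes the `play-services-base` dependency and an AppCompat activity; the activity name and the messages are placeholders.

```kotlin
// Added example (not the agency's code). Runs before the app opens any TLS connection.

import android.content.Intent
import android.os.Bundle
import android.widget.Toast
import androidx.appcompat.app.AppCompatActivity
import com.google.android.gms.common.GoogleApiAvailability
import com.google.android.gms.security.ProviderInstaller

class LaunchActivity : AppCompatActivity(), ProviderInstaller.ProviderInstallListener {

    private companion object {
        const val ERROR_DIALOG_REQUEST_CODE = 1
    }

    // Set only once the provider is confirmed current; network code checks it before connecting.
    @Volatile var networkReady = false
        private set

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        // Asynchronous so the UI thread is not blocked; the callbacks run on the main thread.
        ProviderInstaller.installIfNeededAsync(this, this)
    }

    // The security provider is up to date: safe to start network work.
    override fun onProviderInstalled() {
        networkReady = true
    }

    // Play services could not update the provider.
    override fun onProviderInstallFailed(errorCode: Int, recoveryIntent: Intent?) {
        val availability = GoogleApiAvailability.getInstance()
        if (availability.isUserResolvableError(errorCode)) {
            // Recoverable (Play services missing, disabled or out of date): show the standard
            // dialog, which sends the user to the Play Store update flow.
            availability.showErrorDialogFragment(this, errorCode, ERROR_DIALOG_REQUEST_CODE) {
                // Dialog cancelled without fixing the problem.
                onProviderUnavailable()
            }
        } else {
            onProviderUnavailable()
        }
    }

    override fun onActivityResult(requestCode: Int, resultCode: Int, data: Intent?) {
        super.onActivityResult(requestCode, resultCode, data)
        if (requestCode == ERROR_DIALOG_REQUEST_CODE) {
            // The user may have installed or updated Play services: try again.
            ProviderInstaller.installIfNeededAsync(this, this)
        }
    }

    private fun onProviderUnavailable() {
        // Fail closed: do not fall back to the device's old, possibly vulnerable TLS stack
        // for sensitive traffic. Tell the user and keep networkReady false.
        Toast.makeText(
            this,
            "This device's security components could not be updated. Please update Google Play services and try again.",
            Toast.LENGTH_LONG
        ).show()
    }
}
```

Keeping `networkReady` false on failure is the part worth copying: the point of the update is lost if the app quietly proceeds with the unpatched provider when the update does not happen.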

We update the app's native Android dependencies through the Android software development kit (SDK) releases, and we check third-party dependencies for security updates regularly. Doing this lets us identify and manage any risk an outdated dependency may pose before it is exploited. 

Get in touch

If you would like to discuss how we can improve the security of your Android app, get in touch with our team today. 

If you would like to keep up to date with the latest industry news then sign up to our monthly newsletter here.