Encryption keys should not be hardcoded (KeyStore, ‘FireAndForget’ key)
Shared preferences should not be MODE_WORLD_READABLE/WRITABLE (deprecated in API level 17)
Transport Layer Protection
OWASP Mobile Top 10 (Cntd.)
M3: Insufficient Transport Layer Protection
General transport layer protection practices
● SSL/TLS (TLS 1.2 preferred) with a strong cipher suite & appropriate key lengths
● Certificates issued by a trusted CA provider
● SSL chain verification / hostname verification
● Always alert the user if any validation fails
When possible, do application level encryption before sending data over transport layer (avoid future transport layer vulnerabilities)
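The practices above, in working code. This is an added example written for this page, not code from the deck: a plain-JSSE client that pins the protocol to TLS 1.2, restricts cipher suites to an allow-list (the suite names chosen here are an assumption; match them to what the backend offers), keeps the platform CA chain validation, turns on hostname verification in the handshake itself, and surfaces any failure to the user instead of falling back. `UserAlert` is an assumed UI hook standing in for a Toast or dialog.

```java
import java.io.IOException;
import java.security.GeneralSecurityException;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public final class StrictTlsClient {
    // Allow-list of forward-secret AEAD suites. Constructed for this example; tune to the backend.
    private static final String[] STRONG_SUITES = {
        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    };

    /** Opens a TLS 1.2 connection to host:port with chain and hostname verification enforced. */
    public static SSLSocket connect(String host, int port) throws IOException, GeneralSecurityException {
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        // null key/trust managers = platform trust store, so the CA chain is validated by JSSE.
        ctx.init(null, null, null);
        SSLSocketFactory factory = ctx.getSocketFactory();
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);

        SSLParameters params = socket.getSSLParameters();
        params.setProtocols(new String[] {"TLSv1.2"});     // no SSLv3 / TLS 1.0 / 1.1 fallback
        params.setCipherSuites(STRONG_SUITES);
        // Hostname verification (RFC 2818) performed inside the handshake, not left to the caller.
        params.setEndpointIdentificationAlgorithm("HTTPS");
        socket.setSSLParameters(params);

        socket.startHandshake();   // throws on chain, hostname, protocol or suite mismatch
        return socket;
    }

    /** Caller-side policy: a failed validation is reported to the user, never silently retried insecurely. */
    public static boolean tryConnect(String host, int port, UserAlert alert) {
        try (SSLSocket s = connect(host, port)) {
            return true;
        } catch (SSLHandshakeException e) {
            alert.show("The secure connection to " + host + " could not be verified.");
            return false;
        } catch (IOException | GeneralSecurityException e) {
            alert.show("The secure connection to " + host + " failed.");
            return false;
        }
    }

    /** Assumed UI hook; a Toast or dialog in a real app. */
    public interface UserAlert {
        void show(String message);
    }

    public static void main(String[] args) {
        String host = args.length > 0 ? args[0] : "example.invalid"; // placeholder host
        boolean ok = tryConnect(host, 443, System.err::println);
        System.out.println(ok ? "handshake verified" : "connection refused by policy");
    }
}
```

`setEndpointIdentificationAlgorithm` is available on Android from API 24; on older levels `HttpsURLConnection` applies hostname verification by default, and the point of the example is that this check must never be replaced by a verifier that returns true.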
M4: Unintended Data Leakage
● Keyboard caching / suggestions
○ For non-password information: android:inputType="textNoSuggestions"
○ For passwords: android:inputType="password"
● Analytics data
● Logs (!)
M5: Poor Authorization and Authentication
● Never persist credentials locally
● Avoid spoofable values during authentication (MAC/IMEI)
● Ensure authorization controls cannot be bypassed
● Token-based authentication with backend APIs (OAuth 2)
○ Google "Dulanja API Security"
● Discourage use of 4-digit or all-digit pass-codes
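A passcode policy check for the last bullet, added here as an example and not taken from the deck. It returns the reason a candidate pass-code is weak so the enrollment screen can warn the user. The six-character minimum is an assumption (the slide only says 4-digit codes should be discouraged), and the repeated-character and sequential-run checks go beyond the slide's two rules.

```java
import java.util.Optional;

public final class PasscodePolicy {
    // Assumed minimum; the page only states that 4-digit codes should be discouraged.
    private static final int MIN_LENGTH = 6;

    /** Returns a human-readable weakness, or empty if the pass-code passes every check. */
    public static Optional<String> weaknessOf(String passcode) {
        if (passcode == null || passcode.length() < MIN_LENGTH) {
            return Optional.of("too short: use at least " + MIN_LENGTH + " characters");
        }
        if (passcode.chars().allMatch(Character::isDigit)) {
            return Optional.of("all digits: mix in letters or symbols");
        }
        if (passcode.chars().distinct().count() == 1) {
            return Optional.of("a single repeated character");
        }
        if (isSequential(passcode)) {
            return Optional.of("a keyboard or alphabet sequence");
        }
        return Optional.empty();
    }

    /** True when every character is exactly one step up (or every one exactly one step down) from the previous. */
    static boolean isSequential(String s) {
        int step = s.charAt(1) - s.charAt(0);
        if (step != 1 && step != -1) {
            return false;
        }
        for (int i = 2; i < s.length(); i++) {
            if (s.charAt(i) - s.charAt(i - 1) != step) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample inputs for the demonstration.
        String[] samples = {"1234", "123456", "aaaaaa", "abcdef", "fedcba", "r4Gs!9k"};
        for (String p : samples) {
            System.out.println(p + " -> " + weaknessOf(p).orElse("accepted"));
        }
    }
}
```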
M6: Broken Cryptography
M7: Client Side Injection
SQL injection (SQLite), XSS, file inclusion
M8: Security Decisions Via Untrusted Inputs
Intents
PackageManager.getLaunchIntentForPackage(String packageName)

```java
// Explicit intent: naming the component means the system resolves it to exactly that
// activity rather than to whichever app registered a matching filter.
Intent intent = new Intent(Intent.ACTION_MAIN);
intent.setComponent(ComponentName.unflattenFromString("com.example.app/com.example.app.ExampleAction"));
intent.addCategory(Intent.CATEGORY_LAUNCHER);
intent.setFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
intent.putExtra("SESSION_DATA", sessionData);
startActivity(intent);
```
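The snippet above is the sending side. The receiving activity is where M8 bites: any extra in an incoming intent is untrusted input, and no authorization decision should rest on it. The example below is added for this page and is not from the deck. It shows `ExampleAction` (the component named in the slide) validating the shape of `SESSION_DATA`, checking the caller's package where one is available, and leaving the real authorization decision to the server-side session. `TRUSTED_CALLER`, `isValidSessionToken` and `loadSession` are assumptions introduced for the example.

```java
import android.app.Activity;
import android.content.ComponentName;
import android.content.Intent;
import android.os.Bundle;

public final class ExampleAction extends Activity {
    private static final String EXTRA_SESSION_DATA = "SESSION_DATA";   // key from the slide's snippet
    private static final String TRUSTED_CALLER = "com.example.app";    // assumed trusted package

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Intent intent = getIntent();

        // 1. Treat the extra as untrusted: check type and shape before using it at all.
        String sessionData = intent.getStringExtra(EXTRA_SESSION_DATA);
        if (!isValidSessionToken(sessionData)) {
            finish();
            return;
        }

        // 2. Where the caller is identifiable (startActivityForResult), require a known package.
        //    getCallingActivity() is null for plain startActivity(); then only step 3 protects us.
        if (!isTrustedCaller()) {
            finish();
            return;
        }

        // 3. The security decision is made by the backend session, never by an extra
        //    such as a hypothetical "IS_ADMIN" boolean that any sender could set.
        Session session = loadSession(sessionData);
        if (session == null || !session.isAuthorizedFor("example-action")) {
            finish();
            return;
        }
        // ... proceed with the authorized action ...
    }

    private boolean isTrustedCaller() {
        ComponentName caller = getCallingActivity();
        return caller != null && TRUSTED_CALLER.equals(caller.getPackageName());
    }

    /** Tokens are opaque, URL-safe strings of bounded length; anything else is rejected. Assumed format. */
    static boolean isValidSessionToken(String s) {
        return s != null && s.matches("[A-Za-z0-9_-]{32,128}");
    }

    /** Looks the token up against the server-backed session store; assumed helper, returns null if unknown. */
    private Session loadSession(String token) {
        return Session.lookup(token);
    }

    /** Assumed session abstraction backed by the server's view of the user's permissions. */
    interface Session {
        boolean isAuthorizedFor(String action);
        static Session lookup(String token) {
            return null; // assumed: resolved against the backend in a real app
        }
    }
}
```

The ordering matters: input validation first, caller check second, and the authorization lookup last, so that a malformed or foreign intent is discarded before it reaches any privileged code path.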