The lack of Android security guidelines or standards at most market places makes it difficult to manage security controls at the application level. Having a strong security checklist in place improves not only app security but also the ecosystem involved in the development process. Robust security standards and well-defined guidelines also differentiate a platform from its competitors.
This Android checklist can help you become a leading market place in terms of application security.
Android Security Guidelines:
1. SSL implementation check
Checking the SSL implementation is key for most apps. A correct implementation (valid certificate validation, no trust-all managers or hostname checks disabled) protects the app from MITM attacks and secures communication between the mobile app and the server.
2. Sensitive information management at client side
An app should never store sensitive information such as encryption keys, usernames or passwords in SharedPreferences, files or other local storage, nor leave it lingering in memory. If an application must store sensitive information in a database, encrypting the database with the SQLCipher library is advised. Every piece of sensitive information the app handles should be accounted for before the app is uploaded to the market place.
3. Code obfuscation
Strong code obfuscation standards should be in place. Applications should encrypt or obfuscate their code to raise the cost of reverse engineering.
4. Obsolete cryptographic libraries identification
Apps should always use current cryptographic algorithms that are considered safe and recommended. App developers should not write their own implementations of cryptography; use well-reviewed libraries instead.
5. Validation checks at both client side and server side
Developers sometimes perform validation only on the client side. This leaves the server exposed to requests that have been tampered with in transit (MITM attacks), since client-side checks can simply be bypassed. Check that input validation is enforced on the server in every scenario.
6. Input sanitisation
Sanitise user input to strip malicious characters. Apps should use whitelisting, that is, a list of allowed characters, rather than trying to enumerate bad ones.
7. Encode and decode
Apps should always use a standard encoding when encoding user input on the client side, and implement a matching decoding mechanism for data the client receives from the server. All encoding and decoding standards will be tested.
8. Implement checksums and tokens
A best practice for developers is to implement checksums on the data passed from the client to the server so its integrity can be verified. Implement anti-CSRF tokens to protect the app from CSRF attacks.
9. Secure response headers
Check that the server returns secure response headers for the app's API endpoints.
10. Authorisation testing
Test authorisation at every level. Access to server-side resources should be properly configured based on the user roles defined in the application.
11. Session management
Sessions should be properly implemented to avoid session-based attacks. Developers should generate random session identifiers and make sure sessions are terminated after a fixed time period or after a period of inactivity. It is important to check that sessions expire after logout; otherwise the previous session can be reused for account takeover.
12. Protect the OS components
Check that android:exported="false" is set on the components of the Android application (activities, services, broadcast receivers and content providers) that other applications are not supposed to interact with.
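As an added example (not from the original article), the manifest excerpt below shows what a reviewer should look for when checking item 12. The package, class and permission names are hypothetical placeholders.

```xml
<!-- Added example: hypothetical AndroidManifest.xml excerpt illustrating the
     exported attribute. Package, class and permission names are placeholders. -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.checklistdemo">
    <!-- Custom signature-level permission: only apps signed with the same
         key as this one can hold it. -->
    <permission
        android:name="com.example.checklistdemo.permission.INTERNAL"
        android:protectionLevel="signature" />
    <application android:label="ChecklistDemo">
        <!-- The launcher activity has an intent filter, so it must be
             exported for the launcher to start it. On API 31+ the attribute
             is mandatory whenever an intent filter is present. -->
        <activity
            android:name=".MainActivity"
            android:exported="true">
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />
                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>
        <!-- Internal screen: no other app should be able to launch it. -->
        <activity
            android:name=".AccountSettingsActivity"
            android:exported="false" />
        <!-- Receiver meant for a companion app from the same vendor:
             exported, but gated by the signature permission declared above. -->
        <receiver
            android:name=".PartnerEventReceiver"
            android:exported="true"
            android:permission="com.example.checklistdemo.permission.INTERNAL">
            <intent-filter>
                <action android:name="com.example.checklistdemo.PARTNER_EVENT" />
            </intent-filter>
        </receiver>
        <!-- Content provider holding app data: keep it private. -->
        <provider
            android:name=".LocalDataProvider"
            android:authorities="com.example.checklistdemo.provider"
            android:exported="false" />
    </application>
</manifest>
```

When reviewing older apps, remember that a component with an intent filter and no explicit android:exported attribute was exported by default before API level 31, so the absence of the attribute is itself a finding.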
13. Implementing password policy
Most mobile apps still use weak password policies. Requiring a minimum password length of 8 and making sure the password contains at least one numeric, one uppercase, one lowercase and one special character raises the baseline of password strength on the user's side.
14. Implement Captcha
To mitigate brute-force attacks, apps should implement reCAPTCHA from Google on login and other sensitive forms.