
Testing and Securing Android Studio Applications

Mar 08, 2025 · 21 min

Episode description

This Book is the preface and table of contents from a book titled Testing and Securing Android Studio Applications. The book guides Android developers on debugging and securing their apps using Android Studio. It covers fundamental software security concepts, Android-specific security features, debugging tools (DDMS), vulnerability mitigation techniques, data privacy preservation, securing communications (HTTPS), authentication methods, and various testing methodologies. The authors provide practical examples and explanations, and the text also lists the book's reviewers and contributors. Additionally, it includes mentions of several external testing and security tools.

You can listen and download our episodes for free on more than 10 different platforms:
https://linktr.ee/cyber_security_summary

Get the Book now from Amazon:
https://www.amazon.com/Testing-Securing-Android-Studio-Applications/dp/1783988800?&linkCode=ll1&tag=cvthunderx-20&linkId=e11e0147a6507bc2f8f84326bdc4ae0c&language=en_US&ref_=as_li_ss_tl

Discover our free courses in tech and cybersecurity, Start learning today:
https://linktr.ee/cybercode_academy

Transcript

Speaker 1

Hey everyone, and welcome back to the Deep Dive. Today, we're diving headfirst into the world of Android app security. Ooh, exciting. It is, right? We've got these excerpts from Testing and Securing Android Studio Applications, so nice, and we're going to break it down, figure out how to make sure that your Android apps are as secure as Fort Knox. A mighty task, it is, but I think we can do it. You ready to get into it?

Speaker 2

Yeah, let's do it all right.

Speaker 1

So the book actually kicks off by talking about some core security concepts kind of like security one oh one. Yeah, that apply to all software, not just Android. Yeah, so things like access control, encryption, authentication.

Speaker 2

Yeah, the basics, the basics.

Speaker 1

It's interesting they emphasize this before even getting into like Android specifics.

Speaker 2

Yeah, it's really important to understand these kind of foundational pieces of security before you can even start to think about building a secure app. Yeah, because you know, we all have passwords, but what does it really mean for a password to be secure? What does it actually mean to authenticate yourself? How can you prove that you are who you say you are?

Speaker 1

Right?

Speaker 2

So those are the building blocks totally, and.

Speaker 1

The book actually quotes this guy, Boris Beizer, who's a software testing expert, and he says bugs lurk in corners and congregate at boundaries.

Speaker 2

Ooh, that's good.

Speaker 1

I feel like that's setting the stage for a whole lot of testing. It is.

Speaker 2

It means we have to test everything, yeah, because those bugs are going to be hiding.

Speaker 1

Yeah. All right, so we've talked about some of the foundational concepts. Now let's actually talk about Android specifically.

Speaker 2

Okay.

Speaker 1

So Android seems to have like a multi layered approach to security.

Speaker 2

Yeah, it does.

Speaker 1

The book describes it as like an Onion architecture, oh, the Onion, yeah, which I thought was interesting.

Speaker 2

Yeah. It's a good way to think about it, because each layer adds an extra level of protection.

Speaker 1

Okay.

Speaker 2

So at the very core, you have the Linux kernel, which provides some of the most fundamental security features. Okay, and then on top of that you have things like app sandboxing, permissions, application signing.

Speaker 1

Okay, So let's break those down a little bit. What is sandboxing?

Speaker 2

Okay? So sandboxing basically means that each app lives in its own little isolated environment okay, and this prevents apps from interfering with each other or accessing data that they shouldn't have access to.

Speaker 1

Oh, so it's all about isolation.

Speaker 2

Exactly, It's all about isolation.

Speaker 1

Got it? Okay? What about permissions? Permissions those pop up every time I install an app, Yes.

Speaker 2

Every time on my phone. So permissions are how Android controls what an app can and can't do.

Speaker 1

Okay.

Speaker 2

So if an app wants to access your camera, it has to ask you for permission.

Speaker 1

First, okay. So it's like a check and balance.

Speaker 2

Exactly, it's a checks and balances system.

Speaker 1

Gotcha, okay? And then what about application signing?

Speaker 2

Oh, application signing is how Android knows that an app is legitimate and that it hasn't been tampered with. So every app that's published to the Play Store has to be digitally signed, okay. And that's how your phone knows, okay, I can trust this app.

Speaker 1

So it's basically like a guarantee that it came from, like, a trusted source.

Speaker 2

A trusted source, no one's messed with it.

Speaker 1

Right, Okay? Cool. So it seems like Android has a lot of built in security features. It does, but the book also talks about how smartphones are constantly connected and that kind of creates more opportunities for attacks.

Speaker 2

Right. Our phones are basically mini computers in our pockets. They're connected to the internet almost all the time. Yeah, so that just gives attackers more ways to try to get in.

Speaker 1

Okay. So let's say you are a developer, Okay, you're building an Android app. What are some of the common vulnerabilities that you need to watch out for.

Speaker 2

Well, the book talks about three really big ones. Okay, input validation, SQL injection, and intent spoofing. Okay, let's start with input validation. So imagine you have an app that has a form, okay, and it's asking the user for their email address. Yeah, you need to make sure that the user is actually entering a valid email address. Oh okay, and not like trying to sneak in some malicious code or something.

Speaker 1

Is it like a pain to actually validate every single input it can be that a user could provide.

Speaker 2

But it's really important, okay, because without proper input validation, you're essentially leaving the front door to your app wide open. An attacker could exploit that to inject some harmful code or manipulate data to cause all sorts of problems.

Speaker 1

Okay, So input validation, that's something that developers really need to pay attention to absolutely. Okay. What about SQL injection?

Speaker 2

So SQL injection is a classic attack that exploits vulnerabilities in how an app interacts with a database. So let's say you have an app that allows users to search for products in a database. An attacker could craft a malicious search query. Oh. That, instead of returning search results, ends up deleting data from your database. Oh no, yeah, so it's a serious threat. Okay, the developers need to be aware.

Speaker 1

Of Okay, but are there ways to prevent it?

Speaker 2

Yes, thankfully there are, using things like parameterized queries, which essentially separate the user input from the actual SQL query itself.

Speaker 1

Okay, so it's like creating a barrier.

Speaker 2

Exactly, creating a barrier between the user's input and the sensitive part.

Speaker 1

Okay, gotcha. So input validation, SQL injection. Now what about intent spoofing?

Speaker 2

Whoa, intent spoofing sounds scary, it does.

Speaker 1

What is it?

Speaker 2

So intent spoofing is all about exploiting the way that Android apps can communicate with each other. Okay, so Android apps can send messages called intents to request actions or share information. An attacker can basically create a fake intent to trick an app into doing something it shouldn't.

Speaker 1

So it's like sending like a fake invitation to a party.

Speaker 2

Yes, exactly like that.

Speaker 1

Okay. So how can developers protect their apps against this?

Speaker 2

A couple of key things. One is to always use explicit intents whenever possible, okay, which means being very specific about which component should receive that intent. And the other one is to validate the data that's being received, make sure it's what you expect and that it hasn't been tampered with.

Speaker 1

Makes sense, all right? So I think we've covered a lot of ground here. We've talked about some foundational security concepts, how Android approaches security, and some of the most common vulnerabilities, the scary stuff. Yeah, but good to know, good to know. So I feel like we've built a pretty solid foundation here.

Speaker 2

We have. The walls are up, the doors are locked.

Speaker 1

All right, perfect, Now we need to think about protecting the data inside the house.

Speaker 2

Yes, that's next.

Speaker 1

So let's take a quick break and we'll be back to dive into the world of data privacy.

Speaker 2

Sounds good. So we've talked about building this secure house, right, thank you. Sure the walls are strong and the doors are.

Speaker 1

Locked, right, keeping those intruders out.

Speaker 2

Now, let's step inside and talk about protecting the valuables, those precious possessions. Data.

Speaker 1

Data privacy. It's such a hot topic these days, and for good reason. Users are trusting these apps with more and more of their personal information. Oh yeah, absolutely, So we really got to make sure we're treating it with care.

Speaker 2

Yeah, it's like being a bank. You need to make sure that you're keeping your customer's money safe.

Speaker 1

Right. So the book talks about all the different storage options available in Android. There's shared preferences, internal storage, external storage, databases, so many options. It's like a whole storage unit, it is, and you.

Speaker 2

Have to check the right storage unit for the right thing exactly.

Speaker 1

So let's start with shared preferences. I use this all the time for like user settings or app settings. Yeah, simple stuff. Are there any security risks with those?

Speaker 2

Well, shared preferences are really convenient for those small bits of data. Yeah, but they're not the best choice for sensitive information because by default, the data that's stored in shared preferences is unencrypted, ah, which means it's basically visible to anyone who has access to the device.

Speaker 1

So, like, if I'm storing a user's password or API key, shared preferences are out of the question.

Speaker 2

Definitely, you need a more secure storage option for that.

Speaker 1

Okay, So what about internal storage? Is that a step up?

Speaker 2

Internal storage is definitely more secure, okay, because the data is stored in your app's private data directory, okay, sandboxed and generally inaccessible to other apps. Gotcha, unless they have root access to the device.

Speaker 1

But what happens if an attacker gets root access?

Speaker 2

Well, if an attacker has root access, then it's basically game over. Oh no, they can access pretty much anything on the device.

Speaker 1

So even with internal storage, it's not a guarantee.

Speaker 2

Right, That's why we need encryption.

Speaker 1

Okay, So encryption is important no matter where we're storing it. Yes, what about external storage like an SD card?

Speaker 2

So external storage is typically used for data that's not specific to your app okay, so things like media files that you want users to be able to share. Yeah, but it's also the least secure option.

Speaker 1

Yeah, it seems like it because.

Speaker 2

Anyone can access it. So never store sensitive data on external storage makes sense?

Speaker 1

Now, what about databases?

Speaker 2

Databases are great for storing larger amounts of structured data, okay, and they offer a really good level of security, especially when you combine them with encryption.

Speaker 1

Always got to encrypt. So you keep mentioning encryption, Can you explain what it is and why it's so important?

Speaker 2

Yeah. So encryption is basically scrambling data into an unreadable format so that anyone who doesn't have the key to unscramble it just sees gibberish.

Speaker 1

So even if someone gets the data, it's useless without that key.

Speaker 2

Exactly.

Speaker 1

Okay, cool. Now you mentioned before there's like two types of encryption, symmetric and asymmetric. Yeah, can you break those down?

Speaker 2

Yeah. So symmetric encryption is like having one key that locks and unlocks the treasure chests. Okay, so anyone who has that key can access the data, gotcha. Asymmetric encryption is like having two keys, a public key and a private key.

Speaker 1

Okay.

Speaker 2

You use the public key to encrypt the data and the private key to decrypt it.

Speaker 1

Gotcha.

Speaker 2

So you can give anyone the public key, but only the person with the private key can actually see the data.

Speaker 1

It's like a super secret decoder ring exactly. But even with encryption, we still have to make sure those keys are safe.

Speaker 2

Right, absolutely. Key management is just as important as encryption itself.

Speaker 1

Okay, so what are some best practices for that.

Speaker 2

Ideally you want to avoid storing encryption keys directly on the device, Okay, If possible, you should send them to a secure server. So keep them somewhere else, Yeah, separate from the data.

Speaker 1

It makes sense. Well, what if, like sending the keys to a server isn't possible.

Speaker 2

Well, another option is to generate the key based on a password that the user has to enter each time they start the app. Okay, so the key is never actually stored anywhere permanently. Gotcha, but it's recreated each time.

Speaker 1

Interesting.

Speaker 2

Yeah, it's more secure, but it could be a little bit more inconvenient for the user.

Speaker 1

Right. It's always a balancing act, always a balancing act. Okay. So we've talked about protecting data at rest, Right now we got to think about protecting data when.

Speaker 2

It's moving around, data in transit.

Speaker 1

Yeah, exactly. And I think this is where HTTPS comes in.

Speaker 2

Yes, HTTPS is our.

Speaker 1

Friend, right. I always see that little padlock in the address bar. Yes, I feel like it makes me safe.

Speaker 2

It does. It means that the communication between your browser and the website is encrypted, okay, so anyone who's trying to eavesdrop can't see what's being sent.

Speaker 1

So it's like sending a postcard versus sending a sealed letter, right exactly. So if I'm building an app that handles sensitive data, HTTPS is a must.

Speaker 2

It is absolutely essential.

Speaker 1

So I'm kind of curious, how does HTTPS actually work? What's going on behind the scenes.

Speaker 2

Well, HTTPS is actually a combination of the standard HTTP protocol okay and something called SSL or TLS.

Speaker 1

Okay, SSL, we talked about that before, right, like when we were talking about certificates.

Speaker 2

Yes, you're right, SSL stands for Secure Sockets Layer, okay, and TLS is Transport Layer Security, okay, which is basically a newer, more secure version of SSL.

Speaker 1

Gotcha.

Speaker 2

But they both do essentially the same thing, which is to encrypt the communication between your app and a server.

Speaker 1

So they're like the bodyguards for our data.

Speaker 2

Yes, protecting it from those prying eyes.

Speaker 1

I like that. So when an app establishes an HTTPS connection, what actually happens?

Speaker 2

There's a handshake process okay, where the app and the server agree on which encryption algorithms to use and they exchange keys.

Speaker 1

Okay, So it's like a secret meeting.

Speaker 2

Yeah, the secret meeting.

Speaker 1

To make sure they're on the same page, and once that connection is established, then all the data.

Speaker 2

Is encrypted, exactly. It's like a secret tunnel.

Speaker 1

Okay. Cool. So we talked about certificates before, and I remember you mentioned a tool called keytool. Yes, what is that and how does that play into this?

Speaker 2

So digital certificates are like electronic passports that verify the identity of a website or a server, and keytool is a tool that you can use to create your own self-signed certificates.

Speaker 1

So like, if I'm a developer just getting started, I can create my own certificates to play with.

Speaker 2

Yes, exactly, and the book actually shows you how to do that. Awesome. Both through the command line and through Android Studio.

Speaker 1

Okay, handy, But even with HTTPS and certificates, things can still go wrong, right unfortunately?

Speaker 2

Yes, okay. Sometimes you might encounter a certificate that's self-signed, or it was issued by a certificate authority that's not recognized by Android.

Speaker 1

So it's like having a passport from a country that Android doesn't trust.

Speaker 2

Exactly. Yeah, in those cases, you need to explicitly tell your app to trust that certificate. Oh okay, otherwise you'll get an error.

Speaker 1

So we have to be careful about which certificate.

Speaker 2

Sweet, it's very careful. Always double check and make sure you're handling them correctly.

Speaker 1

Awesome advice. Okay, so we've covered a lot today, data at rest, data in transit, lots of security.

Speaker 2

Measures, layers upon layers.

Speaker 1

But we can't forget about one of the most important aspects of any secure system, which is authentication. Making sure we know who's at the door before we let them in.

Speaker 2

Yes, we've built the house, we've protected the valuables. Now we need to hire a good bouncer.

Speaker 1

Right, we'll be right back to talk all about authentication. Welcome back to the deep dive. We've talked about building a secure foundation, protecting data at rest and in transit, lots of layers. Now it's time to make sure we've got a.

Speaker 2

Strong front door authentication.

Speaker 1

Yes, so let's talk about some of the most common authentication methods out there.

Speaker 2

Right.

Speaker 1

The book starts with the classic, the tried and true username.

Speaker 2

And password, the old standby.

Speaker 1

But I feel like everyone knows this is not the most secure method.

Speaker 2

Yeah, it's definitely got its weaknesses. Passwords can be stolen, they could be guessed, they could be cracked.

Speaker 1

People are not great at picking good passwords. So what are some alternatives that we can use.

Speaker 2

Well, one that's becoming increasingly popular is multi factor authentication or MFA.

Speaker 1

Oh yeah, MFA, I've heard of that.

Speaker 2

It adds an extra layer of security, okay, by requiring users to provide more than just their password.

Speaker 1

Okay, So it's like having two locks on the door exactly.

Speaker 2

Okay, so even if someone gets past the first lock, they still need another key to get in.

Speaker 1

Gotcha. So MFA usually combines something the user knows, like a password, with something they have like a physical token or a code sent to their phone, right, or even something they are like a fingerprint or a face scan.

Speaker 2

Biometrics biometrics, Yeah, those again popular.

Speaker 1

Yeah, they're super convenient.

Speaker 2

They are convenient.

Speaker 1

But are there any downsides to using them?

Speaker 2

Yeah? There are some things to consider. For one thing, biometric data can be harder to change if it's compromised, that's true, And there are also privacy concerns about how that data is being collected.

Speaker 1

And stored, right, So always important to think about the trade offs. So the book actually walks through how to build a basic login system in Android. Okay, what are some key things developers should be thinking about when they're building something like that.

Speaker 2

Well, first and foremost, security has to be your top priority.

Speaker 1

Okay.

Speaker 2

Always use HTTPS to protect those credentials as they're being sent over the network, right, Never ever store passwords in plain text. Oh yeah, Always hash them using a strong hashing algorithm hashing.

Speaker 1

I remember we talked about that before. That's like a one way function, right exactly.

Speaker 2

You can't unscramble a hashed password, okay, so even if your database is compromised, the attacker can't actually see the passwords.

Speaker 1

Cool. Okay, And of course we already talked about MFA. That's always a good idea.

Speaker 2

Yeah, layers of security.

Speaker 1

Now, the book mentions something called account manager. What is that?

Speaker 2

So? Account manager is a class in Android okay that gives you access to the user accounts that are stored on the device. Okay, so things like Google accounts or accounts for other online services.

Speaker 1

It's like a central hub, gotcha, And you can use it to request authentication tokens you can, which is really cool.

Speaker 2

It is because it means the user doesn't have to enter their credentials over and over again. It just makes it smoother, much smoother.

Speaker 1

Okay. Cool, All right, so we've talked about authentication. Yeah, now let's move on to what I think is one of the most important parts of building secure software.

Speaker 2

Oh, I know what's coming.

Speaker 1

Testing.

Speaker 2

We have to test.

Speaker 1

We have to it's so important, it is. So the book talks about different types of testing unit testing. Yeah, let's start with UI testing. Why is that so important for security?

Speaker 2

Well? UI testing focuses on how a user interacts with the app's interface. Remember we were talking about those input validation vulnerabilities. UI testing can help.

Speaker 1

Us catch those, okay, So we can simulate a real user trying to break the app exactly and see if our input validation is actually working.

Speaker 2

Yes, And Android provides this great framework called UI Automator okay for creating automated UI tests.

Speaker 1

Cool, so we don't have to do it manually.

Speaker 2

Well, you can do it manually, but it's much easier to automate it. And there's also this cool tool called UI Automator Viewer okay, which lets you inspect the hierarchy of your.

Speaker 1

App's UI so we can see what's going on.

Speaker 2

Yeah, you can see all the different elements and how they're laid out.

Speaker 1

Okay, very cool. Now what about unit testing? How is that different?

Speaker 2

So unit testing is about testing individual components of your code in isolation. Okay, So you're not testing the whole app at once. Okay, you're testing each little piece.

Speaker 1

Gotcha. And Android uses JUnit for.

Speaker 2

This, yes, JUnit is the standard framework for unit testing in Java.

Speaker 1

Okay. But does Android have any like special tools or classes to help with that.

Speaker 2

It does. It has a bunch of classes and methods specifically for testing Android components. Cool, like activities and services.

Speaker 1

Oh, very cool. And you mentioned instrumentation before. What's that all about?

Speaker 2

So instrumentation is this really powerful mechanism that lets your test code interact with the app's life cycle. Okay, So you can start and stop activities, send simulated user inputs.

Speaker 1

So you have a lot of control. You have a lot of control, okay, awesome. And then JUnit provides those assertions, yes, to make sure that the app is doing.

Speaker 2

What we expect exactly.

Speaker 1

Now, the book also talks about mock objects. What are those?

Speaker 2

So mock objects are simulated versions of real objects, okay, that your code might depend on. Okay, so, for example, if your code interacts with a database, you can create a mock database, gotcha, so that your tests don't actually have to connect to a real database. Makes sense, which makes your tests run much faster and more reliably.

Speaker 1

Right, because we don't want our tests to be dependent on like the network or something exactly.

Speaker 2

And there are some great libraries for creating mock objects.

Speaker 1

Cool, like Mockito.

Speaker 2

Mockito's a popular one.

Speaker 1

Yeah, I've heard of that one. So we've got all these great tools and techniques for testing we do, but how do we actually run the tests?

Speaker 2

Well, Android Studio has a built in test runner Okay, that makes it super easy to run your tests and see the results.

Speaker 1

And it works with JUnit.

Speaker 2

Yes, it integrates seamlessly with JUnit. Awesome.

Speaker 1

All right, so it seems like Android Studio has everything we need.

Speaker 2

It does, And there are also a bunch of external tools that you can use if you want.

Speaker 1

Oh yeah, the book mentions like Spoon and Robolectric.

Speaker 2

Yeah, those are great for running your tests across multiple devices or on your computer without needing an emulator.

Speaker 1

Very cool. And then there's Monkey.

Speaker 2

Oh. Monkey Monkey is so much fun.

Speaker 1

It throws chaos at the app.

Speaker 2

It does. It basically just simulates random user interactions, sees if it breaks, and sees if it breaks.

Speaker 1

That's awesome. Wow, this has been quite a deep dive has into the world of Android app security. We've talked about so much, so much, building a secure foundation, protecting data, secure communication, authentication, and of course testing everything. I feel like I've learned so much.

Speaker 2

Me too, And the biggest takeaway for me is that security is a journey, not a destination.

Speaker 1

That's a good way to put it.

Speaker 2

It's something you have to be thinking about constantly.

Speaker 1

Yeah, and always staying up to date with the latest threats. Awesome. Well, if anyone wants to learn more about the stuff we've talked about today, yeah, the book we've been using, Testing and Securing Android Studio Applications is a great resource.

Speaker 2

It is, and there's also a ton of information online and a really active Android developer community.

Speaker 1

So many resources. Awesome. Well, thanks for joining me on this deep dive.

Speaker 2

This was fun.

Speaker 1

I had a great time. Until next time, happy coding everyone.

Transcript source: Provided by creator in RSS feed: download file