The widespread adoption of Android by a vast range of devices from very different price niches has led to a huge market. Businesses that want to stay visible and engaged with their clients (or employees) have to ensure they have mobile apps among other things. Choosing a trustable app development company, however, might be a challenge. Nix Solutions is a web and mobile software development company and a top rated member of Upwork (joined in 2002) with a 98% rate of job success and about $10 million earned on more than 2100 jobs.
The GitHub open source portfolio of the company can be found at https://github.com/nixsolutions/portfolio. Given that the company also has expertise in Android development, below is a general overview of the most prominent security issues related to the platform, as observed by the company.
Poor API Management
A coding issue that deserves separate mention is the problem of APIs. Given that these are responsible for integrated functionality and data exchange between applications, users, clouds, and given the fact that these can be reused from other parties, developers must be very aware of the types of data these exchange and the potential security vulnerabilities.
Missing Binary Protection
If this is absent, the code can be reverse engineered in order to introduce poor quality or even malicious sequences (malware, viruses), with resulting impaired user experience, impaired software manufacturer image, or even financial fraud and user data theft. Thus, various binary hardening techniques need to be employed, such as checksum detection, jailbreak detection, debugger detection, etc. In addition, code obfuscation and encryption should be used.
Insecure Data Storage
Given that native apps store all of the data and functional code on the device, these are way more vulnerable to exploitation and viruses compared to web applications. In addition, theft of the user’s device can result in personal data misuse, with all of the consequences that can result from this. A wise solution would be to implement an additional level of encryption on top of that coming with the OS or at least storing user data and files in encrypted containers.
Despite the encryption efforts, developers might make some mistakes that would allow ill-intentioned parties to decrypt sensitive data. Common reasons for this include insecure encryption algorithms, custom protocols, or an excessive dependence on in-built encryption. Obviously, the solution is to use strong, acknowledged encryption protocols coupled with an efficient implementation.
Poor Cache Management
One potential mistake is to leave the cache unprotected and to allow sensitive data to be stored here. To counteract this, a smart cache cleaning cycle must be implemented. The same refers to log and browser cookie management.
Poor Use of Authentication Measures
Devices nowadays have many features enhancing security, such as fingerprint scanners and face identification (besides traditional features, such as passwords, gesture unlock, etc.). Hence, it is a good idea to use the most secure features available to date (or a combination of them) without obstructing user experience. Of particular importance is the implementation of access tokens (users are not required to introduce the login credentials each time they access the app) such as: JSON web tokens, OAuth2, OpenID Connect.
Insecure Network Connections and Poor Server Security
Data that is exchanged between the application server and the user, or the user and the Internet has to be protected from third parties or from accidental leaks. Some recommendations include:
⦁ establishing encrypted connections by means of VPN,
⦁ implementing certificate pinning,
⦁ contracting the services of a network security company to perform penetration testing,
⦁ encrypting user databases (on servers).
Poor Session Handling
The concept typically denotes those situations when users are not being logged out from their sessions when this should be appropriate, resulting in excessively long sessions, which come with risks and potential for exploitation (if access tokens are stolen or the device is stolen). One solution is to request user credentials (e.g., passwords) additionally for any important action within the app.
Insufficient Security Testing
Many errors are introduced due to insufficient testing of the app’s code. Developers need to test their code for vulnerabilities (using device and browser emulators). Also, the security testing employed by Google Play when approving the app is not an all-encompassing solution, thus requiring additional measures by developers.
If you have a development project in mind and are looking for a company to execute the job with all of the security measures appropriately implemented, feel free to explore Nix Solutions reviews by more than a 100 clients who have already contracted their services.
We thank Nix Solutions for sponsoring this post. Our sponsors help us pay for the many costs associated with running XDA, including server costs, full time developers, news writers, and much more. While you might see sponsored content (which will always be labeled as such) alongside Portal content, the Portal team is in no way responsible for these posts. Sponsored content, advertising and XDA Depot are managed by a separate team entirely. XDA will never compromise its journalistic integrity by accepting money to write favorably about a company, or alter our opinions or views in any way. Our opinion cannot be bought.