Entersoft Essentials: Security Guidelines to Secure Your Android App


Mobile app security checklist
A lack of security standards in any market makes it hard to manage security controls at the application level. Having a strong security checklist in place not only improves app security but also improves the ecosystem involved in the development process. Robust security standards and well-defined guidelines also differentiate a platform from the others.

This checklist can help you become a market leader in terms of application security.

1. SSL implementation check

Checking the SSL implementation is the most important step for many apps. It protects the app from MITM attacks and secures communication between the mobile app and the server.

2. Sensitive information management at client side

An application should never store sensitive information such as encryption keys, usernames or passwords in shared preferences, files or any other local storage or memory. If an app must store sensitive information in a database, encrypting the database with the SQLCipher library is recommended. Sensitive information must be handled securely before the app is uploaded to the market.

3. Code obfuscation

Strong code obfuscation standards should be in place. Applications should encrypt or obfuscate their code to hinder reverse engineering.

4. Obsolete cryptographic libraries identification

Apps should use the latest cryptographic algorithms that are considered safe and recommended. Developers must avoid rolling their own implementation of cryptography.

5. Validation checks at both client side and server side

Sometimes developers perform validation only on the client side. Because client-side checks can be bypassed, this leaves the server at risk of MITM attacks. Check for input validation in all possible scenarios.

6. Input sanitisation

Sanitise user input to remove malicious characters. Apps should use whitelisting to define the set of allowed characters.

7. Encode and decode

Apps should always use a standard encoding for user input sent from the client side, and implement the corresponding decoding mechanism so that data sent by the server side is decoded correctly on the client. All encoding and decoding standards should be tested.

8. Implement checksums and tokens

A best practice for developers is to implement checksums on data passed from the client to the server in order to verify the integrity of the data. Implement tokens to protect the app from CSRF attacks.

9. Secure response headers

Check that secure response headers are implemented.

10. Authorisation testing

Test authorisation at every level. Server-side resources should be properly configured according to the user roles defined in the application.

11. Session management

Sessions must be implemented properly to avoid session-based attacks. Developers should generate random session identifiers and ensure that sessions are terminated after a set period of time or after a period of inactivity. Check that sessions expire after logout; otherwise a previous session can be reused for account takeover.

12. Protect the OS components

Check that exported=false is set on the components of the Android application wherever other applications are not meant to interact with those components.
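An AndroidManifest.xml fragment, added here as an illustration and not taken from the original article, showing the exported check applied per component type; the package, class and permission names are constructed placeholders. From Android 12 (API level 31) the platform refuses to install an app whose components declare an intent-filter without an explicit android:exported value, so the launcher activity below sets it to true deliberately while everything else is kept private.

```xml
<!-- Constructed example manifest; all names are placeholders -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android">

    <!-- Signature-level permission: only apps signed with the same key can hold it -->
    <permission
        android:name="com.example.app.permission.INTERNAL"
        android:protectionLevel="signature" />

    <!-- Disallowing cleartext traffic also supports item 1 (SSL check) -->
    <application
        android:label="@string/app_name"
        android:usesCleartextTraffic="false">

        <!-- Launcher entry point: must be exported, or the launcher cannot start it -->
        <activity
            android:name=".MainActivity"
            android:exported="true">
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />
                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>

        <!-- Internal screen: other apps must not be able to start it -->
        <activity
            android:name=".AccountSettingsActivity"
            android:exported="false" />

        <!-- Background work that only this app should trigger -->
        <service
            android:name=".SyncService"
            android:exported="false" />

        <!-- Broadcast receiver reachable from this app only -->
        <receiver
            android:name=".AlarmReceiver"
            android:exported="false" />

        <!-- Provider that must be shared, but only with apps signed by the same key -->
        <provider
            android:name=".DataProvider"
            android:authorities="com.example.app.provider"
            android:exported="true"
            android:permission="com.example.app.permission.INTERNAL" />
    </application>
</manifest>
```

During review, every component with exported="true" should be matched to a documented reason (launcher, deep link, shared provider) and, where possible, guarded by a permission as the provider is here.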

13. Implementing password policy

Most mobile applications still use weak password policies. Requiring a minimum password length of 8 characters, with at least one numeric, one uppercase, one lowercase and one special character, will improve security at the human level.

14. Implement Captcha

To prevent brute-force attacks, apps should implement reCAPTCHA from Google.